Hi

Adding to this.

In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
specific external group (where these users are).

But while checking the rule from the IPA server using hbactest, both users' tests
pass and show one rule. But in actuality only ben is able to log in to the
client machine, while jude cannot.

[root@freeipa ~]# ipa hbactest --user b...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root@freeipa ~]# ipa hbactest --user j...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login

So my HBAC is working partially. How can I fix this?

Regards,
Ben
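The mismatch described above (hbactest grants access on the server while login on the client fails) is easiest to narrow down by comparing the server-side hbactest result with the group list that `id` returns on the client. The script below is an added diagnostic, not part of this thread or of FreeIPA; the user and group names, the example.test domain, the outputs and the rule-to-group mapping are all constructed assumptions.

```python
import re

# Constructed sample data: what `ipa hbactest` printed on the IPA server and
# what `id` printed on the client for two AD users (not taken from the thread).
HBACTEST_OUTPUT = {
    "ben@example.test": "--------------------\nAccess granted: True\n"
        "--------------------\n  Matched rules: test_admins\n"
        "  Not matched rules: ad_can_login\n",
    "jude@example.test": "--------------------\nAccess granted: True\n"
        "--------------------\n  Matched rules: test_admins\n"
        "  Not matched rules: ad_can_login\n",
}
ID_OUTPUT = {
    "ben@example.test": "uid=1827801104(ben@example.test) gid=1827801104(ben@example.test) "
        "groups=1827801104(ben@example.test),1827800513(domain users@example.test),"
        "1827801105(ad_admins@example.test),1827801200(ipa_admins_posix)",
    "jude@example.test": "uid=1827801106(jude@example.test) gid=1827801106(jude@example.test) "
        "groups=1827801106(jude@example.test),1827800513(domain users@example.test)",
}
# Hypothetical mapping: which IPA POSIX group(s) each HBAC rule grants access to.
RULE_GROUPS = {"test_admins": {"ipa_admins_posix"}}


def parse_hbactest(text):
    """Return (access_granted, [matched rule names]) from hbactest output."""
    granted = re.search(r"Access granted:\s*(True|False)", text).group(1) == "True"
    matched = re.findall(r"^\s*Matched rules:\s*(\S+)", text, re.M)
    return granted, matched


def parse_id_groups(text):
    """Return the set of group names after 'groups=' in `id` output.

    AD group names may contain spaces, so match on the gid(name) pairs.
    """
    groups_part = text.split("groups=", 1)[1]
    return set(re.findall(r"\d+\(([^)]+)\)", groups_part))


def diagnose(user):
    """Classify a user: consistent, denied-on-server, or group-missing-on-client."""
    granted, matched = parse_hbactest(HBACTEST_OUTPUT[user])
    if not granted:
        return "denied-on-server"
    client_groups = parse_id_groups(ID_OUTPUT[user])
    needed = set().union(*(RULE_GROUPS.get(r, set()) for r in matched))
    if needed & client_groups:
        return "consistent"
    # The server matched the rule through a group the client never resolved:
    # SSSD on the client sees no membership in that POSIX group (stale cache
    # or external-group mapping not visible there), so pam_sss will deny.
    return "group-missing-on-client"
```

When a user comes back as "group-missing-on-client", the client-side `id` output is the place to look, exactly as suggested earlier in the thread.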

On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George <bentech4...@gmail.com>
wrote:

> Surprisingly, I have created some local IPA users and added them to the same HBAC
> rule, removed the AD group and applied this rule to the client, and that
> worked.
>
> How can I make this AD group work with HBAC?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com>
> wrote:
>
>> Hi
>>
>> If I disable the allow_all rule, I cannot log in to the client machine.
>>
>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com>
>> wrote:
>>
>>> Hi
>>>
>>> Actually I have added Domain Admins and the user ben is not part of
>>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>>
>>> -sh-4.2$ id
>>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw)
>>> groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>>
>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com>
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> While explaining here it went wrong. Actually what I did is:
>>>> "Added external group to POSIX group"
>>>>
>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>> > Hi,
>>>>> >
>>>>> > "The other is that the groups might not show up on the client (do
>>>>> they?)"
>>>>>
>>>>> id $user.
>>>>>
>>>>> But I think Alexander noticed the root cause.
>>>>>
>>>>> >
>>>>> > How can I check that?
>>>>> >
>>>>> > Thanks
>>>>> > Ben
>>>>> >
>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com>
>>>>> wrote:
>>>>> >
>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>> > > > Hi List,
>>>>> > > >
>>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>>> > > > server. By default I can log in to the client server by using an
>>>>> > > > AD username.
>>>>> > > >
>>>>> > > > I want to apply HBAC rules against this client server. For that
>>>>> > > > I have done the below steps.
>>>>> > > >
>>>>> > > > 1. created an external group in the IPA server
>>>>> > > > 2. created a local POSIX group in the IPA server
>>>>> > > > 3. added the AD group to the external group
>>>>> > > > 4. added the POSIX group to the external group.
>>>>> > > >
>>>>> > > > After that I have created an HBAC rule by adding both the local and
>>>>> > > > external IPA groups, added sshd as a service and selected the
>>>>> > > > service group sudo.
>>>>> > > >
>>>>> > > > I have applied this HBAC rule to the client server from the web UI,
>>>>> > > > and while testing HBAC from the web, I am getting access denied.
>>>>> > >
>>>>> > > Sorry, not enough info.
>>>>> > >
>>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>>> > > well. The other is that the groups might not show up on the client
>>>>> > > (do they?)
>>>>> > >
>>>>> > > Anyway, it might be a good idea to follow
>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>>> > >
>>>>> > > --
>>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> > > Go to http://freeipa.org for more info on the project
>>>>> > >
>>>>>
>>>>
>>>>
>>>
>>
>