On 12 October 2016 at 15:23, Robert Sturrock <r...@unimelb.edu.au> wrote:
> Hi All.
>
> We’re attempting to set up an IPA (4.2) service on RHEL7.2 to provide
> better connectivity to our (large) organisational AD service for Linux
> clients.
>
> We have set up IPA and configured a suitable AD trust (with SID POSIX
> mapping) in the hope that users will be able to access IPA resources
> (hosts, storage) using existing AD credentials and groups. This is working
> fine - we can login to Linux hosts using AD credentials and see the AD
> groups.
>
> However, it would appear that in order to use AD group membership as the
> basis for Linux HBAC or sudo, we need to firstly _map_ the AD groups to an
> equivalent IPA (POSIX) group? Is this correct?
>
> I can see that it’s possible to define ‘external’ *users* (not groups) in
> some cases, but this function appears to be deprecated.
>
> We have large numbers of groups in our AD (~50k), so obviously that’s a
> lot of mapping!
>

Hi Rob,

It should work with groups, no problems. We found a few issues with sssd <1.14. To get the up-to-date sssd for the hosts, the best bet is the COPR repos: https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/

As for groups working with HBAC, it should work no problems. Yes to mapping though. Here is the process:

1. Create an external group for your AD users/groups
2. Add the AD group name to that external group (this AD group's existence will be confirmed by the IPA->AD trust or the command will fail)
3. Create a POSIX group
4. Add the group created in step 1 to the group created in step 3

And here are some example commands to do that, as we executed them here, in the same order:

    ipa group-add --desc="petermac.org.au external map" ad_users_external --external
    ipa group-add-member ad_users_external --external 'PMCI\Bioinf-Cluster'
    ipa group-add --desc="petermac.org.au AD users" ad_users
    ipa group-add-member ad_users --groups ad_users_external

Let me know how you go

L.

------
The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper
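The four-step mapping above is per AD group, and the original poster has tens of thousands of them. The following script is an added example (not part of the thread, and not FreeIPA project code) that wraps those four `ipa` commands in a function and runs it over a list of AD groups, deriving an IPA group name from each. It assumes the `ipa` CLI is installed on an enrolled host and that the caller already holds an admin Kerberos ticket (`kinit admin`); the NetBIOS domain `PMCI`, the group names in the here-document, and the `IPA_DRY_RUN` variable are all constructed for the example. With `IPA_DRY_RUN=1` it only prints the commands it would run, which is the safe way to review the batch before touching the directory.

```shell
#!/bin/sh
# Added example: batch-map AD groups into IPA POSIX groups using the
# external-group -> POSIX-group process described in the reply.
# Assumptions (constructed): ipa CLI present, admin ticket held (kinit admin).

# IPA_DRY_RUN=1 prints each ipa command (arguments single-quoted) instead of
# executing it, so a large batch can be reviewed first.
IPA_DRY_RUN="${IPA_DRY_RUN:-0}"

run_ipa() {
    if [ "$IPA_DRY_RUN" = "1" ]; then
        printf 'ipa'
        for arg in "$@"; do printf " '%s'" "$arg"; done
        printf '\n'
    else
        ipa "$@"
    fi
}

# Derive an IPA group name from an AD group such as 'PMCI\Bioinf-Cluster':
# drop the NetBIOS domain prefix, lowercase, and replace anything outside
# [a-z0-9_-] with '_' so the name is valid for ipa group-add.
ipa_name_for() {
    printf '%s' "$1" | sed 's/^.*\\//' | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9_-]/_/g'
}

# The four steps from the reply, for a single AD group:
#   1. create an external group, 2. add the AD group to it (the trust
#   validates that it exists), 3. create a POSIX group, 4. nest 1 into 3.
map_ad_group() {
    ad_group="$1"                        # e.g. 'PMCI\Bioinf-Cluster'
    base="$(ipa_name_for "$ad_group")"   # e.g. bioinf-cluster
    ext="${base}_external"               # e.g. bioinf-cluster_external
    run_ipa group-add --desc="AD external map for $ad_group" "$ext" --external
    run_ipa group-add-member "$ext" --external "$ad_group"
    run_ipa group-add --desc="AD POSIX group for $ad_group" "$base"
    run_ipa group-add-member "$base" --groups "$ext"
}

# Read AD group names (one per line, NetBIOS\Group form) from stdin;
# blank lines and '#' comments are skipped.
map_all() {
    while IFS= read -r g; do
        [ -z "$g" ] && continue
        case "$g" in \#*) continue ;; esac
        map_ad_group "$g"
    done
}

if [ $# -ge 1 ]; then
    map_all < "$1"          # real run, or dry run if IPA_DRY_RUN=1 is exported
else
    IPA_DRY_RUN=1           # no file given: show the plan for constructed names
    map_all <<'EOF'
# constructed sample input
PMCI\Bioinf-Cluster
PMCI\Linux Admins
EOF
fi
```

Usage: `IPA_DRY_RUN=1 sh map_ad_groups.sh ad_groups.txt` to review, then drop the variable to execute. Step 2 is the one that fails when an AD name is wrong, so the dry-run output is worth diffing against the source list before a 50k-group run.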
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project