Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
And here is my sssd debug log from the client side:

http://pastebin.com/ud2q3FR5

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
Hi

Adding to this.

In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
specific external group (where these users are).

But while checking the rule from the IPA server using hbactest, both users'
tests pass and show one rule. But in actuality only ben is able to log in to the
client machine, while jude cannot.

[root@freeipa ~]# ipa hbactest --user b...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd

Access granted: True

  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root@freeipa ~]# ipa hbactest --user j...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd

Access granted: True

  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login

So my HBAC is working partially. How can I fix this?

Regards,
Ben


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Surprisingly, I have created some local IPA users and added them to the same
HBAC rule, removed the AD group, applied this rule to the client, and that
worked.

How can I make this AD group work with HBAC?

Regards,
Ben


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

If I disable the allow_all rule,
I cannot log in to the client machine.


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

Actually I have added Domain Admins, and the user ben is not part of Domain
Admins. But when I log in to the client machine, I am getting the below:

-sh-4.2$ id
uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)




Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

While explaining here it went wrong. What I actually did is:
"Added external group to POSIX group"


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
> Hi,
> 
> "The other is that the groups might not show up on the client (do they?)"

id $user.

But I think Alexander noticed the root cause.

> 
> How can I check that?
> 
> Thanks
> Ben



Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi

I have created 2 fresh users now and I was running the below:

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found

But I am able to test with the old users:

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\Administrator" --host `hostname` --service sshd

Access granted: True

  Matched rules: allow_all
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\ben" --host `hostname` --service sshd

Access granted: True

  Matched rules: ad_can_login
  Matched rules: allow_all
  Not matched rules: local_admin_can_login

Is there any sync time for the trust?

When I try ipa trust-fetch-domains, I am getting the below:

[root@freeipa log]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

Thanks & Regards,
Ben


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi Alex,

Yeah, my mistake.

I was following this:

http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi,

"The other is that the groups might not show up on the client (do they?)"

How can I check that?

Thanks
Ben


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Alexander Bokovoy

On Fri, 29 Apr 2016, Ben .T.George wrote:

> Hi List,
>
> I have a working setup of one AD, one IPA server and one client server. By
> default I can log in to the client server using an AD username.
>
> I want to apply HBAC rules against this client server. For that I have done
> the below steps.
>
> 1. created External group in IPA server
> 2. created local POSIX group in IPA server
> 3. Added AD group to external group
> 4. added POSIX group to external group.

You should have added the external group to the POSIX group, not the other way
around.

--
/ Alexander Bokovoy

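Alexander's point about the nesting direction, modelled as an added example (not code from the thread, from FreeIPA or from SSSD): it walks an AD user's token SIDs through an IPA external group into a POSIX group the way the client's `id` output and `ipa hbactest` would see them, for both nestings. All SIDs, group names and the host name are constructed; the `ipa group-add-member ... --groups` command quoted in a comment is the documented FreeIPA CLI form.

```python
"""Model of how an AD user's groups reach a FreeIPA HBAC rule (constructed example).

Not FreeIPA/SSSD code. Group names, SIDs and the host name are made up to mirror
the thread. What it shows: the AD group is a member of an IPA *external* group,
and that external group must itself be a member of an IPA *POSIX* group, because
only POSIX groups show up on the client (`id <user>`) and only they can be matched
by an HBAC rule. Nested the other way round, the user ends up with no POSIX group,
so only the default allow_all rule ever matches.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    posix: bool                       # True: POSIX group (has a GID); False: external group
    external_members: set = field(default_factory=set)  # AD SIDs; only external groups carry these
    member_groups: set = field(default_factory=set)     # names of nested IPA groups


@dataclass
class HbacRule:
    name: str
    groups: set                       # IPA groups whose members the rule grants
    hosts: set
    services: set
    enabled: bool = True
    allow_all: bool = False           # models the default allow_all rule (any user/host/service)


def client_groups(user_sids, groups):
    """POSIX groups the client would list in `id <user>` for these token SIDs.

    Walks membership upwards: SID -> external group -> every group containing it.
    Only POSIX groups survive, as on the client.
    """
    containing = {}                   # child group name -> names of groups it belongs to
    for g in groups.values():
        for child in g.member_groups:
            containing.setdefault(child, set()).add(g.name)
    frontier = [g.name for g in groups.values()
                if not g.posix and g.external_members & user_sids]
    seen = set()
    while frontier:
        name = frontier.pop()
        if name not in seen:
            seen.add(name)
            frontier.extend(containing.get(name, ()))
    return {n for n in seen if groups[n].posix}


def hbactest(user_sids, host, service, groups, rules):
    """Evaluate the enabled rules and report them the way `ipa hbactest` does."""
    posix = client_groups(user_sids, groups)
    matched, not_matched = [], []
    for r in rules:
        if not r.enabled:
            continue
        ok = r.allow_all or bool(posix & r.groups
                                 and host in r.hosts and service in r.services)
        (matched if ok else not_matched).append(r.name)
    return bool(matched), matched, not_matched


# Constructed identifiers (not taken from the thread)
AD_GROUP_SID = "S-1-5-21-1-2-3-512"             # the AD group placed in the external group
BEN = {"S-1-5-21-1-2-3-1104", AD_GROUP_SID}     # ben's token: own SID plus that group's SID
HOST, SERVICE = "client.example.test", "sshd"


def build_groups(external_inside_posix):
    """True is the nesting Alexander describes; False is Ben's step 4."""
    ext = Group("ad_admins_external", posix=False, external_members={AD_GROUP_SID})
    posix = Group("ad_admins", posix=True)
    if external_inside_posix:
        posix.member_groups.add(ext.name)   # ipa group-add-member ad_admins --groups ad_admins_external
    else:
        ext.member_groups.add(posix.name)   # POSIX group added to the external group (wrong way round)
    return {ext.name: ext, posix.name: posix}


def rules(allow_all_enabled=True):
    return [HbacRule("allow_all", set(), set(), set(), enabled=allow_all_enabled, allow_all=True),
            HbacRule("ad_can_login", {"ad_admins"}, {HOST}, {SERVICE})]


if __name__ == "__main__":
    for nesting in (False, True):
        g = build_groups(nesting)
        print("external group inside POSIX group:", nesting,
              "| id shows:", sorted(client_groups(BEN, g)),
              "| hbactest:", hbactest(BEN, HOST, SERVICE, g, rules()))
```

With the POSIX group nested under the external group, `id` lists no POSIX group and only allow_all matches, which is why disabling allow_all locked the user out even though hbactest had reported "Access granted".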


Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> Hi List,
> 
> I have a working setup of one AD, one IPA server and one client server. By
> default I can log in to the client server using an AD username.
> 
> I want to apply HBAC rules against this client server. For that I have done
> the below steps.
> 
> 1. created External group in IPA server
> 2. created local POSIX group in IPA server
> 3. Added AD group to external group
> 4. added POSIX group to external group.
> 
> After that I have created an HBAC rule by adding both local and external IPA
> groups, added sshd as service and selected service group as sudo.
> 
> I have applied this HBAC rule to the client server from the web UI, and while
> testing HBAC from the web, I am getting access denied.

Sorry, not enough info.

One guess would be that you need to add the "sudo-i" service as well.
The other is that the groups might not show up on the client (do they?)

Anyway, it might be a good idea to follow
https://fedorahosted.org/sssd/wiki/Troubleshooting



[Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi List,

I have a working setup of one AD, one IPA server and one client server. By
default I can log in to the client server using an AD username.

I want to apply HBAC rules against this client server. For that I have done
the below steps.

1. created External group in IPA server
2. created local POSIX group in IPA server
3. Added AD group to external group
4. added POSIX group to external group.

After that I have created an HBAC rule by adding both local and external IPA
groups, added sshd as service and selected service group as sudo.

I have applied this HBAC rule to the client server from the web UI, and while
testing HBAC from the web, I am getting access denied.

How can I implement HBAC with an Active Directory user group?

Regards,
Ben