I have a fresh IPA server setup with a trust to an Active Directory. All IPA services are working fine, IPA users can connect to IPA client hosts without problems.
I now have added an AD user via creating an ID override in the default trust view and added an ssh key for the user. I made the user a member of an IPA group which has access to the IPA client host (verified via an IPA user which is a member of this group). I did this with --idoverrideusers= as --external= seems to be gone.
The AD user can't connect: not only is the ssh key not working, the password does not work either.
Running the HBAC test in the web UI gives an ACCESS DENIED for the AD user and an ACCESS GRANTED for the IPA user.
I also can see that sssctl user-checks gives me "pam_acct_mgmt: Permission denied", while for the IPA user it brings up "pam_acct_mgmt: Success".
The command id aduser@example.com lists the AD groups but I can't see the IPA group there.
Any hints will be greatly appreciated, thank you.
Best regards,
Thomas
On Fri, Mar 17, 2023 at 02:21:33PM -0000, None via FreeIPA-users wrote:
> I have a fresh IPA server setup with a trust to an Active Directory. All IPA services are working fine, IPA users can connect to IPA client hosts without problems.
> I now have added an AD user via creating an ID override in the default trust view and added an ssh key for the user. I made the user a member of an IPA group which has access to the IPA client host (verified via an IPA user which is a member of this group). I did this with --idoverrideusers= as --external= seems to be gone.
Hi,
you cannot add the AD user directly to an IPA POSIX group; you should create an external group (ipa group-add --external ...), add this group as a member of the HBAC POSIX group, and add the AD users as external members.
HTH
bye, Sumit
> The AD user can't connect: not only is the ssh key not working, the password does not work either.
> Running the HBAC test in the web UI gives an ACCESS DENIED for the AD user and an ACCESS GRANTED for the IPA user.
> I also can see that sssctl user-checks gives me "pam_acct_mgmt: Permission denied", while for the IPA user it brings up "pam_acct_mgmt: Success".
> The command id aduser@example.com lists the AD groups but I can't see the IPA group there.
> Any hints will be greatly appreciated, thank you.
> Best regards,
> Thomas
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
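The group chain Sumit describes, written out as an added shell example that is not part of the thread: an external (non-POSIX) group holds the AD member, the external group is nested in the existing POSIX group that the HBAC rule already references, and hbactest / sssctl confirm the result. The group names ad_ssh_external and allow_ssh, the AD domain EXAMPLE, the user aduser and the host name are placeholders; the POSIX group and the HBAC rule are assumed to exist already.

```shell
#!/bin/sh
# Added example (not from the thread). Every ipa call goes through run();
# DRY_RUN=1 prints the command instead of executing it, so the chain can
# be reviewed (or tested) on a box without an IPA client.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ipa $*"
    else
        ipa "$@"
    fi
}

# setup_ad_access EXTERNAL_GROUP EXISTING_POSIX_GROUP 'DOMAIN\user'
setup_ad_access() {
    ext_group=$1; posix_group=$2; ad_user=$3
    # 1. Only an external group can hold AD (trusted-domain) members.
    run group-add --external "$ext_group"
    # 2. Nest it in the POSIX group the HBAC rule references; AD members of
    #    the external group then resolve as members of the POSIX group.
    run group-add-member "$posix_group" --groups "$ext_group"
    # 3. Add the AD user as an external member (DOMAIN\user form).
    run group-add-member "$ext_group" --external "$ad_user"
    # The ID override is still the right place for the ssh key; group
    # membership cannot be granted there, which is what the thread hit.
}

# verify_access 'aduser@example.com' client.ipa.example.com
# Expect ACCESS GRANTED from hbactest and "pam_acct_mgmt: Success" from
# sssctl. Run `sss_cache -E` on the client first so a stale negative
# cache entry from before the group change does not mask the fix.
verify_access() {
    user=$1; host=$2
    run hbactest --user "$user" --host "$host" --service sshd
    if [ "${DRY_RUN:-0}" != "1" ]; then
        sssctl user-checks "$user" -s sshd
    fi
}

# Placeholder invocation; only runs when arguments are supplied.
if [ $# -ge 3 ]; then
    setup_ad_access "$@"
fi
```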
Hi Sumit,
thank you, this solved it!
I had added the user to the "User ID overrides" instead of the External for some reason and did not realize this.
Wish you a great week.
Best regards,
Thomas