Hi - I have an IPA setup (4.6.6) with a trust to AD servers. The users can 
log in to the servers via ssh and everything is allowed via HBAC groups.
I have some users that are admins so I created an all-servers access group.

But when I issue the "id" or "groups" command, users are reported as being 
members of groups they don't belong to, for example:

User id094844 (an external user in AD) is reported as a member of:
[root@el6983 ~]# id id094844 | tr ',' '\n' | grep acc
1856201464([email protected])
1856233001([email protected])
1856230575([email protected])
1856231052([email protected])
[...]

But if I check the group membership of acc-el2740-hbac-usergroup (my POSIX 
group):
[root@el6983 ~]# ipa group-show acc-el2740-hbac-usergroup
  Group name: acc-el2740-hbac-usergroup
  GID: 1856230575
  Member users: id999026
  Member groups: acc-el2740-hbac-usergroup-ext, ai-it_rpa_accesses, cmos, 
is-storage_backup_bo, is-storage_backup_fo
  Member of HBAC rule: acc-el2740-hbac
  Indirect Member users: abiaload, abidload
  Indirect Member groups: ai-it_rpa_accesses-extgrp, 
is-storage_backup_fo-extgrp, is-storage_backup_bo-extgrp, cmos-extgrp

# Checking my external group:
[root@el6983 ~]# ipa group-show acc-el2740-hbac-usergroup-ext
  Group name: acc-el2740-hbac-usergroup-ext
  Member of groups: acc-el2740-hbac-usergroup
  Indirect Member of HBAC rule: acc-el2740-hbac

And id094844 isn't a member of any group nested in acc-el2740-hbac-usergroup.

As we have a lot of servers, I'm afraid that we'll get a lot of memberships once 
our migration is over... Any way to fix this?

Thanks!

Sébastien Toulmonde
Linux Engineering | ITS Linux CC
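The comparison done by hand above (groups reported by `id` versus direct, indirect and external membership in `ipa group-show`) can be scripted; the following is an added example, not code from the post or from FreeIPA, and it assumes the `name@realm` form for the group names in `id` output and for the `External member` field, with constructed sample output standing in for the real commands.

```python
import re

# Constructed sample output in the shape shown in the post (names and GIDs made up).
ID_OUTPUT = (
    "uid=1856201000(id094844@ad.example) gid=1856201000(id094844@ad.example) "
    "groups=1856201000(id094844@ad.example),"
    "1856230575(acc-el2740-hbac-usergroup@ipa.example),"
    "1856201464(acc-el2700-hbac-usergroup@ipa.example)"
)
GROUP_SHOW = {  # constructed `ipa group-show <name>` output, keyed by group name
    "acc-el2740-hbac-usergroup": """  Group name: acc-el2740-hbac-usergroup
  GID: 1856230575
  Member users: id999026
  Member groups: acc-el2740-hbac-usergroup-ext, cmos
  Indirect Member users: abiaload, abidload
  Indirect Member groups: cmos-extgrp""",
    "acc-el2740-hbac-usergroup-ext": """  Group name: acc-el2740-hbac-usergroup-ext
  External member: id777777@ad.example
  Member of groups: acc-el2740-hbac-usergroup""",
    "acc-el2700-hbac-usergroup": """  Group name: acc-el2700-hbac-usergroup
  GID: 1856201464
  Member groups: acc-el2700-hbac-usergroup-ext""",
    "acc-el2700-hbac-usergroup-ext": """  Group name: acc-el2700-hbac-usergroup-ext
  External member: id094844@ad.example""",
}

def parse_id(text):
    """Return (user@domain, {gid: group}) from `id` output; group realm suffixes are dropped."""
    user = re.search(r"uid=\d+\(([^)]+)\)", text).group(1)
    groups = dict(re.findall(r"(\d+)\(([^)@]+)(?:@[^)]*)?\)", text.split("groups=", 1)[1]))
    return user, groups

def parse_group_show(text):
    """Parse `ipa group-show` output into {field: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        fields[key] = [v.strip() for v in value.split(",") if v.strip()]
    return fields

def explained(user, group, shown):
    """True if IPA records `user` as a direct, indirect or external member of `group`."""
    f = parse_group_show(shown[group]) if group in shown else {}
    if user.split("@")[0] in f.get("Member users", []) + f.get("Indirect Member users", []):
        return True
    # external (AD) users are listed on the nested -ext groups, not on the POSIX group
    nested = [group] + f.get("Member groups", []) + f.get("Indirect Member groups", [])
    return any(user in parse_group_show(shown[g]).get("External member", [])
               for g in nested if g in shown)

def unexplained_groups(id_text, shown):
    """Groups `id` reports for the user that IPA does not show them as a member of."""
    user, groups = parse_id(id_text)
    return sorted(g for g in groups.values()
                  if g != user.split("@")[0] and not explained(user, g, shown))
```

With the sample data this reports only acc-el2740-hbac-usergroup, which `id` lists but no IPA membership path explains; run on real output it narrows the investigation to exactly those groups.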

