On Mon, 31 Jul 2023, Sameer Gurung via FreeIPA-users wrote:
On Sun, Jul 30, 2023 at 10:20 PM Ronald Wimmer via FreeIPA-users <[email protected]> wrote:

The referenced thread is about merging local and IPA groups. Not
explicitly about the direction.

Cheers,
Ronald

I don't quite follow. I have added a docker group to FreeIPA with the
--external option, then added my AD user to this group. This works fine.
However, at the client, group merging does not take place: the AD user is not
added to the local docker group of the client.

You are using it the wrong way.

An 'external' group in IPA is not a POSIX group. It is supposed to be
included in a POSIX group, and SSSD on the client system will then pull
all external references from the 'external' group when building up the
membership of the POSIX group. That's why the documentation talks about
a two-group buildup:

 - create an 'external' group and add AD objects as members of it
 - create a POSIX group and add the 'external' group as a member

The group merging feature in glibc works only for POSIX groups, because
these are the only groups that exist in the POSIX environment where glibc
operates. Unless an AD user is pulled into the POSIX group, the group
cannot see the AD user as a member.

So you should create a 'docker-external' group of type 'external' and add
users there. Then create a 'docker' group in IPA and add the 'docker-external'
group as a member there. Then, upon login to a system governed by SSSD,
this 'docker' group membership will be filled in by SSSD for the AD user,
and glibc will handle group merging on top of that.



On 30.07.23 17:54, Sameer Gurung via FreeIPA-users wrote:
> I have followed the link you sent and managed to add users to the local
> docker group when the users are in FreeIPA. However, in my case they are
> AD users logging in to Linux clients through the IPA AD trust.
>
> *Sameer Kr. Gurung*
>
> On Sun, Jul 30, 2023 at 6:07 PM Ronald Wimmer via FreeIPA-users
> <[email protected]
> <mailto:[email protected]>> wrote:
>
>     Have a look at
>     https://lists.fedorahosted.org/archives/list/[email protected]/thread/WR7JQOMWCEXNABNSZGFF2FYN6ENEHEIB/#BBVO35ZP4YFI7C27NASZLYWRWDFY6DRH
>
>
>     On 30 July 2023 11:17:37 MESZ, Sameer Gurung via
>     FreeIPA-users <[email protected]
>     <mailto:[email protected]>> wrote:
>
>         I have integrated FreeIPA with AD via a two-way trust. However, I
>         now have a problem.
>
>         How do I add my AD users logging in to Linux clients to the
>         local machine's docker group so that they can run docker?
>         Any help would be appreciated.
>         Thanks everyone!
>
>         Sameer K Gurung
>
>
>         This message contains confidential information and is intended
>         only for the individual named. If you are not the named
>         addressee you should not disseminate, distribute or copy this
>         e-mail. Please notify the sender immediately by e-mail if you
>         have received this e-mail by mistake and delete this e-mail from
>         your system. E-mail transmission cannot be guaranteed to be
>         secure or error-free as information could be intercepted,
>         corrupted, lost, destroyed, arrive late or incomplete, or
>         contain viruses. The sender therefore does not accept liability
>         for any errors or omissions in the contents of this message,
>         which arise as a result of e-mail transmission. If verification
>         is required please request a hard-copy version.
>         Saint Mary's College, Shillong, Meghalaya, India-793003,
>         smcs.ac.in <http://smcs.ac.in>
>
>     _______________________________________________
>     FreeIPA-users mailing list -- [email protected]
>     <mailto:[email protected]>
>     To unsubscribe send an email to
>     [email protected]
>     <mailto:[email protected]>
>     Fedora Code of Conduct:
>     https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     <https://docs.fedoraproject.org/en-US/project/code-of-conduct/>
>     List Guidelines:
>     https://fedoraproject.org/wiki/Mailing_list_guidelines
>     <https://fedoraproject.org/wiki/Mailing_list_guidelines>
>     List Archives:
>     https://lists.fedorahosted.org/archives/list/[email protected]
>     Do not reply to spam, report it:
>     https://pagure.io/fedora-infrastructure/new_issue
>     <https://pagure.io/fedora-infrastructure/new_issue>
>
>

--
Ronald Wimmer
Zachgasse 12/Haus 7
1220 Wien
Tel: +43 680 149 37 99



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
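As an added illustration, not code from this thread or from FreeIPA/SSSD: a small Python model of the two-group buildup described above (external group nested in a POSIX group) and of the glibc group merge on the client, contrasting the poster's single external 'docker' group with the recommended layout. Group names, GID 999 and the AD user are constructed sample values; the model assumes the client's local docker GID matches the IPA one and treats a name or GID mismatch as no merge.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

GroupEntry = Tuple[str, int, Set[str]]      # (name, gid, members) as NSS returns it
AD_USER = "[email protected]"          # constructed sample AD user
LOCAL_DOCKER = ("docker", 999, {"alice"})  # constructed /etc/group entry on the client

@dataclass
class IpaGroup:
    name: str
    gid: Optional[int] = None                 # None models an 'external' (non-POSIX) group
    member_external: Set[str] = field(default_factory=set)  # AD objects (external groups only)
    member_groups: Set[str] = field(default_factory=set)    # nested IPA groups

def resolve_posix_members(groups: Dict[str, IpaGroup], name: str) -> Optional[Set[str]]:
    """Flatten a POSIX group's membership the way SSSD presents it to NSS.
    Returns None when 'name' is missing or is an external group: NSS never sees those."""
    if name not in groups or groups[name].gid is None:
        return None
    members, seen, stack = set(), set(), [name]
    while stack:
        g = groups[stack.pop()]
        if g.name in seen:
            continue
        seen.add(g.name)
        members |= g.member_external          # external refs are pulled into the POSIX group
        stack.extend(n for n in g.member_groups if n in groups)
    return members

def merge_group_entries(local: GroupEntry, sss: Optional[GroupEntry]) -> GroupEntry:
    """'group: files [SUCCESS=merge] sss' as modelled here: 'files' wins for name and
    GID, members of a matching 'sss' entry are appended; a mismatch means no merge."""
    name, gid, members = local
    if sss is None or sss[0] != name or sss[1] != gid:
        return local
    return name, gid, members | sss[2]

def client_docker_members(groups: Dict[str, IpaGroup]) -> Set[str]:
    """Members that 'getent group docker' would report on the client after merging."""
    ipa_members = resolve_posix_members(groups, "docker")
    sss = None if ipa_members is None else ("docker", groups["docker"].gid, ipa_members)
    return merge_group_entries(LOCAL_DOCKER, sss)[2]

# Wrong: a single external group named 'docker' holding the AD user (the poster's setup).
WRONG = {"docker": IpaGroup("docker", member_external={AD_USER})}
# Right: the two-group buildup, with the POSIX group's GID matching the client's local one.
RIGHT = {"docker-external": IpaGroup("docker-external", member_external={AD_USER}),
         "docker": IpaGroup("docker", 999, member_groups={"docker-external"})}
```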
