Hi Folks, I'm sure there's a simple fix for this but I haven't found it.
I have a trust configured between an AD server and my freeipa server that appears to be working. If I enable the "allow_all" policy I can log in as one of my AD users. If I immediately disable the "allow_all" policy, that is seen immediately on my client and AD users are blocked.

I have an HBAC rule (ad_can_login) that I'm applying to a freeipa client system. This rule contains two posix groups:

    guest_users <-- for users I configure on my freeipa server
    ad_users    <-- for users that are on my AD server

If I enable/disable the HBAC rule called "ad_can_login" I see an immediate response on my freeipa client system -- either allowing my local and AD users access or blocking them.

My ad_users group is a posix group that contains an external group called "ad_users_ext". This group contains a list of a couple of AD user accounts that have been added by going under the "External" option and then clicking the "+Add" button. These users were added as <username>@test.domain.com.

If I add users to this external group, they are ***sometimes*** immediately seen on my client in this group when I use the id command. I can then log in as the AD user. Other times I have to refresh the cache (sss_cache -U) to have the system see the user. Almost always, when I remove the user from the ad_users_ext group, I have to refresh the cache before the client system will block logins.

I've been experimenting with options in the sssd.conf file to force the cache to respond more quickly, but nothing has helped. From my reading, I don't have to have a separate entry in my sssd.conf file to cover the AD users, but I could be wrong.
My sssd.conf file on the client looks like:

    [domain/example.domain.com]
    id_provider = ipa
    ipa_server = _srv_, freeipa.example.domain.com
    ipa_domain = boulder.swri.edu
    ipa_hostname = ldap-client1.example.domain.com
    auth_provider = ipa
    chpass_provider = ipa
    access_provider = ipa
    cache_credentials = True
    ldap_tls_cacert = /etc/ipa/ca.crt
    krb5_store_password_if_offline = True
    override_homedir = /home/%u

    [sssd]
    services = nss, pam, ssh, sudo
    domains = example.domain.com

    [nss]
    homedir_substring = /home

    [pam]

    [sudo]

    [autofs]

    [ssh]

    [pac]

    [ifp]

    [session_recording]

This is just the basic config put into place with the ipa-client install.

I suppose I don't understand why toggling the HBAC rule on/off gets an immediate response for user login access on the client, but adding/removing users from the ad_users_ext group (which is a subgroup of the posix group ad_users, which is part of the HBAC rule) sometimes needs a cache refresh to move things along.

Apologies if I'm missing the obvious. Any pointers in the right direction would be greatly appreciated. As always, thanks for your time.

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
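A diagnostic helper added here as an example (it is not from the poster or from the FreeIPA project) for the situation above: it compares what the IPA server itself decides for a user under the ad_can_login rule (ipa hbactest) with what the client's sssd cache currently answers (id / getent), and invalidates only the affected user and group entries rather than flushing every user with sss_cache -U. It assumes an enrolled FreeIPA client with the ipa CLI and sss_cache available; bob@test.domain.com is a placeholder user name.

```shell
#!/bin/bash
# Example helper (not from the original post). Assumes an enrolled FreeIPA
# client with the ipa CLI, id/getent and sss_cache available.

# Pure check: does id(1) output ($1) list group $2 among "groups="?
# Matches the exact "(name)" token, so ad_users does not match ad_users_ext.
id_lists_group() {
    case "$1" in
        *"groups="*"($2)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Server-side view: how the IPA server itself evaluates HBAC for this
# user on this host (optionally restricted to one rule, e.g. ad_can_login).
server_decision() {   # user host [rule]
    ipa hbactest --user="$1" --host="$2" --service=sshd ${3:+--rules="$3"}
}

# Invalidate just the entries involved in a membership change, instead
# of flushing every cached user with sss_cache -U.
refresh_entries() {   # user group...
    local user="$1"; shift
    sss_cache -u "$user"
    for g in "$@"; do sss_cache -g "$g"; done
}

# Client-side cached view versus server-side decision for one AD user.
check_access() {      # user host group [rule]
    local out
    if ! out=$(id "$1" 2>/dev/null); then
        echo "client: cannot resolve $1 (try: refresh_entries $1 $3)"
        return 2
    fi
    if id_lists_group "$out" "$3"; then
        echo "client: $1 is in $3 according to the sssd cache"
    else
        echo "client: $1 is NOT in $3 according to the sssd cache"
    fi
    getent group "$3"
    server_decision "$1" "$2" "$4"
}

# Usage (placeholder user name):
#   check_access bob@test.domain.com ldap-client1.example.domain.com \
#       ad_users ad_can_login
```

If the server says the rule matches but the client still reports the user outside ad_users, the client is serving a stale cached entry; refresh_entries then targets only that user and group.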
