> -----Original Message-----
> From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Jakub Hrozek
> Sent: Thursday, May 14, 2015 11:46 AM
> To: [email protected]
> Subject: Re: [Freeipa-users] trusted user groups
>
> On Thu, May 14, 2015 at 03:33:28PM +0000, Andy Thompson wrote:
> > I've noticed that trusted users' supplementary AD groups don't show up
> > until after the users log in to the box at least once.
>
> That's expected with the versions you're running. Prior to 6.7, we could only
> read the trusted users' group membership from the PAC blob attached to
> the Kerberos ticket.
>
> > Is there a chance that information will be dropped again at any point going
> > forward?
>
> No, otherwise it's a bug.
>
> > The reason I ask is that on our sftp boxes we chroot users based on
> > group membership. I set that up as an external group in FreeIPA and
> > the first time the user logs in to the sftp box, they are dropped in
> > their normal home directory as opposed to the chroot environment. If
> > there is a chance the group membership will not show up correctly
> > again in the future, I'm inclined to change the chroot stanzas to match on
> > user as opposed to group.
> >
> > Is that by design?
>
> If you can't see the correct group memberships after a login, then something
> is fishy. However, we're rebasing to sssd 1.12.x in 6.7 and there are so many
> fixes and enhancements in this area... is there a chance you could try out 6.7
> beta or some custom packages?
>

Group memberships show up fine after the first login, so it is working as expected then. The accounts are very controlled, so it shouldn't be a huge sticking point.

I could try out some custom packages on this box, but I can't move to 6.7 until we upgrade the entire environment.

Thanks much

-andy
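
The two ways of writing the chroot stanzas discussed in this thread, as an added `sshd_config` sketch that is not from either poster's configuration. The group name `sftp_chroot`, the user names and the `/srv/sftp` path are hypothetical placeholders.

```conf
# Added example, not taken from the thread. All names and paths below
# (sftp_chroot, the two users, /srv/sftp) are hypothetical.

Subsystem sftp internal-sftp

# Per-user match: does not depend on supplementary group resolution, so
# it applies on a trusted user's first login as well. For each keyword
# sshd uses the first value it obtains, so this block wins over the
# group block below when both match.
Match User jdoe@ad.example.com,asmith@ad.example.com
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Per-group match: applies only if the external group is already visible
# when sshd evaluates the Match line. With the versions discussed in the
# thread that is the case only after the user's first login, so a first
# session falls through to the global settings and lands unchrooted.
Match Group sftp_chroot
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# ChrootDirectory requires every component of the path to be owned by
# root and not writable by group or others, or sshd rejects the session.
```

Comparing `id <user>` output for a trusted account before and after its first login shows whether the group match can be relied on for that host.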
