> -----Original Message-----
> From: Lukas Slebodnik [mailto:[email protected]]
> Sent: Monday, May 18, 2015 10:33 AM
> To: Andy Thompson
> Cc: [email protected]
> Subject: Re: [Freeipa-users] trusted user groups
>
> On (18/05/15 13:55), Andy Thompson wrote:
> >> -----Original Message-----
> >> From: Lukas Slebodnik [mailto:[email protected]]
> >> Sent: Thursday, May 14, 2015 4:41 PM
> >> To: Andy Thompson
> >> Cc: [email protected]
> >> Subject: Re: [Freeipa-users] trusted user groups
> >>
> >> On (14/05/15 15:53), Andy Thompson wrote:
> >> >> -----Original Message-----
> >> >> From: [email protected] [mailto:freeipa-users-
> >> >> [email protected]] On Behalf Of Jakub Hrozek
> >> >> Sent: Thursday, May 14, 2015 11:46 AM
> >> >> To: [email protected]
> >> >> Subject: Re: [Freeipa-users] trusted user groups
> >> >>
> >> >> On Thu, May 14, 2015 at 03:33:28PM +0000, Andy Thompson wrote:
> >> >> > I've noticed that trusted users' supplementary AD groups don't show up
> >> >> > until after the users log in to the box at least once.
> >> >>
> >> >> That's expected with the versions you're running. Prior to 6.7, we
> >> >> could only read the trusted users' group membership from the PAC
> >> >> blob attached to the Kerberos ticket.
> >> >>
> >> >> > Is there a chance that information will be dropped again at any
> >> >> > point going forward?
> >> >>
> >> >> No, otherwise it's a bug.
> >> >>
> >> >> > The reason I ask is that on our sftp boxes we chroot users based
> >> >> > on group membership. I set that up as an external group in
> >> >> > FreeIPA and the first time the user logs in to the sftp box,
> >> >> > they are dropped in their normal home directory as opposed to
> >> >> > the chroot environment. If there is a chance the group
> >> >> > membership will not show up correctly again in the future, I'm
> >> >> > inclined to change the chroot stanzas to match on user as
> >> >> > opposed to group.
> >> >> >
> >> >> > Is that by design?
> >> >>
> >> >> If you can't see the correct group memberships after a login, then
> >> >> something is fishy. However, we're rebasing to sssd 1.12.x in 6.7
> >> >> and there are so many fixes and enhancements in this area. Is there
> >> >> a chance you could try out 6.7 beta or some custom packages?
> >> >>
> >> >
> >> > Group memberships show up fine after the first login so it is
> >> > working as expected then. The accounts are very controlled so it
> >> > shouldn't be a huge sticking point. I could try out some custom
> >> > packages on this box but I can't move to 6.7 until we upgrade the
> >> > entire environment.
> >>
> >> Here you are
> >> https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
> >>
> >
> > To just bring this full circle, the latest sssd release reads group
> > membership correctly without a Kerberos ticket. I tested this release
> > on 6.6 and tested a 7.1 box and both worked without issue.
> >
> I'm glad it works for you.
>
> > I just can't roll them in production yet :/
> >
> I see.
>

Do you have any insight into when 6.7 will be released?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
