Hi - I have an IPA setup (4.6.6) with a trust to AD servers. The users can 
log in to the servers via ssh and everything is allowed via HBAC groups.
I have some users that are admins so I created an all-servers access group.

But when I issue the "id" or "groups" command, users are reported as being 
members of groups they don't belong to, for example:

User id094844 (an external user in AD) is reported as a member of:
[root@el6983 ~]# id id094844 | tr ',' '\n' | grep acc
1856201464(acc-devredhat-hbac-usergr...@dev.ipa.bc)
1856233001(acc-el2720-hbac-usergr...@dev.ipa.bc)
1856230575(acc-el2740-hbac-usergr...@dev.ipa.bc)
1856231052(acc-el2741-hbac-usergr...@dev.ipa.bc)
[...]

But if I check the group membership of acc-el2740-hbac-usergroup (my POSIX 
group):
[root@el6983 ~]# ipa group-show acc-el2740-hbac-usergroup
  Group name: acc-el2740-hbac-usergroup
  GID: 1856230575
  Member users: id999026
  Member groups: acc-el2740-hbac-usergroup-ext, ai-it_rpa_accesses, cmos, 
is-storage_backup_bo, is-storage_backup_fo
  Member of HBAC rule: acc-el2740-hbac
  Indirect Member users: abiaload, abidload
  Indirect Member groups: ai-it_rpa_accesses-extgrp, 
is-storage_backup_fo-extgrp, is-storage_backup_bo-extgrp, cmos-extgrp

# Checking my external group:
[root@el6983 ~]# ipa group-show acc-el2740-hbac-usergroup-ext
  Group name: acc-el2740-hbac-usergroup-ext
  Member of groups: acc-el2740-hbac-usergroup
  Indirect Member of HBAC rule: acc-el2740-hbac

And id094844 isn't a member of any groups nested in acc-el2740-hbac-usergroup.

As we have a lot of servers, I'm afraid that we'll get a lot of memberships once 
our migration is over... Any way to fix this?

Thanks!

Sébastien Toulmonde
Linux Engineering | ITS Linux CC
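As an added example (not part of the original post, and not an IPA or SSSD tool): a small Python audit script that parses the output of `id` and of `ipa group-show`, in the layouts shown above, and lists every group that `id` reports for a user but whose direct and indirect member lists do not contain that user. The sample outputs are constructed for the example; the uid, the realm suffixes and the membership of acc-el2741-hbac-usergroup are assumptions, not values from the post.

```python
"""Cross-check `id <user>` against `ipa group-show` output.

Reports POSIX groups that `id` lists for a user although neither
"Member users" nor "Indirect Member users" of that group (as printed by
`ipa group-show`) contains the user.  All sample data is constructed.
"""
import re

# Constructed `id id094844` output (uid and realm suffixes are assumptions).
ID_OUTPUT = (
    "uid=1856200001(id094844@dev.ipa.bc) gid=1856200001(id094844@dev.ipa.bc) "
    "groups=1856200001(id094844@dev.ipa.bc),"
    "1856201464(acc-devredhat-hbac-usergroup@dev.ipa.bc),"
    "1856230575(acc-el2740-hbac-usergroup@dev.ipa.bc),"
    "1856231052(acc-el2741-hbac-usergroup@dev.ipa.bc)"
)

# Constructed `ipa group-show` outputs keyed by group name.  The first mirrors
# the layout of the post (including a wrapped "Member groups" line); the
# second is an assumed group in which the user legitimately appears.
GROUP_SHOW = {
    "acc-el2740-hbac-usergroup": """\
  Group name: acc-el2740-hbac-usergroup
  GID: 1856230575
  Member users: id999026
  Member groups: acc-el2740-hbac-usergroup-ext, ai-it_rpa_accesses, cmos,
is-storage_backup_bo, is-storage_backup_fo
  Member of HBAC rule: acc-el2740-hbac
  Indirect Member users: abiaload, abidload
  Indirect Member groups: ai-it_rpa_accesses-extgrp,
is-storage_backup_fo-extgrp, is-storage_backup_bo-extgrp, cmos-extgrp
""",
    "acc-el2741-hbac-usergroup": """\
  Group name: acc-el2741-hbac-usergroup
  GID: 1856231052
  Member groups: acc-el2741-hbac-usergroup-ext
  Indirect Member users: abiaload, id094844@ad.example.test
""",
}

ENTRY_RE = re.compile(r"(\d+)\(([^)]+)\)")           # gid(name) pairs in `id`
FIELD_RE = re.compile(r"^\s{2}([A-Za-z][^:]*):\s*(.*)$")  # "  Key: value"


def strip_realm(name):
    """Drop a trailing @realm so AD and IPA spellings compare equal."""
    return name.split("@", 1)[0]


def parse_id_groups(id_output):
    """Map group name (realm stripped) -> gid from the groups= part of `id`."""
    groups_part = id_output.split("groups=", 1)[1]
    return {strip_realm(name): int(gid) for gid, name in ENTRY_RE.findall(groups_part)}


def parse_group_show(text):
    """Parse `ipa group-show` output into {field: [values]}.

    Lines that do not start a new "  Key:" field are treated as the
    continuation of the previous (wrapped) field.
    """
    fields, current = {}, None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw)
        if m:
            current = m.group(1)
            fields[current] = m.group(2).strip()
        elif current is not None and raw.strip():
            fields[current] += " " + raw.strip()
    return {k: [v.strip() for v in val.split(",") if v.strip()] for k, val in fields.items()}


def unexplained_memberships(user, id_output, group_show_outputs):
    """Groups `id` reports for `user` that group-show does not account for.

    Groups without group-show data (e.g. the user's private group) are skipped.
    """
    user = strip_realm(user)
    unexplained = []
    for group in sorted(parse_id_groups(id_output)):
        show = group_show_outputs.get(group)
        if show is None:
            continue
        fields = parse_group_show(show)
        members = {strip_realm(m) for m in
                   fields.get("Member users", []) + fields.get("Indirect Member users", [])}
        if user not in members:
            unexplained.append(group)
    return unexplained


if __name__ == "__main__":
    for g in unexplained_memberships("id094844", ID_OUTPUT, GROUP_SHOW):
        print(f"{g}: reported by id, but user is neither a direct nor an indirect member")
```

To run it against a live host, feed `unexplained_memberships()` the captured text of `id <user>` and a dict of `ipa group-show <group>` outputs for the groups `id` names; groups for which no group-show text is supplied are left unchecked rather than reported.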

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org