On Fri, Mar 17, 2023 at 02:21:33PM -0000, None via FreeIPA-users wrote:
> I have a fresh IPA server setup with a trust to an Active Directory. All IPA
> services are working fine, IPA users can connect to IPA client hosts without
> problems.
>
> I now have added an AD user via creating an ID override in the default trust
> view and added an ssh key for the user. I made the user a member of an IPA
> group which has access to the IPA client host (verified via IPA user which is
> a member of this group). I did this by --idoverrideusers= as --external=
> seems to be gone.

Hi,

you cannot add the AD user directly to an IPA POSIX group, you should create an external group (ipa group-add --external ....), add this group as a member of the HBAC POSIX group and add the AD users as an external member.

HTH

bye,
Sumit

> The AD user can't connect, not even that the ssh key is not working also the
> password does not work.
>
> Running the HBAC test in the web UI gives an ACCESS DENIED for the AD user
> and an ACCESS GRANTED for the IPA user.
>
> I also can see that a sssctl user-checks gives me a pam_acct_mgmt: Permission
> denied while for the IPA user it brings up pam_acct_mgmt: Success
>
> The command id adu...@example.com lists the AD groups but I can't see the IPA
> group there.
>
> Any hints will be greatly appreciated, thank you.
>
> Best regards,
>
> Thomas

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
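
The group nesting described in the reply above, written out as an added example that is not part of the original thread. The group names, the AD user, the client host name and the `sshd` HBAC service are assumed placeholders; by default the script only prints the commands, and `APPLY=1` runs them on an IPA server with an admin ticket.

```shell
#!/bin/sh
# Added example: every name passed to these functions is a placeholder
# (assumption), not a value taken from the thread.

# Print the command (default) or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# nest_ad_user AD_USER EXT_GROUP POSIX_GROUP
#   1. create a non-POSIX external group
#   2. add the AD user to it as an external member
#   3. make the external group a member of the IPA POSIX group
#      that the HBAC rule references
nest_ad_user() {
    ad_user=$1 ext_group=$2 posix_group=$3
    case $ad_user in
        ?*@?*) ;;   # external members are given fully qualified
        *) echo "AD user must be user@ad.domain: $ad_user" >&2
           return 2 ;;
    esac
    run ipa group-add --external "$ext_group" &&
    run ipa group-add-member "$ext_group" --external "$ad_user" &&
    run ipa group-add-member "$posix_group" --groups "$ext_group"
}

# check_ad_user AD_USER CLIENT_HOST
#   Re-run the checks from the question: the HBAC test should now grant
#   access and `id` on the client should list the IPA POSIX group.
#   Cached membership on the client can hide the change until it expires;
#   `sss_cache -E` on the client invalidates the SSSD cache.
check_ad_user() {
    run ipa hbactest --user "$1" --host "$2" --service sshd &&
    run id "$1"
}
```
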