Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 982619
Description of problem:
realm permit --groups does not work. The group is added to sssd.conf, and realm list shows the group in permitted-groups. ssh login with a member of this group doesn't work.

Version-Release number of selected component (if applicable):
realmd-0.14.2-3.el7
sssd-1.10.0-12.el7.beta2

How reproducible:
always

Steps to Reproduce:
1. realm permit --realm=security.baseos.qe --groups 'test permit group@security.baseos.qe'
2.
3.

Actual results:
ssh login with a member of this group doesn't work.

Expected results:
ssh login with a member of this group works.

Additional info:

realm list
security.baseos.qe
  type: kerberos
  realm-name: SECURITY.BASEOS.QE
  domain-name: security.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@security.baseos.qe
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: test permit group@security.baseos.qe

getent group 'test permit group@security.baseos.qe'
test permit group@security.baseos.qe:*:89801530:amy@security.baseos.qe

cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
domains = LDAP, security.baseos.qe
services = nss, pam, sudo

[nss]
filter_groups = root
filter_users = root
default_shell = /bin/bash

[pam]

[sudo]
debug_level = 0xFFFF

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
debug_level = 0xFFFF
ldap_uri = ldap://example.com
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_search_base = dc=example,dc=com
entry_cache_nowait_percentage = 0
entry_cache_timeout = 0
ldap_sudo_smart_refresh_interval = 1
ldap_sudo_full_refresh_interval = 10

[domain/security.baseos.qe]
ad_domain = security.baseos.qe
krb5_realm = SECURITY.BASEOS.QE
realmd_tags = manages-system
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
krb5_use_enterprise_principal=False
simple_allow_groups = test permit group@security.baseos.qe

ssh amy@security.baseos.qe@localhost
amy@security.baseos.qe@localhost's password:
Connection closed by ::1
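An added example, not part of the ticket and not SSSD or realmd code: a small audit that parses an sssd.conf like the one in the description and lists every fully qualified entry in a simple access provider list, the configuration this ticket reports as failing on sssd-1.10.0-12.el7.beta2 (closed as fixed under milestone SSSD 1.10.2). The function name and the reduced sample configuration are constructed for illustration.

```python
import configparser

# Constructed sample, reduced from the sssd.conf quoted in the ticket.
SAMPLE_CONF = """\
[sssd]
domains = LDAP, security.baseos.qe

[domain/LDAP]
id_provider = ldap

[domain/security.baseos.qe]
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_groups = test permit group@security.baseos.qe
"""

# Allow/deny lists read by the simple access provider.
LIST_OPTIONS = ("simple_allow_users", "simple_allow_groups",
                "simple_deny_users", "simple_deny_groups")


def find_fqdn_simple_entries(conf_text):
    """Return (domain, option, entry) for each name@domain entry found in a
    simple access provider list (hypothetical helper, not an SSSD API)."""
    # interpolation=None: values such as /home/%d/%u are literal in sssd.conf.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        if opts.get("access_provider", "").strip().lower() != "simple":
            continue
        domain = section[len("domain/"):]
        for option in LIST_OPTIONS:
            # Lists are comma separated; names may contain spaces.
            for entry in opts.get(option, "").split(","):
                entry = entry.strip()
                if "@" in entry:
                    findings.append((domain, option, entry))
    return findings


if __name__ == "__main__":
    for domain, option, entry in find_fqdn_simple_entries(SAMPLE_CONF):
        print(f"[domain/{domain}] {option}: '{entry}' is fully qualified")
```

On a host running an SSSD build older than the fix, each finding is a permit rule that may silently deny the logins it was meant to allow.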
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => pbrezina
review: True => 0
selected: =>
testsupdated: => 0
summary: realm permit --groups does not work => allow fqdn in simple access provider lists
status: new => assigned
This is quite important as a) realmd sets FQDNs by default. b) with the introduction of subdomains we can easily have overlapping user names in a single domain.
priority: major => critical
milestone: NEEDS_TRIAGE => SSSD 1.10.2
I created a new ticket to support users and groups from a trusted domain: https://fedorahosted.org/sssd/ticket/2034
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.10.2
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3068
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.