Bug 887675

Summary: realmd does now support "permit" options for groups.
Product: [Fedora] Fedora
Reporter: William Brown <william>
Component: realmd
Assignee: Stef Walter <stefw>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 18
CC: dpal, jhrozek, stefw, yaneti
Hardware: Unspecified
OS: Unspecified
Fixed In Version: realmd-0.13.91-1.fc19
Doc Type: Bug Fix
Last Closed: 2013-05-22 03:15:16 UTC
Type: Bug

Description William Brown 2012-12-17 00:14:22 UTC
Description of problem:
realmd with Active Directory should support "permitting" logins based on group membership. For example:

realm permit "Domain Admins"

Running this at the moment, realmd puts the option into SSSD:

simple_allow_users = domain admins

Perhaps this is indicative of a limitation of SSSD, but it does impair realmd significantly.

Workaround:

For the moment, winbind supports group-based logins via the PAM stack, i.e. require_membership_of=[SID or NAME]. See also http://www.samba.org/samba/docs/man/manpages-3/pam_winbind.conf.5.html

Comment 1 Dmitri Pal 2012-12-17 03:29:00 UTC
I guess this is the limitation of the realmd. SSSD supports groups in the simple access provider as well as users. Please see all the man pages for sssd-simple. What happens above is that "Domain Admins" is treated as a user.

Maybe realmd should support another argument?

realm permit user "foo"
realm permit group "Domain Admins"

Comment 2 Stef Walter 2012-12-17 09:09:50 UTC
(In reply to comment #1)
> I guess this is the limitation of the realmd. SSSD supports groups in the
> simple access provider as well as users. Please see all the man pages for
> sssd-simple. What happens above is that "Domain Admins" is treated as a user.
> 
> Maybe realmd should support another argument?

Yes it probably should. Or we should resolve the user/group on the fly and add it to the appropriate sssd-simple list.

Comment 3 William Brown 2012-12-18 00:41:08 UTC
Don't resolve the group on the fly. What if I have a user and group with the same name, but mean different things?

The "realm permit [user|group]" syntax is probably the better option, as it is explicit to the user what their action will result in.
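
An added example, not part of the original thread and not realmd or SSSD code: a check that flags entries in simple_allow_users which actually resolve as groups, or as both a user and a group, the two cases raised in comments 1 and 3. The section name, sample names and stand-in resolvers are constructed; by default the function assumes NSS lookups through Python's pwd and grp modules reflect the joined domain.

```python
import configparser
import grp
import pwd

# Constructed sample of the [domain/...] section described in the report.
SAMPLE_SSSD_CONF = """
[domain/example.com]
access_provider = simple
simple_allow_users = domain admins, alice
simple_allow_groups = operators
"""


def _resolves(lookup, name):
    """True if an NSS lookup (pwd.getpwnam / grp.getgrnam) finds the name."""
    try:
        lookup(name)
        return True
    except KeyError:
        return False


def audit_simple_allow_users(conf_text, is_user=None, is_group=None):
    """Return (section, entry, finding) for suspect simple_allow_users entries."""
    is_user = is_user or (lambda n: _resolves(pwd.getpwnam, n))
    is_group = is_group or (lambda n: _resolves(grp.getgrnam, n))
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        raw = parser.get(section, "simple_allow_users", fallback="")
        for entry in filter(None, (e.strip() for e in raw.split(","))):
            user, group = is_user(entry), is_group(entry)
            if user and group:
                findings.append((section, entry, "ambiguous: user and group share this name"))
            elif group:
                findings.append((section, entry, "group in user list: use simple_allow_groups"))
            elif not user:
                findings.append((section, entry, "unresolvable: no such user or group"))
    return findings


if __name__ == "__main__":
    # Stand-in resolvers (constructed) so the sample runs without a joined host.
    users, groups = {"alice"}, {"domain admins", "operators"}
    for item in audit_simple_allow_users(SAMPLE_SSSD_CONF, users.__contains__, groups.__contains__):
        print(item)
```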

Comment 4 Stef Walter 2012-12-18 09:00:46 UTC
Good point. I'm also not super happy with 'permit' 'deny' as it's not clear that they refer to logins. Will try to come up with a syntax that fixes both problems...

Comment 5 Saso Tavcar 2013-02-19 21:35:03 UTC
(In reply to comment #4)
> Good point. I'm also not super happy with 'permit' 'deny' as it's not clear
> that they refer to logins. Will try to come up with a syntax that fixes both
> problems...

Is there anything new about group logins?
This is a preferred feature for a low system administration footprint in large domain environments.

Comment 6 Fedora Update System 2013-05-02 14:13:14 UTC
realmd-0.13.91-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/realmd-0.13.91-1.fc19

Comment 7 Fedora Update System 2013-05-03 15:22:53 UTC
Package realmd-0.13.91-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing realmd-0.13.91-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7345/realmd-0.13.91-1.fc19
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-05-22 03:15:16 UTC
realmd-0.13.91-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.