Bug 887675 - realmd does now support "permit" options for groups.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: realmd
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Stef Walter
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-12-17 00:14 UTC by William Brown
Modified: 2013-05-22 10:38 UTC (History)

Fixed In Version: realmd-0.13.91-1.fc19
Doc Type: Bug Fix
Last Closed: 2013-05-22 03:15:16 UTC
Type: Bug


Links
System ID Private Priority Status Summary Last Updated
FreeDesktop.org 58397 0 None None None Never

Description William Brown 2012-12-17 00:14:22 UTC
Description of problem:
realmd with Active Directory should support "permitting" logins based on group membership. For example:

realm permit "Domain Admins"

Running this at the moment, realmd puts the option into SSSD

simple_allow_users = domain admins

Perhaps this is indicative of a limitation of SSSD, but it does impair realmd significantly.

Workaround:

For the moment, winbind supports group-based logins via the PAM stack, i.e. require_membership_of=[SID or NAME]. See also http://www.samba.org/samba/docs/man/manpages-3/pam_winbind.conf.5.html

Comment 1 Dmitri Pal 2012-12-17 03:29:00 UTC
I guess this is the limitation of the realmd. SSSD supports groups in the simple access provider as well as users. Please see all the man pages for sssd-simple. What happens above is that "Domain Admins" is treated as a user.

Maybe realmd should support another argument?

realm permit user "foo"
realm permit group "Domain Admins"

Comment 2 Stef Walter 2012-12-17 09:09:50 UTC
(In reply to comment #1)
> I guess this is the limitation of the realmd. SSSD supports groups in the
> simple access provider as well as users. Please see all the man pages for
> sssd-simple. What happens above is that "Domain Admins" is treated as a user.
> 
> Maybe realmd should support another argument?

Yes it probably should. Or we should resolve the user/group on the fly and add it to the appropriate sssd-simple list.

Comment 3 William Brown 2012-12-18 00:41:08 UTC
Don't resolve the group on the fly. What if I have a user and group with the same name, but mean different things?

The "realm permit [user|group]" syntax is probably the better option, as it is explicit to the user what their action will result in.
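
An audit for the misplacement described in comments 1 and 3, added here as an example and not taken from realmd or SSSD: it reads sssd.conf text and flags names in the sssd-simple lists that resolve as the wrong kind of object, or as both a user and a group. The domain name, the sample config and the function name `audit_simple_access` are assumptions made for illustration.

```python
import configparser
import grp
import pwd

# Constructed sample: the state the report describes after
# `realm permit "Domain Admins"` (domain name is a placeholder).
SAMPLE_SSSD_CONF = """
[domain/example.test]
access_provider = simple
simple_allow_users = domain admins, alice
"""

def _is_user(name):
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def _is_group(name):
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def audit_simple_access(conf_text, is_user=_is_user, is_group=_is_group):
    """Return (section, option, name, finding) for suspect sssd-simple entries."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "access_provider", fallback="") != "simple":
            continue
        for opt, want_user in (("simple_allow_users", True),
                               ("simple_allow_groups", False)):
            raw = cp.get(section, opt, fallback="")
            for name in (n.strip() for n in raw.split(",") if n.strip()):
                u, g = is_user(name), is_group(name)
                if u and g:  # the same-name case raised in comment 3
                    findings.append((section, opt, name, "ambiguous: both user and group"))
                elif want_user and g:  # the case in the original report
                    findings.append((section, opt, name, "group listed as user"))
                elif not want_user and u:
                    findings.append((section, opt, name, "user listed as group"))
                elif not u and not g:
                    findings.append((section, opt, name, "unresolved"))
    return findings
```

By default the lookups go through the host's NSS (`pwd`/`grp`), so run it on the joined machine; pass your own `is_user`/`is_group` callables to check a config offline.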

Comment 4 Stef Walter 2012-12-18 09:00:46 UTC
Good point. I'm also not super happy with 'permit' 'deny' as it's not clear that they refer to logins. Will try to come up with a syntax that fixes both problems...

Comment 5 Saso Tavcar 2013-02-19 21:35:03 UTC
(In reply to comment #4)
> Good point. I'm also not super happy with 'permit' 'deny' as it's not clear
> that they refer to logins. Will try to come up with a syntax that fixes both
> problems...

Is there anything new about group logins?
This is a preferred feature for a low system administration footprint in large domain environments.

Comment 6 Fedora Update System 2013-05-02 14:13:14 UTC
realmd-0.13.91-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/realmd-0.13.91-1.fc19

Comment 7 Fedora Update System 2013-05-03 15:22:53 UTC
Package realmd-0.13.91-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing realmd-0.13.91-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7345/realmd-0.13.91-1.fc19
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-05-22 03:15:16 UTC
realmd-0.13.91-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

