Description of problem:
realmd with Active Directory should support "permitting" logins based on group membership. For example:
realm permit "Domain Admins"
Running this at the moment, realmd puts the option into SSSD
simple_allow_users = domain admins
Perhaps this is indicative of a limitation of SSSD, but it does impair realmd significantly.
For the moment, winbind supports group-based logins via the PAM stack, i.e. require_membership_of=[SID or NAME]. See also http://www.samba.org/samba/docs/man/manpages-3/pam_winbind.conf.5.html
I guess this is the limitation of the realmd. SSSD supports groups in the simple access provider as well as users. Please see all the man pages for sssd-simple. What happens above is that "Domain Admins" is treated as a user.
Maybe realmd should support another argument?
realm permit user "foo"
realm permit group "Domain Admins"
(In reply to comment #1)
> I guess this is the limitation of the realmd. SSSD supports groups in the
> simple access provider as well as users. Please see all the man pages for
> sssd-simple. What happens above is that "Domain Admins" is treated as a user.
> Maybe realmd should support another argument?
Yes it probably should. Or we should resolve the user/group on the fly and add it to the appropriate sssd-simple list.
Don't resolve the group on the fly. What if I have a user and group with the same name, but mean different things?
The "realm permit [user|group]" syntax is probably the better option, as it is explicit to the user what their action will result in.
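The mix-up discussed in the comments above can be checked for directly. The following is an added example, not realmd or SSSD code: it reads the simple access provider options from an sssd.conf and reports names filed under the wrong list. The sample configuration, the example.test domain, the user and group sets (stand-ins for getent lookups) and case-insensitive name matching are all assumptions.

```python
import configparser

# Constructed sssd.conf, as left behind by: realm permit "Domain Admins"
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
[domain/example.test]
access_provider = simple
simple_allow_users = domain admins, alice
"""

# Constructed directory contents standing in for getent passwd / getent group.
# "backup" exists as both a user and a group (the same-name case).
KNOWN_USERS = {"alice", "backup"}
KNOWN_GROUPS = {"domain admins", "backup"}


def audit_simple_access(conf_text, is_user, is_group):
    """Return (section, option, name, problem) for every questionable entry."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    # (option, lookup that should match, lookup for the other kind, other kind)
    checks = (("simple_allow_users", is_user, is_group, "group"),
              ("simple_allow_groups", is_group, is_user, "user"))
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # only [domain/...] sections carry access settings
        if parser.get(section, "access_provider", fallback="") != "simple":
            continue
        for option, expected, other, other_kind in checks:
            raw = parser.get(section, option, fallback="")
            for name in (n.strip() for n in raw.split(",") if n.strip()):
                key = name.lower()  # assumption: names compare case-insensitively
                if expected(key) and other(key):
                    problem = "ambiguous: also a " + other_kind
                elif expected(key):
                    continue  # filed under the right list
                elif other(key):
                    problem = "is a " + other_kind + ", filed under the wrong list"
                else:
                    problem = "unknown name"
                findings.append((section, option, name, problem))
    return findings


if __name__ == "__main__":
    print(*audit_simple_access(SAMPLE_SSSD_CONF, KNOWN_USERS.__contains__,
                               KNOWN_GROUPS.__contains__), sep="\n")
```

With the group moved to simple_allow_groups, the same check returns no findings.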
Good point. I'm also not super happy with 'permit' 'deny' as it's not clear that they refer to logins. Will try to come up with a syntax that fixes both problems...
(In reply to comment #4)
> Good point. I'm also not super happy with 'permit' 'deny' as it's not clear
> that they refer to logins. Will try to come up with a syntax that fixes both
Is there anything new about group logins?
This is a preferred feature for low system administration footprint in large domain environments.
realmd-0.13.91-1.fc19 has been submitted as an update for Fedora 19.
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing realmd-0.13.91-1.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
realmd-0.13.91-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.