I have a new Rancher install and just went through a process to assign global admin roles to a specific AD group that just has to be wrong. The process worked and it’ll only be used once, so…maybe it’s right?
Here’s what I did:
- I configured AD authentication and restricted site access to a specific AD group via a local admin account.
No group users had logged in yet, so there were no users in security=>users. The local admin account can’t grant global roles to a group account because it can’t see them, as is stated in the Rancher docs.
- So, I logged out, logged back in as a group account which only had standard user privs.
- I logged out and back in as local admin to apply admin privs to the group account.
- Logged out and back in again as the group account which let me apply global role to the entire group.
That is four separate logins to do what sounds like it should be pretty straightforward. Like I said, it only has to happen once - and it works, so maybe that’s right.
Did I miss something in the docs to grant that first global role?