I am currently trying to set up Kerberos authentication for IcingaWeb2. By now, I got the authentication process up and running, and I can log in to Icingaweb2 with my AD credentials. Anyways, Icingaweb shows me an empty dashboard with no accessible data once I am logged in, since there are no user/group policies active for the new user on first login.
I found the workaround of explicitly creating a user with the AD user’s name and attributing him the right policies before logging in to be working, but this is not a very satisfying way of handling this.
So my question would be, is there a way to e.g. allow users logging in via Kerberos certain default permissions?
You need to create Roles in the Icinga Web 2 configuration under “Authentication”.
Then you can simply add the AD user names or user group names to these roles.
The operating role has no administrative access (no Icinga Director), but mostly general access to the other modules, and can issue commands/downtimes/comments in the web interface.
Instead of adding the AD users/groups to the roles directly, you can also create Icinga Web 2 internal groups and add them there.
Thank you for your answer, but this is basically what I have been doing up to now. Maybe I need to explain what I think of as an ideal solution a bit better:
Let’s say I login with my AD user being called mydomain\daniel. I log in to Icingaweb2 and the username gets stripped to daniel for convenience. mydomain\daniel is part of e.g. the AD security group Domain-Monitoring-Admins.
Is there a way in Icingaweb2 to map all members of this AD security group onto e.g. an Icinga-role Administrator automatically?
Yes, exactly as I describe above. Add Domain-Monitoring-Admins to the Administrator role.
If by “automatically” you mean without any further doings, then: no, not that I know of.