On Thu, May 11, 2023 at 11:48:45AM -0000, J N via FreeIPA-users wrote:
> > On Thu, May 04, 2023 at 06:49:06AM -0000, Finn Fysj via
> > FreeIPA-users wrote:
> >
> > Hi,
> >
> > the above is part of the access control when a user is trying to log in.
> > As the message says there are no HBAC rules defined and hence access is
> > denied. By default there are:
> >
> > # ipa hbacrule-find
> > --------------------
> > 2 HBAC rules matched
> > --------------------
> > Rule name: allow_all
> > User category: all
> > Host category: all
> > Service category: all
> > Description: Allow all users to access any host from any host
> > Enabled: True
> >
> > Rule name: allow_systemd-user
> > User category: all
> > Host category: all
> > Description: Allow pam_systemd to run [email protected] to create a system
> > user session
> > Enabled: True
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> > defined. So it is expected that there are always some rules defined.
> > Please check your HBAC rules.
> >
> > HTH
> >
> > bye,
> > Sumit
>
> OK, what does this mean Sumit?
>
> Does it mean I should create my own HBAC rule for systemd-user? And should
> SSSD or ipactl restart be used when configuring SUDO/HBAC rules?
Hi,

first it would be good to check which rules are already defined. If there
are none you have to add some based on what requirements for access control
the customer has. If there are already some rules it might be worth figuring
out first why no rule applies to the given host and then checking whether it
would make sense to change one of the existing rules to cover the host or
whether a new rule is needed.

You do not have to restart anything after changing HBAC rules because they
will be re-read whenever there is a new login. But, depending on the
configuration, some details about the user, like e.g. group memberships,
might be cached by SSSD. In this case it might be possible that the changed
rules do not apply immediately if the change involved groups. In this case
calling 'sss_cache -E' on the client should help.

bye,
Sumit

> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
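A small model of the HBAC evaluation Sumit describes, added here as an illustration and not code from FreeIPA or SSSD. It shows why a login is denied when no enabled rule covers the user, host and service, and why a client whose cached group memberships are stale can keep denying a login after a group-based rule was changed. The rule set reuses the two default rules from the thread with allow_all disabled (an assumed customer setup); the extra rule, group names and host names are constructed, and the assumption that allow_systemd-user is restricted to the systemd-user PAM service is marked in the code.

```python
"""Toy model of FreeIPA HBAC rule evaluation (added example, not SSSD/IPA code).

A login request is allowed when at least one enabled HBAC rule matches the
user, the host and the PAM service.  Rules only ever grant access; group
membership is part of the match, which is why a stale group cache on the
client can make a freshly changed rule look as if it does not apply.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    enabled: bool = True
    # "category: all" on a rule means that clause matches everything
    user_all: bool = False
    host_all: bool = False
    service_all: bool = False
    users: frozenset = frozenset()
    user_groups: frozenset = frozenset()
    hosts: frozenset = frozenset()
    host_groups: frozenset = frozenset()
    services: frozenset = frozenset()


@dataclass
class Request:
    user: str
    user_groups: frozenset   # memberships as the client sees them (may be cached)
    host: str
    host_groups: frozenset
    service: str             # PAM service name, e.g. sshd


def _clause(all_flag, names, groups, value, member_of):
    """A clause matches on category 'all', a direct entry, or a shared group."""
    return all_flag or value in names or bool(groups & member_of)


def explain(rules, req):
    """Return {rule name: reason}; 'match' marks the rules that grant access."""
    result = {}
    for r in rules:
        if not r.enabled:
            result[r.name] = "disabled"
        elif not _clause(r.user_all, r.users, r.user_groups, req.user, req.user_groups):
            result[r.name] = "user does not match"
        elif not _clause(r.host_all, r.hosts, r.host_groups, req.host, req.host_groups):
            result[r.name] = "host does not match"
        elif not (r.service_all or req.service in r.services):
            result[r.name] = "service does not match"
        else:
            result[r.name] = "match"
    return result


def allowed(rules, req):
    """Access is granted if any enabled rule matches; there is no explicit deny."""
    return any(reason == "match" for reason in explain(rules, req).values())


# Constructed rule set: the two default rules from the thread, with allow_all
# disabled (assumed hardening step), plus one group/hostgroup-based rule.
RULES = [
    Rule("allow_all", enabled=False, user_all=True, host_all=True, service_all=True),
    # Assumption: the default allow_systemd-user rule is limited to the
    # systemd-user PAM service (the quoted output does not show its service line).
    Rule("allow_systemd-user", user_all=True, host_all=True,
         services=frozenset({"systemd-user"})),
    Rule("admins_ssh_webservers", user_groups=frozenset({"admins"}),
         host_groups=frozenset({"webservers"}), services=frozenset({"sshd"})),
]

if __name__ == "__main__":
    fresh = Request("alice", frozenset({"admins"}), "web1.example.test",
                    frozenset({"webservers"}), "sshd")
    # Same user after being added to 'admins', but the client cache still
    # shows no groups: denied until the cache is refreshed.
    stale = Request("alice", frozenset(), "web1.example.test",
                    frozenset({"webservers"}), "sshd")
    for label, req in (("fresh cache", fresh), ("stale cache", stale)):
        print(label, "->", "allowed" if allowed(RULES, req) else "denied",
              explain(RULES, req))
```

On a real deployment the same per-rule breakdown comes from `ipa hbactest --user <user> --host <host> --service <service>` run against the server, which lists the matched and not-matched rules; if that says allowed but the client still denies, the client-side picture (here the `stale` request) is the thing to refresh with `sss_cache -E`.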
