Oliver Burtchen wrote:
Hi Stephen,

I nailed the problem down a little bit now. I think it's HBAC with its empty rules in the standard configuration. For me it was hard to recognize that it prevents every user added with "ipa user-add" from logging in to the server or joined machines (via ssh or console). When I do an "ipa-client-install --on-master --permit" everything works fine. Without the "--permit" I always get an access denied via pam-configuration.

Are there any documentations ready for reading/review for HBAC with freeipa? At least it would be nice to have some short docu what is necessary. Could you lead me a little bit?

You need at least sssd 1.1.1 for hbac to work. I just added a tiny bit of documentation on this yesterday at http://freeipa.org/page/CLI_Overview#hbac

It might point you in the right direction anyway. I hope to have more thorough documentation on it available soon.

The default configuration in hbac uses the model "denied unless explicitly allowed" which is why all your logins failed. We don't currently have any default rules set up, I wonder if we should have some basic ones for demonstration purposes and to sort of bootstrap things.


And thanks for your explanation about the sssd and sssd12 branch/repo at jdennis. It makes the difference very clear to me and I now use the sssd12 for testing (just to calm down a little bit ;-)). Maybe a little readme.txt with your explanation would be quite nice on the server, so other people don't have to ask again.

Best regards,

On Wednesday, 21 April 2010 22:41:53, Stephen Gallagher wrote:
On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
Hi Stephen,

thanks for the answer. Yes, I used the ipa-client-install tool. But I had patched in this fix


from Rob to get 'join' working again. Well, living at the bleeding edge.
I'll see if I can nail the problem down.
You may find the debug logs in /var/log/sssd/. At their default settings (level 0) these logs will display only critical errors. But if you need more information, you can turn up the debug_level in the /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will fill up fairly quickly.

Btw., what's the difference between the sssd and sssd12 repos at jdennis? What is the most recent one, what's to use with the ipa-devel repo?

We split the development of 1.2 off into its own branch. Builds from that branch are put into the sssd12 repo. We're aiming to release 1.2.0 at the beginning of May. So that's the branch targeted towards our next public release. We did this so we could put the finishing touches on SSSD 1.2 while those of us who have completed their 1.2 tasks can move ahead.

The sssd repo contains our more experimental changes (for example, the internal cache interface was completely rewritten). These are the changes that will be forthcoming in sssd 1.3 sometime this summer.

So your choices are:
sssd12: Stabilizing towards release
sssd: Hang on for dear life(*)

(*) I usually run on this branch - eating my own dogfood, as it were - though we make no guarantees that it won't break.
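The "denied unless explicitly allowed" HBAC model discussed earlier in this thread, as an added toy evaluator that is not FreeIPA's or SSSD's own code. The rule shape (user, host and service sets with an "all" category wildcard, plus an enabled flag) is an assumption made for the example; the point it shows is that an empty rule set denies every (user, host, service) triple, which is the behaviour seen after a plain "ipa user-add".

```python
"""Toy model of HBAC evaluation: access is denied unless some enabled rule
explicitly allows the (user, host, service) triple.  Rule layout is an
assumption for this example, not FreeIPA's schema."""
from __future__ import annotations

from dataclasses import dataclass, field

ALL = "all"  # category wildcard: rule applies to every user/host/service


def _in_scope(scope, value):
    """True if the scope is the 'all' category or contains the value."""
    return scope == ALL or value in scope


@dataclass
class HbacRule:
    name: str
    users: set | str = field(default_factory=set)
    hosts: set | str = field(default_factory=set)
    services: set | str = field(default_factory=set)  # PAM service names
    enabled: bool = True

    def matches(self, user, host, service):
        return (self.enabled
                and _in_scope(self.users, user)
                and _in_scope(self.hosts, host)
                and _in_scope(self.services, service))


def hbac_allowed(rules, user, host, service):
    """Return (allowed, name_of_matching_rule). No match -> (False, None)."""
    for rule in rules:
        if rule.matches(user, host, service):
            return True, rule.name
    return False, None


if __name__ == "__main__":
    # Constructed sample: a fresh user, one joined host, ssh and console login.
    user, host = "oliver", "client1.example.test"
    print(hbac_allowed([], user, host, "sshd"))    # (False, None): empty rules
    rules = [HbacRule("allow_all", users=ALL, hosts=ALL, services=ALL)]
    print(hbac_allowed(rules, user, host, "login"))  # (True, 'allow_all')
```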

Freeipa-users mailing list