Oliver Burtchen wrote:
I've now nailed the problem down a little bit. I think it's HBAC with its empty
rules in the standard configuration. For me it was hard to recognize that it
prevents every user added with "ipa user-add" from logging in to the server or
joined machines (via ssh or console). When I do an "ipa-client-install --on-master --permit"
everything works fine. Without the "--permit" I always get an
access denied via pam-configuration.
Is there any documentation ready for reading/review for HBAC with freeipa?
At least it would be nice to have some short docu on what is necessary. Could you
lead me a little bit?
You need at least sssd 1.1.1 for hbac to work. I just added a tiny bit
of documentation on this yesterday at
It might point you in the right direction anyway. I hope to have more
thorough documentation on it available soon.
The default configuration in hbac uses the model "denied unless
explicitly allowed" which is why all your logins failed. We don't
currently have any default rules set up, I wonder if we should have some
basic ones for demonstration purposes and to sort of bootstrap things.
And thanks for your explanation about the sssd and sssd12 branch/repo at
jdennis. It makes the difference very clear to me and I now use the sssd12 for
testing (just to calm down a little bit ;-) . Maybe a little readme.txt with
your explanation would be quite nice on the server, so other people don't have
to ask again.
On Wednesday, 21 April 2010 22:41:53, Stephen Gallagher wrote:
On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
thanks for the answer. Yes, I used the ipa-client-install tool. But I had
patched in this fix from Rob to get 'join' working again. Well, living at the
bleeding edge.
You may find the debug logs in /var/log/sssd/. At their default settings
(level 0) these logs will display only critical errors. But if you need
more information, you can turn up the debug_level in the
/etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will
fill up fairly quickly.
I'll see if I can nail the problem down.
Btw., what's the difference between the sssd and sssd12 repos at jdennis?
What is the most recent one, what's to use with the ipa-devel repo?
We split the development of 1.2 off into its own branch. Builds from
that branch are put into the sssd12 repo. We're aiming to release 1.2.0
at the beginning of May. So that's the branch targeted towards our next
public release. We did this so we could put the finishing touches on
SSSD 1.2 while those of us who have completed their 1.2 tasks can move
The sssd repo contains our more experimental changes (for example, the
internal cache interface was completely rewritten). These are the
changes that will be forthcoming in sssd 1.3 sometime this summer.
So your choices are:
sssd12: Stabilizing towards release
sssd: Hang on for dear life(*)
(*) I usually run on this branch - eating my own dogfood, as it were -
though we make no guarantees that it won't break.
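To make the "denied unless explicitly allowed" HBAC model discussed earlier in this thread concrete, here is an added toy evaluator (my own illustration, not FreeIPA or SSSD code). It assumes literal user, host and service names (constructed values; real HBAC also expands group and hostgroup membership, which is omitted here) and shows why a fresh install with no rules rejects every "ipa user-add" user, and how a narrow rule opens only one service on one host.

```python
from dataclasses import dataclass

# Constructed model of FreeIPA HBAC evaluation (not FreeIPA's own code).
# Real HBAC also expands group/hostgroup membership; this toy uses literal names.


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    all_users: bool = False      # like usercat=all
    all_hosts: bool = False      # like hostcat=all
    all_services: bool = False   # like servicecat=all
    users: frozenset = frozenset()
    hosts: frozenset = frozenset()
    services: frozenset = frozenset()

    def matches(self, user: str, host: str, service: str) -> bool:
        """A rule grants access only when every dimension matches."""
        return (self.enabled
                and (self.all_users or user in self.users)
                and (self.all_hosts or host in self.hosts)
                and (self.all_services or service in self.services))


def matching_rules(rules, user, host, service):
    """Names of enabled rules that grant this (user, host, service) triple."""
    return [r.name for r in rules if r.matches(user, host, service)]


def hbac_allowed(rules, user, host, service) -> bool:
    """Default deny: access is granted only if at least one rule matches."""
    return bool(matching_rules(rules, user, host, service))


# Constructed scenario mirroring the thread: a fresh install has no rules at all.
NO_RULES = []
ALLOW_ALL = HbacRule("allow_all", all_users=True, all_hosts=True, all_services=True)
SSH_ADMINS = HbacRule("ssh_admins", users=frozenset({"alice"}),
                      hosts=frozenset({"client1.example.test"}),
                      services=frozenset({"sshd"}))

if __name__ == "__main__":
    host = "client1.example.test"
    for rules, label in ((NO_RULES, "no rules"), ([ALLOW_ALL], "allow_all"), ([SSH_ADMINS], "ssh_admins")):
        for svc in ("sshd", "login"):
            verdict = "allow" if hbac_allowed(rules, "alice", host, svc) else "deny"
            print(f"{label:10} alice@{host} via {svc:5} -> {verdict}")
```

With no rules every login is denied, which is the symptom described above; the narrow rule admits alice over sshd but still denies her a console login.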
Freeipa-users mailing list