On Sunday, 2 May 2010 04:43:22, Rob Crittenden wrote:
> Oliver Burtchen wrote:
> > Hi Stephen,
> >
> > I nailed the problem down a little bit now. I think it's HBAC with its
> > empty rules in the standard configuration. For me it was hard to
> > recognize that it prevents every user added with "ipa user-add" from
> > logging in to the server or joined machines (via ssh or console). When I do
> > a "ipa-client-install --on-master --permit" everything works fine.
> > Without the "--permit" I always get an access denied via
> > pam-configuration.
> >
> > Is there any documentation ready for reading/review for HBAC with
> > freeipa? At least it would be nice to have some short documentation on what is
> > necessary. Could you lead me a little bit?
> 
> You need at least sssd 1.1.1 for hbac to work. I just added a tiny bit
> of documentation on this yesterday at
> http://freeipa.org/page/CLI_Overview#hbac
> 
> It might point you in the right direction anyway. I hope to have more
> thorough documentation on it available soon.

Thanks for the hint. Just for the record, here is some more information:
http://freeipa.org/page/Concepts_and_Objects#Host_Based_Access_Control

> 
> The default configuration in hbac uses the model "denied unless
> explicitly allowed" which is why all your logins failed. We don't
> currently have any default rules set up, I wonder if we should have some
> basic ones for demonstration purposes and to sort of bootstrap things.

Well, I played around a little bit and managed to set up rules to allow ssh
login. Now I have some more questions:

a) Is it right that I cannot use wildcards or placeholders in the service
name? I tried "all" and "*", but only explicit naming like "ssh" or "sshd"
works.

b) Is it right that I have to set host and source host? For me, it doesn't
work if I do not. My first thought was, if it's not set, it should always
match.

c) Like a), how do I set up a rule for all hosts or source hosts? Do I have to
put them all in a hostgroup? If so, then it would be very handy if ipa could
manage such a group automagically for reference.

d) How do I set up a rule which restricts services like nfs to the LAN (and known
hosts), but permits ssh from every machine over the internet (unknown hosts)?

e) Like Simo suggested, finally, how do I set up an explicit permit-all rule for
testing?

Best regards,
Oli


> 
> rob
> 
> > > And thanks for your explanation about the sssd and sssd12 branch/repo at
> > > jdennis. It makes the difference very clear to me and I now use the
> > > sssd12 for testing (just to calm down a little bit ;-) ). Maybe a little
> > > readme.txt with your explanation would be quite nice on the server, so
> > > other people don't have to ask again.
> >
> > Best regards,
> > Oli
> >
> > On Wednesday, 21 April 2010 22:41:53, Stephen Gallagher wrote:
> >> On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
> >>> Hi Stephen,
> >>>
> >>> thanks for the answer. Yes, I used the ipa-client-install tool. But I
> >>> had first patched in this fix
> >>>
> >>> https://www.redhat.com/archives/freeipa-devel/2010-April/msg00004.html
> >>>
> >>> from Rob to get 'join' working again. Well, living at the bleeding
> >>> edge. ;-)
> >>>
> >>> I'll see if I can nail the problem down.
> >>
> >> You may find the debug logs in /var/log/sssd/. At their default settings
> >> (level 0) these logs will display only critical errors. But if you need
> >> more information, you can turn up the debug_level in the
> >> /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will
> >> fill up fairly quickly.
> >>
> >>> Btw., what's the difference between
> >>> the sssd and sssd12 repos at jdennis? What is the most recent one,
> >>> what's best to use with the ipa-devel repo?
> >>
> >> We split the development of 1.2 off into its own branch. Builds from
> >> that branch are put into the sssd12 repo. We're aiming to release 1.2.0
> >> at the beginning of May. So that's the branch targeted towards our next
> >> public release. We did this so we could put the finishing touches on
> >> SSSD 1.2 while those of us who have completed their 1.2 tasks can move
> >> ahead.
> >>
> >> The sssd repo contains our more experimental changes (for example, the
> >> internal cache interface was completely rewritten). These are the
> >> changes that will be forthcoming in sssd 1.3 sometime this summer.
> >>
> >> So your choices are:
> >> sssd12: Stabilizing towards release
> >> sssd: Hang on for dear life(*)
> >>
> >>
> >>
> >> (*) I usually run on this branch - eating my own dogfood, as it were -
> >> though we make no guarantees that it won't break.
> >>
> >> _______________________________________________
> >> Freeipa-users mailing list
> >> Freeipa-users@redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

-- 
Oliver Burtchen, Berlin

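Rob's description of HBAC as "denied unless explicitly allowed", and Oli's questions (b) through (e) about hosts, source hosts, hostgroups and a permit-all rule, can be illustrated with a small model of how a set of such rules is evaluated. This is an added example, not FreeIPA or SSSD code: the rule fields (user, host, service and source host, each with an optional "all" category), the hostgroup named "lan", the host and user names, and the decision function are all constructed here. The option names of the real `ipa hbacrule-*` commands are deliberately not reproduced, since they changed between releases, and later FreeIPA releases deprecated the source-host part of HBAC rules entirely.

```python
# Added example (not FreeIPA code): a model of HBAC decisions where every
# field of a rule must match and no matching enabled rule means "deny".
# Host names, user names and the "lan" hostgroup are constructed.
from dataclasses import dataclass, field
from typing import Optional

ALL = "all"  # category value that turns a field into a wildcard (usercat=all etc.)

# Constructed hostgroup, standing in for an IPA hostgroup named "lan".
HOSTGROUPS = {
    "lan": {"srv.example.test", "pc1.example.test", "pc2.example.test"},
}


@dataclass
class Rule:
    name: str
    users: set = field(default_factory=set)          # explicit user names
    hosts: set = field(default_factory=set)          # explicit target hosts (FQDN)
    hostgroups: set = field(default_factory=set)     # target hostgroups
    services: set = field(default_factory=set)       # PAM service names, e.g. "sshd"
    srchosts: set = field(default_factory=set)       # explicit source hosts (FQDN)
    srchostgroups: set = field(default_factory=set)  # source hostgroups
    usercat: str = ""      # "all" makes the user check match anyone
    hostcat: str = ""
    servicecat: str = ""
    srchostcat: str = ""
    enabled: bool = True


def _expand(hosts: set, groups: set) -> set:
    """Explicit hosts plus every member of the referenced hostgroups."""
    members = set(hosts)
    for g in groups:
        members |= HOSTGROUPS.get(g, set())
    return members


def _matches(cat: str, members: set, value: Optional[str]) -> bool:
    # An empty category with an empty member list matches nothing, so a rule
    # that names neither hosts nor hostcat=all never allows a login (question b).
    return cat == ALL or (value is not None and value in members)


def rule_matches(r: Rule, user: str, host: str, service: str,
                 srchost: Optional[str]) -> bool:
    return (r.enabled
            and _matches(r.usercat, r.users, user)
            and _matches(r.hostcat, _expand(r.hosts, r.hostgroups), host)
            and _matches(r.servicecat, r.services, service)
            and _matches(r.srchostcat, _expand(r.srchosts, r.srchostgroups), srchost))


def is_allowed(rules, user, host, service, srchost=None) -> bool:
    """Deny unless explicitly allowed: one matching enabled rule grants access.
    srchost=None models a client whose source host IPA does not know."""
    return any(rule_matches(r, user, host, service, srchost) for r in rules)


# Explicit permit-all rule for testing (question e): every category is "all".
ALLOW_ALL = [Rule("allow_all", usercat=ALL, hostcat=ALL, servicecat=ALL, srchostcat=ALL)]

# Question d: ssh from anywhere for everyone, nfs only between members of "lan".
RULES = [
    Rule("ssh_anywhere", usercat=ALL, hostcat=ALL, srchostcat=ALL, services={"sshd"}),
    Rule("nfs_lan_only", usercat=ALL, services={"nfs"},
         hostgroups={"lan"}, srchostgroups={"lan"}),
]


def demo() -> dict:
    """Decisions for a few constructed logins; keys name the scenario."""
    return {
        "no_rules_ssh": is_allowed([], "oli", "srv.example.test", "sshd"),
        "allow_all_ssh": is_allowed(ALLOW_ALL, "oli", "srv.example.test", "sshd"),
        "ssh_from_internet": is_allowed(RULES, "oli", "srv.example.test", "sshd"),
        "nfs_from_internet": is_allowed(RULES, "oli", "srv.example.test", "nfs"),
        "nfs_from_lan": is_allowed(RULES, "oli", "srv.example.test", "nfs",
                                   srchost="pc1.example.test"),
        "nfs_to_host_outside_lan": is_allowed(RULES, "oli", "laptop.example.test",
                                              "nfs", srchost="pc1.example.test"),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {'allow' if decision else 'deny'}")
```

The first scenario reproduces the symptom from the top of the thread: with no rules at all, every login is denied. The two-rule set shows why the source-host field matters for question d: a client IPA has never seen gets sshd through the wildcard rule but cannot reach nfs, because the nfs rule only matches source hosts that are members of the hostgroup.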