On Sun, May 02, 2010 at 08:41:14PM +0200, Oliver Burtchen wrote:
> Am Sonntag, 2. Mai 2010 04:43:22 schrieb Rob Crittenden:
> > Oliver Burtchen wrote:
> > > Hi Stephen,
> > >
> > > I nailed the problem now a little bit down. I think it's HBAC with it's
> > > empty rules in the standard configuration. For me it was hard to
> > > recognize that it prevents every user added with "ipa user-add" from
> > > logging in the server or joined machines (via ssh or console). When I do
> > > a "ipa-client-install --on- master --permit" everthing works fine.
> > > Without the "--permit" I always get a access denied via
> > > pam-configuration.
> > >
> > > Are there any documentations ready for reading/review for HBAC with
> > > freeipa? At least it would be nice to have some short docu what is
> > > necessary. Could you lead me a little bit?
> > 
> > You need at least sssd 1.1.1 for hbac to work. I just added a tiny bit
> > of documentation on this yesterday at
> > http://freeipa.org/page/CLI_Overview#hbac
> > 
> > It might point you in the right direction anyway. I hope to have more
> > thorough documentation on it available soon.
> 
> Thanks for the hint. Just for the record, here are some more Informations:
> http://freeipa.org/page/Concepts_and_Objects#Host_Based_Access_Control

Even more information can be found here:
http://freeipa.org/page/DS_Design_Summary#HBAC_object
This page is basically what I used to implement the IPA HBAC rules in
sssd.

> 
> > 
> > The default configuration in hbac uses the model "denied unless
> > explicitly allowed" which is why all your logins failed. We don't
> > currently have any default rules set up, I wonder if we should have some
> > basic ones for demonstration purposes and to sort of bootstrap things.
> 
> Well, I played around a little bit and managed to setup rules to allow ssh-
> login. Now I have some more questions:
> 
> a) Is it right that I cannot use wildcards or placeholders in the service-
> name? I tried "all" and "*", but only explicite naming like "ssh" or "sshd" 
> works.

If the service is empty every service is allowed.


> 
> b) Is it right, that I have to set host and source-host? For me, it doesn't 
> work if I do not. My first thought was, if it's not set, it should always 
> match. 

Please set the source host category to 'all':
 ipa hbac-mod --srchostcat=all YOUR_RULE_NAME

> 
> c) Like a), how to set up a rule for all hosts or source-hosts? Do I have to 
> put them all in a hostgroup? If so, than it would be very handy, if ipa could 
> manage such group automagically for reference.

There is also a host category and a user category to set:
 ipa hbac-mod --hostcat=all YOUR_RULE_NAME
 ipa hbac-mod --usercat=all YOUR_RULE_NAME

> 
> d) How to setup a rule which restrics services like nfs to the lan (and known 
> hosts), but permits ssh from every machine over the internet (unknown hosts)?

You will need two rules one for the service sshd and one for nfs.

> 
> e) Like Simo suggested, finally how to setup an explicit permit all rule for 
> testing?

ipa hbac-add --type=allow allow_all
ipa hbac-mod --srchostcat=all allow_all
ipa hbac-mod --hostcat=all allow_all
ipa hbac-mod --usercat=all allow_all

HTH.

bye,
Sumit

> 
> Best regards,
> Oli
> 
> 
> > 
> > rob
> > 
> > > And thanks for your explanation about the sssd and sssd12 branch/repo at
> > > jdennis. It makes the difference very clear to me and I now use the
> > > sssd12 for testing (just to calm down a little bit   ;-) . Maybe a little
> > > readme.txt with your explanation would be quite nice on the server, so
> > > other people don't have to ask again.
> > >
> > > Best regards,
> > > Oli
> > >
> > > Am Mittwoch, 21. April 2010 22:41:53 schrieb Stephen Gallagher:
> > >> On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
> > >>> Hi Stephen,
> > >>>
> > >>> thanks for the answer. Yes, I used the ipa-client-install tool. But I
> > >>> had
> > >
> > > first
> > >
> > >>> patched in this fix
> > >>>
> > >>> https://www.redhat.com/archives/freeipa-devel/2010-April/msg00004.html
> > >>>
> > >>> from Rob to get 'join' working again. Well, living at the bleeding
> > >>> edge.
> > >
> > > ;-)
> > >
> > >>> I'll see if I can nail the problem down.
> > >>
> > >> You may find the debug logs in /var/log/sssd/. At their default settings
> > >> (level 0) these logs will display only critical errors. But if you need
> > >> more information, you can turn up the debug_level in the
> > >> /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will
> > >> fill up fairly quickly.
> > >>
> > >> Btw., what's the difference between
> > >>
> > >>> the sssd and sssd12 repos at jdennis? What is the most recent one,
> > >>> whats
> > >
> > > best
> > >
> > >>> to use with the ipa-devel repo?
> > >>
> > >> We split the development of 1.2 off into it's own branch. Builds from
> > >> that branch are put into the sssd12 repo. We're aiming to release 1.2.0
> > >> at the beginning of May. So that's the branch targeted towards our next
> > >> public release. We did this so we could put the finishing touches on
> > >> SSSD 1.2 while those of us who have completed their 1.2 tasks can move
> > >> ahead.
> > >>
> > >> The sssd repo contains our more experimental changes (for example, the
> > >> internal cache interface was completely rewritten). These are the
> > >> changes that will be forthcoming in sssd 1.3 sometime this summer.
> > >>
> > >> So your choices are:
> > >> sssd12: Stabilizing towards release
> > >> sssd: Hang on for dear life(*)
> > >>
> > >>
> > >>
> > >> (*) I usually run on this branch - eating my own dogfood, as it were -
> > >> though we make no guarantees that it won't break.
> > >>
> > >> _______________________________________________
> > >> Freeipa-users mailing list
> > >> Freeipa-users@redhat.com
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> > 
> 
> -- 
> Oliver Burtchen, Berlin
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to