On Sun, May 02, 2010 at 08:41:14PM +0200, Oliver Burtchen wrote:
> On Sunday, 2 May 2010 04:43:22, Rob Crittenden wrote:
> > Oliver Burtchen wrote:
> > > Hi Stephen,
> > >
> > > I nailed the problem now a little bit down. I think it's HBAC with its
> > > empty rules in the standard configuration. For me it was hard to
> > > recognize that it prevents every user added with "ipa user-add" from
> > > logging in the server or joined machines (via ssh or console). When I do
> > > a "ipa-client-install --on-master --permit" everything works fine.
> > > Without the "--permit" I always get an access denied via
> > > pam-configuration.
> > >
> > > Are there any documentations ready for reading/review for HBAC with
> > > freeipa? At least it would be nice to have some short docu what is
> > > necessary. Could you lead me a little bit?
> >
> > You need at least sssd 1.1.1 for hbac to work. I just added a tiny bit
> > of documentation on this yesterday at
> > http://freeipa.org/page/CLI_Overview#hbac
> >
> > It might point you in the right direction anyway. I hope to have more
> > thorough documentation on it available soon.
>
> Thanks for the hint. Just for the record, here is some more information:
> http://freeipa.org/page/Concepts_and_Objects#Host_Based_Access_Control

Even more information can be found here:
http://freeipa.org/page/DS_Design_Summary#HBAC_object

This page is basically what I used to implement the IPA HBAC rules in sssd.

> >
> > The default configuration in hbac uses the model "denied unless
> > explicitly allowed" which is why all your logins failed. We don't
> > currently have any default rules set up, I wonder if we should have some
> > basic ones for demonstration purposes and to sort of bootstrap things.
>
> Well, I played around a little bit and managed to set up rules to allow ssh-
> login. Now I have some more questions:
>
> a) Is it right that I cannot use wildcards or placeholders in the service-
> name? I tried "all" and "*", but only explicit naming like "ssh" or "sshd"
> works. If the service is empty every service is allowed.
>
> b) Is it right that I have to set host and source-host? For me, it doesn't
> work if I do not. My first thought was, if it's not set, it should always
> match.

Please set the source host category to 'all':

ipa hbac-mod --srchostcat=all YOUR_RULE_NAME

>
> c) Like a), how to set up a rule for all hosts or source-hosts? Do I have to
> put them all in a hostgroup? If so, then it would be very handy if ipa could
> manage such a group automagically for reference.

There is also a host category and a user category to set:

ipa hbac-mod --hostcat=all YOUR_RULE_NAME
ipa hbac-mod --usercat=all YOUR_RULE_NAME

>
> d) How to set up a rule which restricts services like nfs to the lan (and known
> hosts), but permits ssh from every machine over the internet (unknown hosts)?

You will need two rules, one for the service sshd and one for nfs.

>
> e) Like Simo suggested, finally how to set up an explicit permit-all rule for
> testing?

ipa hbac-add --type=allow allow_all
ipa hbac-mod --srchostcat=all allow_all
ipa hbac-mod --hostcat=all allow_all
ipa hbac-mod --usercat=all allow_all

HTH.

bye,
Sumit

>
> Best regards,
> Oli
>
> >
> > rob
> >
> > > And thanks for your explanation about the sssd and sssd12 branch/repo at
> > > jdennis. It makes the difference very clear to me and I now use the
> > > sssd12 for testing (just to calm down a little bit ;-) . Maybe a little
> > > readme.txt with your explanation would be quite nice on the server, so
> > > other people don't have to ask again.
> > >
> > > Best regards,
> > > Oli
> > >
> > > On Wednesday, 21 April 2010 22:41:53, Stephen Gallagher wrote:
> > >> On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
> > >>> Hi Stephen,
> > >>>
> > >>> thanks for the answer. Yes, I used the ipa-client-install tool. But I
> > >>> had first patched in this fix
> > >>>
> > >>> https://www.redhat.com/archives/freeipa-devel/2010-April/msg00004.html
> > >>>
> > >>> from Rob to get 'join' working again. Well, living at the bleeding
> > >>> edge. ;-)
> > >>> I'll see if I can nail the problem down.
> > >>
> > >> You may find the debug logs in /var/log/sssd/. At their default settings
> > >> (level 0) these logs will display only critical errors. But if you need
> > >> more information, you can turn up the debug_level in the
> > >> /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will
> > >> fill up fairly quickly.
> > >>
> > >>> Btw., what's the difference between
> > >>> the sssd and sssd12 repos at jdennis? What is the most recent one, what's
> > >>> best to use with the ipa-devel repo?
> > >>
> > >> We split the development of 1.2 off into its own branch. Builds from
> > >> that branch are put into the sssd12 repo. We're aiming to release 1.2.0
> > >> at the beginning of May. So that's the branch targeted towards our next
> > >> public release. We did this so we could put the finishing touches on
> > >> SSSD 1.2 while those of us who have completed their 1.2 tasks can move
> > >> ahead.
> > >>
> > >> The sssd repo contains our more experimental changes (for example, the
> > >> internal cache interface was completely rewritten). These are the
> > >> changes that will be forthcoming in sssd 1.3 sometime this summer.
> > >>
> > >> So your choices are:
> > >> sssd12: Stabilizing towards release
> > >> sssd: Hang on for dear life(*)
> > >>
> > >> (*) I usually run on this branch - eating my own dogfood, as it were -
> > >> though we make no guarantees that it won't break.
> > >>
> > >> _______________________________________________
> > >> Freeipa-users mailing list
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Oliver Burtchen, Berlin
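As an added illustration (not code from this thread, FreeIPA or sssd), the following Python models the evaluation semantics the thread describes: access is denied unless an allow rule matches, each of user/host/source-host is matched either by an explicit entry or by its category being set to 'all', an empty service list matches every service as Oliver observed in a), and question d) is answered by Sumit's two-rule split for sshd and nfs. The rule, user and host names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class HbacRule:
    """One allow rule; an empty set with no category matches nothing."""
    name: str
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    srchosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    usercat: Optional[str] = None     # 'all' == ipa hbac-mod --usercat=all
    hostcat: Optional[str] = None     # 'all' == ipa hbac-mod --hostcat=all
    srchostcat: Optional[str] = None  # 'all' == ipa hbac-mod --srchostcat=all


def _matches(value, explicit, category, empty_means_all=False):
    # A dimension matches when its category is 'all', when the value is
    # listed explicitly, or (services only) when nothing is listed at all.
    if category == "all" or (empty_means_all and not explicit):
        return True
    return value in explicit


def rule_matches(rule, user, host, srchost, service):
    return (_matches(user, rule.users, rule.usercat)
            and _matches(host, rule.hosts, rule.hostcat)
            and _matches(srchost, rule.srchosts, rule.srchostcat)
            and _matches(service, rule.services, None, empty_means_all=True))


def access_allowed(rules, user, host, srchost, service):
    """Denied unless some allow rule explicitly matches (the thread's model)."""
    return any(rule_matches(r, user, host, srchost, service) for r in rules)


# Constructed rules mirroring the thread (rule names and hosts are made up).
EMPTY_RULE = HbacRule("default")  # nothing set: every login is denied
ALLOW_ALL = HbacRule("allow_all", usercat="all", hostcat="all", srchostcat="all")
SSH_ANY = HbacRule("ssh_any", usercat="all", hostcat="all", srchostcat="all",
                   services={"sshd"})
NFS_LAN = HbacRule("nfs_lan", usercat="all", hostcat="all",
                   srchosts={"ws1.lan.example", "ws2.lan.example"},
                   services={"nfs"})
LAN_RULES = [SSH_ANY, NFS_LAN]  # the two-rule answer to question d)
```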
