Steven Jones wrote:

So whats the default rule?  can i set precedence? is there any?

The default rule is deny.


So Ive disabled the allow_all rule, I made a deny_all rule and then a rule to 
allow specific user groups to login to specific hostgroups servers....that 
didnt work...

So I disabled the deny_all rule and users in the specific group can login to 
the specific server, and if I remove them from the user group they cannot 
login, so OK good BUT the trouble is a second user that is in no groups at all 
can also login to the servers, which shouldn't occur...or at least I odnt want 
that to something is set incorrectly.

Is there a way to "suck out" the HBAC rules or whatever info for  the user at 
the command line?  I certainly cant find why that second user can login, it should not be 
able to, but it can.


It is currently very easy to create bad HBAC rules. The only real way to test them is to crank up the debug level in sssd and watch the logs.

We and the sssd team are in the process of writing a utility where you can simulate a rule execution and get feedback on how the rule will work (or if pieces are missing).


Freeipa-users mailing list

Reply via email to