On Fri, May 18, 2012 at 02:27:15PM -0700, Gelen James wrote:
> Hi all,
> Just like to clarify my confusion: Are the HBAC (Host Based Access
> Control) rules immediately in effect after IPA client software
> configurations through sssd? Do we have any options inside sssd.conf to
> enable/disable the HBAC rules per machine (inside IPA domain)? I have this
> question because some important servers need to be available all the
> time, even badly written HBAC rules could block access to all other
> servers.
>
> Another very close question is: what are the scenarios to use '--permit'
> option to 'ipa-client-install'? the manual says 'Configure SSSD to permit
> all access. Otherwise the machine will be controlled by the Host-based
> Access Controls (HBAC) on the IPA server.'. So is this the solution to the
> above problem?
>
> Thanks a lot.
> --Gelen

Yes, passing --permit to ipa-client-install is the solution to your problem. What it does under the hood is set access_provider = permit in sssd.conf, which means "always allow access". See man sssd.conf(5) for more information on the default access providers.