On Mon, 2012-06-04 at 08:39 +0200, Martin Kosek wrote:
> On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
> > Hi:
> > 
> > I am a newbie that is trying out FreeIPA for the first time. So far I
> > am extremely impressed with this system but I ran into a problem that
> > I need some help with. I am trying to figure out how to use HBAC to
> > restrict a set of users to a specific set of hosts but I am not having
> > any success.
> > 
> > Here is the problem statement:
> > 
> > I have 2 users: "user1" and "user2" that should only be able to access
> > the host "foobar" on my network. There are many other possible hosts
> > (like "wombat") that they cannot access. They can login from anywhere
> > using "ssh".
> > 
> > The goal is to restrict students to a specific set of machines.
> > 
> > What I tried to do was this:
> > 
> > 1. Create a user group called "restricted-users" which I could
> >    add users to.
> > 
> > 2. Create a HBAC rule named "restricted-users" that
> > 
> >    a. Defines the host I want to allow them access to
> >       ("restricted-host").
> > 
> >    b. Defines the user group that is affected by this rule
> >       ("restricted-users").
> > 
> >    c. Defines the services they are allowed to use on that host
> >       (including login).
> > 
> > 3. Create a user named "user1" that is enrolled in the
> >    "restricted-users" group.
> > 
> > I then tried this experiment:
> > 
> > 1. ssh -Y user1@foobar
> > 
> >    a. It worked like a charm. The login worked correctly.
> > 
> > 2. ssh -Y user1@wombad
> > 
> >    a. It also worked like a charm but in this case it was undesired
> >       behavior.
> > 
> > I am sure that I am missing something really obvious. Any help would
> > be greatly appreciated.
> > 
> > Errata:
> > 
> > 1. OS: CentOS 6.2
> > 
> > 2. FreeIPA: v2.1.3 (9el6)
> > 
> > Thank you,
> > 
> > Joe
> > 
> 
> Hello Joe,
> 
> did you disable default allow_all HBAC rule?
> 
> # ipa hbacrule-show allow_all
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Source host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: TRUE
> 
> With this rule disabled, the policy you described should be properly
> enforced. When testing HBAC rules you may want to try CLI and Web UI
> interface to hbactest command, which can help you to test who can use
> what service on which machine and also which rules did match when the
> access was allowed.
If you're still experiencing problems after disabling the default
allow_all rule, please submit the relevant section of /var/log/secure so
we can see if anything peculiar is occurring in the PAM authentication
and authorization.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
