On 10.3.2015 12:14, Guertin, David S. wrote: >>> Seems the initial/default setup for IPA server is to put in an 'allow_all' >> rule. Thus you can actively manage HBAC but out of the box, it is essentially >> turned off by that rule. >> >> Yes. The default was the opposite very long time ago, you had to explicitly >> enable access to the box. But it was causing too many user issues. > > OK, I have reinstalled the IPA server with the --no_hbac_allow flag (i.e. : > ipa-server-install --no_hbac_allow), but the behavior remains the same. I can > still see all AD users instead of just those in the particular group I've > added. > > Is there something else that needs be done to override the allow_all setting?
You should be able to 'see' them via getent passwd but they should not be allowed to login when HBAC_ALLOW_ALL is disabled. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project