Sorry for misunderstanding.

I understand HBAC rules will not work for CentOS 5. I just wanted to make
sure disabling "allow all" rule and adding new HBAC rules won't interfere
with AD users logging on CentOS 5.

On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy wrote:

> On Mon, 20 Apr 2015, Srdjan Dutina wrote:
> >Just found in
> > the next
> >sentence: "If you have HBAC's allow_all rule disabled, you will need to
> >allow system-auth service on the FreeIPA master, so that authentication of
> >the AD users can be performed."
> >Is this true for FreeIPA 4.1.0 also and how could I do this?
> Either you are reading it wrong or I don't get where you want to apply
> HBAC rules because this is for IPA masters, not legacy clients per se.
> Yes, you need to create HBAC service named 'system-auth' and grant
> access to it to AD users on IPA masters, but all it will allow you is to
> authenticate AD users via compat tree.
> If your RHEL5 SSSD clients attempt to run own HBAC rule checks, AD users
> cannot be checked by those rules.
> --
> / Alexander Bokovoy
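
The step described in the quoted reply (an HBAC service named 'system-auth', granted to AD users on the IPA masters) can be sketched with the `ipa` CLI as below. This is an added example, not part of the thread or of the FreeIPA project; the rule name, the group name (assumed to be a POSIX IPA group that already contains the external group mapping the AD users) and the master hostnames are assumptions.

```shell
#!/bin/sh
# Added example: print (default) or run (APPLY=1) the ipa commands that allow
# the system-auth HBAC service for AD users on the IPA masters.
# Running for real needs a valid admin Kerberos ticket (kinit admin).

RULE="allow_ad_system_auth"     # hypothetical rule name
AD_GROUP="ad_users"             # hypothetical POSIX IPA group wrapping the external AD group
MASTERS="ipa1.example.test ipa2.example.test"   # constructed master hostnames

# Dry-run wrapper: echo the command unless APPLY=1 is set in the environment.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

configure_system_auth() {
    # 1. The HBAC service object the masters evaluate for AD user authentication.
    run ipa hbacsvc-add system-auth --desc="AD user authentication via compat tree"
    # 2. A dedicated rule, so the grant stays narrow once allow_all is disabled.
    run ipa hbacrule-add "$RULE" --desc="AD users may use system-auth on IPA masters"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs=system-auth
    run ipa hbacrule-add-user "$RULE" --groups="$AD_GROUP"
    # 3. Scope the rule to the masters only, not to every enrolled host.
    for m in $MASTERS; do
        run ipa hbacrule-add-host "$RULE" --hosts="$m"
    done
}

configure_system_auth
```

Review the printed commands first, then rerun with `APPLY=1` to execute them against the IPA server.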