On Mon, May 11, 2015 at 01:57:38PM +0200, Jakub Hrozek wrote:
> On Mon, May 11, 2015 at 01:19:01PM +0200, Vangass wrote:
> > Hello,
> > I have a problem with HBAC rules in conjunction with PAM authentication.
> > What I try to do is to authenticate users: tac_plus - PAM (pam_sssd) -
> > FreeIPA.
> > It works just fine but without checking HBAC rules.
> > What I did:
> > - disabled allow_all rule
> > - created new rule with one user and one service (tac_plus)
> > And then, if I try to authenticate another user who is not in the above rule
> > then authentication is accepted and this user gets logged in.
> > In the logs, what I didn't find is any information about checking HBAC rules...
> > Of course, when I use HBAC Test then everything is correct - one user is
> > granted and another is declined.
> > # cat /etc/pam.d/tac_plus
> > auth required pam_sss.so
> > account required pam_sss.so
> If hbactest passes, then we need to see the logs, /var/log/secure and
> SSSD logs. Also the sssd.conf, please.
Also, how did you configure that tac_plus PAM service should be used?
How do you try to access the machine / service?
Senior Principal Software Engineer, Identity Management Engineering, Red Hat