Thanks for your reply. I understand what you are saying but don't see how this would work because Allow_All is my current situation (even with this rule disabled). My understanding is you can't restrict through a rule, only limit. Am I missing something?
On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of Jakub Hrozek" <freeipa-users-boun...@redhat.com on behalf of jhro...@redhat.com> wrote:

> On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
> > Hi.
> >
> > I have been successful using Freeipa 4.1 configuring active directory
> > users and with sudo. The problem I am having is that the HBAC rules are
> > not applying to my active directory users. They have access to all
> > systems even if I disable my Allow_ALL rule. Is there something special
> > I should be doing to domain?
>
> Normally HBAC for AD users should be done through an external group you
> add the AD users or groups to, then add the external group to a regular
> IPA group and reference this IPA group from HBAC rules.
>
> There have been bugs related to external groups resolution, so please
> update to the latest IPA and SSSD packages also.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
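The external-group chain Jakub describes (AD group -> external IPA group -> POSIX IPA group -> HBAC rule), as an added shell example that is not from the thread or the FreeIPA project. It assumes an admin Kerberos ticket and an established AD trust; the group, rule, host-group and user names are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: grant an AD group access to an IPA host group via HBAC.
# Assumes `kinit admin` has been done and the AD trust already exists.
# Set IPA=echo to print the ipa commands instead of running them (dry run).
IPA="${IPA:-ipa}"

hbac_for_ad_group() {
    ad_group="$1"     # AD group as 'gr...@ad.example' (or DOM\group, or its SID)
    ipa_group="$2"    # POSIX IPA group that the HBAC rule will reference
    hostgroup="$3"    # IPA host group the rule grants access to
    test_user="$4"    # AD user to check with hbactest, e.g. 'u...@ad.example'
    test_host="$5"    # IPA client host to check against
    ext_group="${ipa_group}_external"
    rule="allow_${ipa_group}_${hostgroup}"

    # 1. External (non-POSIX) group: the only kind that can hold AD members.
    $IPA group-add --external "$ext_group" --desc "AD members for $ipa_group"
    $IPA group-add-member "$ext_group" --external "$ad_group"

    # 2. Regular POSIX IPA group; HBAC rules cannot reference the external
    #    group directly, so nest the external group inside this one.
    $IPA group-add "$ipa_group" --desc "HBAC group for $ad_group"
    $IPA group-add-member "$ipa_group" --groups "$ext_group"

    # 3. HBAC rule: this IPA group, all services, on the given host group.
    $IPA hbacrule-add "$rule" --servicecat=all
    $IPA hbacrule-add-user "$rule" --groups "$ipa_group"
    $IPA hbacrule-add-host "$rule" --hostgroups "$hostgroup"

    # 4. Verify from the server side: with allow_all disabled, the AD user
    #    should match only this rule on hosts in the host group.
    $IPA hbactest --user "$test_user" --host "$test_host" --service sshd
}
```

Run `ipa hbacrule-disable allow_all` only after `hbactest` shows the new rule matching; clients must also be on current SSSD packages for external-group resolution to work, as Jakub notes.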