On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
Thanks for your reply.  I understand what you are saying but don't see how
this would work because Allow_All is my current situation (even with this
rule disabled).  My understanding is you can't restrict through a rule, only
limit.  Am I missing something?
Yes.

First, the lack of an HBAC rule that allows access to a service means pam_sss
will deny access to that service. HBAC rules only give you the means to
_allow_ access, not to limit it, as when no rules are in place,
everything is disallowed.  The 'allow_all' HBAC rule is provided exactly to
allow starting with a fresh working ground -- you would then remove the
'allow_all' rule after creating specific allow rules.

Second, while pam_sss evaluates HBAC rules, it is only one module in a
PAM stack. There might be other PAM modules that could make their own
decisions to allow access to a specific service. You need to see what is
in your configuration.

On RHEL and Fedora we configure the PAM stack in such a way that, apart from
root and the wheel group, the rest is managed by SSSD via pam_sss. If your
configuration is different, it is up to you to ensure everything is
tightened up.

On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of Jakub
Hrozek" <freeipa-users-boun...@redhat.com on behalf of jhro...@redhat.com>
wrote:

On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
Hi.

I have been successful using FreeIPA 4.1 with Active Directory
users and with sudo.  The problem I am having is that the HBAC rules are
not applying to my Active Directory users.  They have access to all
systems even if I disable my Allow_ALL rule.  Is there something special
I should be doing to the domain?

Normally HBAC for AD users should be done through an external group you
add the AD users or groups to, then add the external group to a regular
IPA group and reference this IPA group from HBAC rules.

There have been bugs related to external groups resolution, so please
update to the latest IPA and SSSD packages also.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy

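The path Jakub describes (AD group into an external group, that group into a regular IPA group, and the IPA group into the HBAC rule), together with the allow-only semantics Alexander spells out, as an added shell example that is not from this thread or the FreeIPA project. It assumes an existing AD trust, an admin Kerberos ticket, and placeholder names: AD group linux-admins@ad.example.test, IPA groups ad_admins_external / ad_admins, HBAC rule admins_ssh, host web01.ipa.example.test.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Wires an AD group into FreeIPA HBAC the
# way Jakub describes: AD group -> external IPA group -> POSIX IPA group ->
# HBAC rule, then verifies with the server-side simulator before retiring the
# allow_all rule. Needs an admin ticket (kinit admin) on an enrolled machine;
# set IPA_DRY_RUN=1 to print the ipa commands instead of running them.
# Every group, rule and host name used here is an assumed placeholder.
set -e

ipa_cmd() {
  if [ "${IPA_DRY_RUN:-0}" = 1 ]; then printf 'ipa %s\n' "$*"; else ipa "$@"; fi
}

# $1 AD group ('linux-admins@ad.example.test' or 'AD\linux-admins')
# $2 external IPA group  $3 POSIX IPA group  $4 HBAC rule  $5 IPA host
setup_ad_hbac() {
  local ad_group="$1" ext_group="$2" posix_group="$3" rule="$4" host="$5"
  # External groups are the only IPA groups that can hold AD (SID-based) members.
  ipa_cmd group-add "$ext_group" --external --desc="AD members of $ad_group"
  ipa_cmd group-add-member "$ext_group" --external="$ad_group"
  # A regular POSIX group wraps the external group so HBAC (and sudo) can use it.
  ipa_cmd group-add "$posix_group" --desc="POSIX wrapper for $ext_group"
  ipa_cmd group-add-member "$posix_group" --groups="$ext_group"
  # HBAC rules can only grant; this one grants sshd on one host to the group.
  ipa_cmd hbacrule-add "$rule" --desc="sshd for $posix_group"
  ipa_cmd hbacrule-add-user "$rule" --groups="$posix_group"
  ipa_cmd hbacrule-add-host "$rule" --hosts="$host"
  ipa_cmd hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# Server-side simulation of rule evaluation (prints "Access granted: True/False"
# and the matched rules). Run it before and after disabling allow_all.
check_access() {
  ipa_cmd hbactest --user="$1" --host="$2" --service="$3"
}

# Only once the specific rules pass hbactest: allow_all is what makes "everyone
# gets in" the default, so disabling it is the step that actually restricts.
retire_allow_all() {
  ipa_cmd hbacrule-disable allow_all
}

# Usage: ./ad_hbac.sh AD_GROUP EXT_GROUP POSIX_GROUP RULE HOST
if [ "$#" -eq 5 ]; then
  setup_ad_hbac "$@"
fi
```

hbactest only exercises the server-side rule evaluation; whether a login on the client really ends up decided by pam_sss, rather than by another PAM module granting access, is the separate check Alexander's second point asks for.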