Thanks Alexander.  Is there a place where there are example pam stacks
that work with active directory and hbac?
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 1/22/16, 2:44 PM, "Alexander Bokovoy" <> wrote:

>On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>Thanks for you reply.  I understand what you are saying but don¹t see how
>>this would work because Allow_All is my current situation (even with this
>>rule disabled).  My understand is you can¹t restrict through a rule, only
>>limit.  I am missing something?
>First, lack of HBAC rule that allows to access a service means pam_sss
>will deny access to this service. HBAC rules only give you means to
>_allow_ access, not to limit it as when no rules are in place,
>everything is disallowed.  'allow_all' HBAC rule is provided exactly to
>allow starting with a fresh working ground -- you would then remove
>'allow_all' rule after creating specific allow rules.
>Second, while pam_sss evaluates HBAC rules, it is only one module in a
>PAM stack. There might be other PAM modules that could make own
>decisions to allow access to a specific service. You need to see what is
>in your configuration.
>On RHEL and Fedora we configure PAM stack in such way that apart from
>root and wheel group the rest is managed by SSSD via pam_sss. If your
>configuration is different, it is up to you to ensure everything is
>tightened up.
>>On 1/22/16, 1:51 PM, " on behalf of Jakub
>>Hrozek" < on behalf of
>>>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>>>> Hi.
>>>> I have a been successful using Freeipa 4.1 configuring active
>>>>users and with sudo.  The problem I am having is that the HBAC rules
>>>>not applying to my active directory users.  They have access to all
>>>>systems even if I disable my Allow_ALL rule.  Is there something
>>>>I should be doing to domain?
>>>Normally HBAC for AD users should be done through an external group you
>>>add the AD users or groups to, then add the external group to a regular
>>>IPA group and reference this IPA group from HBAC rules.
>>>There have been bugs related to external groups resolution, so please
>>>update to the latest IPA and SSSD packages also.
>>>Manage your subscription for the Freeipa-users mailing list:
>>>Go to for more info on the project
>>Manage your subscription for the Freeipa-users mailing list:
>>Go to for more info on the project
>/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to