My system-auth-ac file looks like:

auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 1000 quiet_success
auth        sufficient use_first_pass
auth        required

account     required
account     required
account     sufficient
account     sufficient uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3 type=
password    sufficient sha512 shadow nullok try_first_pass
password    sufficient use_authtok
password    required

session     optional revoke
session     required
-session     optional
session     optional umask=0077
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
session     optional

Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 1/25/16, 1:26 PM, "Birnbaum, Warren (ETW)" <>

>Thanks Alexander.  Is there a place where there are example PAM stacks
>that work with Active Directory and HBAC?
>Warren Birnbaum : Infrastructure Services
>Web Automation Engineer
>Europe CDT Techn. Operations
>Nike Inc. : Mobile +31 6 23902697
>On 1/22/16, 2:44 PM, "Alexander Bokovoy" <> wrote:
>>On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>>Thanks for your reply.  I understand what you are saying but don't see
>>>how this would work because Allow_All is my current situation (even with
>>>the rule disabled).  My understanding is you can't restrict through a rule,
>>>limit.  Am I missing something?
>>First, lack of an HBAC rule that allows access to a service means pam_sss
>>will deny access to this service. HBAC rules only give you means to
>>_allow_ access, not to limit it, as when no rules are in place
>>everything is disallowed.  The 'allow_all' HBAC rule is provided exactly to
>>allow starting with a fresh working ground -- you would then remove the
>>'allow_all' rule after creating specific allow rules.
>>Second, while pam_sss evaluates HBAC rules, it is only one module in a
>>PAM stack. There might be other PAM modules that could make their own
>>decisions to allow access to a specific service. You need to see what is
>>in your configuration.
>>On RHEL and Fedora we configure the PAM stack in such a way that apart from
>>root and the wheel group the rest is managed by SSSD via pam_sss. If your
>>configuration is different, it is up to you to ensure everything is
>>tightened up.
>>>On 1/22/16, 1:51 PM, "Hrozek" <> wrote:
>>>>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>>>>> Hi.
>>>>> I have been successful using FreeIPA 4.1 configuring active
>>>>>users and with sudo.  The problem I am having is that the HBAC rules are
>>>>>not applying to my Active Directory users.  They have access to all
>>>>>systems even if I disable my Allow_ALL rule.  Is there something
>>>>>I should be doing to the domain?
>>>>Normally HBAC for AD users should be done through an external group you
>>>>add the AD users or groups to, then add the external group to a regular
>>>>IPA group and reference this IPA group from HBAC rules.
>>>>There have been bugs related to external groups resolution, so please
>>>>update to the latest IPA and SSSD packages also.
>>>>Manage your subscription for the Freeipa-users mailing list:
>>>>Go to for more info on the project
>>/ Alexander Bokovoy
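Alexander's point that pam_sss is only one module in the stack is easiest to see by walking the account stack by hand. What follows is an added example, not code from this thread, from SSSD or from FreeIPA: a toy evaluator of Linux-PAM control flags (pam.conf(5) semantics) run over an authconfig-style account stack. The archived mail has lost the module names, so the names used here (pam_unix, pam_localuser, pam_succeed_if, pam_sss, pam_permit) are assumed from the standard RHEL/Fedora layout; the module behaviours are simplified stand-ins, not the real modules; and the users and the "misconfigured" stack variant are constructed for the demonstration.

```python
"""Toy evaluator for a Linux-PAM 'account' stack (added example; not SSSD or
FreeIPA code). Module names are ASSUMED from the standard RHEL/Fedora
authconfig layout because the archived mail lost them; module behaviours
are simplified stand-ins for the real modules."""
from dataclasses import dataclass

SUCCESS, PERM_DENIED, AUTH_ERR, USER_UNKNOWN = "success", "perm_denied", "auth_err", "user_unknown"

# pam.conf(5): the simple control keywords expand to these action tables
SIMPLE = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Assumed module names for the poster's account stack (see docstring).
STANDARD_LINES = [
    "account required pam_unix.so",
    "account sufficient pam_localuser.so",
    "account sufficient pam_succeed_if.so uid < 1000 quiet",
    "account [default=bad success=ok user_unknown=ignore] pam_sss.so",
    "account required pam_permit.so",
]
STANDARD_STACK = "\n".join(STANDARD_LINES)
# Constructed drift: a stray catch-all left in front of pam_sss.
MISCONFIGURED_STACK = "\n".join(
    STANDARD_LINES[:3] + ["account sufficient pam_permit.so"] + STANDARD_LINES[3:])


@dataclass
class User:
    name: str
    uid: int
    local: bool                 # present in /etc/passwd
    hbac_allowed: bool = False  # what the IPA server answers for this host/service


@dataclass
class Entry:
    control: dict   # action table, e.g. {"success": "ok", "default": "bad"}
    module: str
    args: tuple = ()


def parse_stack(text):
    """Parse 'account' lines, including bracketed [k=v ...] control fields."""
    stack = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "account":
            continue
        i = 1
        if parts[1].startswith("["):
            while not parts[i].endswith("]"):
                i += 1
        ctl = " ".join(parts[1:i + 1])
        control = (dict(kv.split("=") for kv in ctl.strip("[]").split())
                   if ctl.startswith("[") else SIMPLE[ctl])
        stack.append(Entry(control, parts[i + 1], tuple(parts[i + 2:])))
    return stack


def run_module(entry, user):
    """Stand-in behaviours; only what the demonstration needs is modeled."""
    m = entry.module
    if m == "pam_unix.so":
        return SUCCESS          # NSS (files + sss) resolves directory users too
    if m == "pam_localuser.so":
        return SUCCESS if user.local else PERM_DENIED
    if m == "pam_succeed_if.so":  # only 'uid < N' / 'uid >= N' are modeled
        _, op, n = entry.args[:3]
        return SUCCESS if (user.uid < int(n) if op == "<" else user.uid >= int(n)) else AUTH_ERR
    if m == "pam_sss.so":
        if user.local:
            return USER_UNKNOWN  # local accounts are not SSSD's to judge
        return SUCCESS if user.hbac_allowed else PERM_DENIED
    if m == "pam_permit.so":
        return SUCCESS
    raise ValueError("unmodeled module " + m)


def evaluate(stack, user):
    """Walk the stack the way pam_acct_mgmt() would; return (result, trace)."""
    failed = None   # first recorded failure is sticky
    trace = []
    for e in stack:
        rc = run_module(e, user)
        action = e.control.get(rc, e.control.get("default", "ignore"))
        trace.append((e.module, rc, action))
        if action == "done" and failed is None:
            return SUCCESS, trace   # short-circuit: later modules never run
        if action == "die":
            return failed or rc, trace
        if action == "bad":
            failed = failed or rc
        # 'ok', 'ignore', and 'done' after a failure just continue
    return failed or SUCCESS, trace


def bypass_candidates(stack):
    """Modules that can hand success to the application before pam_sss runs."""
    out = []
    for e in stack:
        if e.module == "pam_sss.so":
            break
        if e.control.get("success") == "done":
            out.append(e.module)
    return out
```

With the standard stack, a local account (uid below 1000) is admitted by pam_localuser or pam_succeed_if and pam_sss is never consulted, which is the "root and wheel are handled locally" split Alexander describes; an AD user has no local entry and a uid above 1000, so the decision falls through to pam_sss, which fails the stack when no HBAC rule matches. The constructed variant with one extra `account sufficient pam_permit.so` ahead of pam_sss admits every AD user regardless of HBAC, which is exactly why the stack has to be read rather than assumed. On a real host, `bypass_candidates` applied to /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac is the list of modules to justify; both files have an account section, and sshd uses password-auth.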

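The group chain Jakub describes (AD group into an IPA external group, external group into a POSIX IPA group, POSIX group referenced by the HBAC rule, and only then retire allow_all) is short enough to script. The following is an added example and not FreeIPA's own tooling: it assembles the `ipa` command lines for that sequence and can execute them through a caller-supplied runner. The subcommands and options (`group-add --external`, `group-add-member --external`, `hbacrule-add-user --groups`, `hbacrule-add-host --hostgroups`, `hbacrule-add-service --hbacsvcs`, `hbacrule-disable`, `hbactest`) are the real FreeIPA CLI; every group, rule and host name is a placeholder.

```python
"""Build (and optionally run) the 'ipa' command sequence that puts AD users
under HBAC control: AD group -> IPA external group -> IPA POSIX group ->
HBAC rule -> disable allow_all. Added example, not FreeIPA's tooling; the
subcommands are the real CLI, the names are placeholders."""
import subprocess


def hbac_for_ad_group(ad_group, ext_group, posix_group, rule, hostgroup,
                      services=("sshd",), run=None):
    """Return the argv for each step, executing each through run() if given
    (e.g. run=lambda argv: subprocess.run(argv, check=True))."""
    # IPA resolves an --external member to a SID through the trust, so the
    # AD group must be given as DOM\name or name@dom, never unqualified.
    if "\\" not in ad_group and "@" not in ad_group:
        raise ValueError("AD group must be qualified (DOM\\group or group@dom)")
    steps = [
        ["ipa", "group-add", "--external", ext_group],
        ["ipa", "group-add-member", ext_group, "--external", ad_group],
        ["ipa", "group-add", posix_group],
        ["ipa", "group-add-member", posix_group, "--groups", ext_group],
        ["ipa", "hbacrule-add", rule],
        ["ipa", "hbacrule-add-user", rule, "--groups", posix_group],
        ["ipa", "hbacrule-add-host", rule, "--hostgroups", hostgroup],
    ]
    steps += [["ipa", "hbacrule-add-service", rule, "--hbacsvcs", s] for s in services]
    # Retire the catch-all only after the specific rule is complete: with no
    # matching rule in place, pam_sss denies everyone who is not local.
    steps.append(["ipa", "hbacrule-disable", "allow_all"])
    if run is not None:
        for argv in steps:
            run(argv)
    return steps


def hbactest(user, host, service="sshd"):
    """Server-side evaluation of the rules for one user/host/service."""
    return ["ipa", "hbactest", "--user", user, "--host", host, "--service", service]


if __name__ == "__main__":
    # Placeholder names; pass run=lambda a: subprocess.run(a, check=True)
    # on a host with a kinit'd admin ticket to actually apply them.
    for argv in hbac_for_ad_group("AD\\linux-admins", "ad_linux_admins_external",
                                  "ad_linux_admins", "ad_admins_ssh", "linux_servers"):
        print(" ".join(argv))
    print(" ".join(hbactest("alice@ad.example.com", "web1.ipa.example.com")))
```

After applying the steps, check the server-side decision with `ipa hbactest` and then confirm with a real login, because the enforcement happens in SSSD on the client. If an AD user still gets in with allow_all disabled and no rule that names them, the two causes the thread gives are the client failing to resolve the external group membership (Jakub's note about external-group bugs, so update IPA and SSSD) or another module in the PAM stack granting access before pam_sss is reached (Alexander's point).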