On Wed, Jan 27, 2016 at 06:53:43PM +0000, Birnbaum, Warren (ETW) wrote:
> I started this post with a simple question:  ³is it possible to have HBAC
> work with AD authenticated users².  I was not able from the tips provided
> to get any further with this.
> 
> What I have not been able to have addressed is, if there are no HBAC
> rules, there should be no access, or if there is no Allow_Access rule, no
> one should be able to login to any system.  Currently with this said
> configuration, everyone has access to every system.  My pam stack is
> exactly as recommended.  Is there someone who has FreeIPA with active
> directory authenticated users and HBAC working?  I don¹t have trust
> defined with AD but authentication is working fine.

The HBAC checks are done by SSSD. If there are issues SSSD logs would
help to identify the reason. Please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details. With
respect to HBAC the sssd_pam.log and sssd_your.domain.log are the most
important. Setting debug_level=10 in the [pam] and [domain/...] section
of sssd.conf should produce the most details.

Feel free to send the logs to me directly if you think they may disclose
too many details of your environment on a public mailing-list.

HTH

bye,
Sumit

> 
> >From the following link:
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-gro
> ups.html
> It says in the second paragraph:
> 
> "However, Active Directory users cannot be added directly to FreeIPA user
> groups. This means that Active Directory users require special
> configuration in order to access FreeIPA domain resources."
> 
> There is then a procedure given to create user groups that work with HBAC.
>  I don¹t see how this work help me since adding a user to a group could
> only be used to further allow access to systems, but already have total
> access to all systems by all users.
> 
> Thanks for your help!
> 
> Warren
> 
> 
> 
> 
> 
> 
> On 1/25/16, 2:47 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
> 
> >On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
> >>OK.  I have done this and am using the pam stack that is the result of
> >>what you here describe.
> >>
> >>A few threads back you mentioned that this could be a reason why my hbac
> >>are not restricting access.  I have no hbac rules currently and any
> >>active
> >>directory user can access any host.  Is there something else I could look
> >>at to see why this is happening?
> >https://fedorahosted.org/sssd/wiki/Troubleshooting is your friend.
> >
> >-- 
> >/ Alexander Bokovoy
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to