On Wed, Jan 27, 2016 at 06:53:43PM +0000, Birnbaum, Warren (ETW) wrote:
> I started this post with a simple question: "is it possible to have HBAC
> work with AD authenticated users". I was not able from the tips provided
> to get any further with this.
>
> What I have not been able to have addressed is, if there are no HBAC
> rules, there should be no access, or if there is no Allow_Access rule, no
> one should be able to login to any system. Currently with this said
> configuration, everyone has access to every system. My pam stack is
> exactly as recommended. Is there someone who has FreeIPA with active
> directory authenticated users and HBAC working? I don't have trust
> defined with AD but authentication is working fine.

The HBAC checks are done by SSSD. If there are issues SSSD logs would help
to identify the reason. Please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details. With
respect to HBAC the sssd_pam.log and sssd_your.domain.log are the most
important. Setting debug_level=10 in the [pam] and [domain/...] section of
sssd.conf should produce the most details.

Feel free to send the logs to me directly if you think they may disclose
too many details of your environment on a public mailing-list.

HTH

bye,
Sumit

> From the following link:
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-groups.html
> It says in the second paragraph:
>
> "However, Active Directory users cannot be added directly to FreeIPA user
> groups. This means that Active Directory users require special
> configuration in order to access FreeIPA domain resources."
>
> There is then a procedure given to create user groups that work with HBAC.
> I don't see how this would help me since adding a user to a group could
> only be used to further allow access to systems, but all users already
> have total access to all systems.
>
> Thanks for your help!
>
> Warren
>
>
> On 1/25/16, 2:47 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>
> >On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
> >>OK. I have done this and am using the pam stack that is the result of
> >>what you here describe.
> >>
> >>A few threads back you mentioned that this could be a reason why my hbac
> >>are not restricting access. I have no hbac rules currently and any
> >>active directory user can access any host. Is there something else I
> >>could look at to see why this is happening?
> >https://fedorahosted.org/sssd/wiki/Troubleshooting is your friend.
> >
> >--
> >/ Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
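As an added illustration (not configuration from the thread or from the SSSD project), the two debug_level settings Sumit describes placed in an sssd.conf of an IPA-enrolled client; the domain, server and client names are placeholders. The access_provider line is not mentioned in the thread: it is the setting that makes SSSD evaluate IPA HBAC rules at all, so it is the first thing to check when every authenticated user can log in.

```ini
# Added illustration, not the thread's or the project's own configuration.
# ipa.example.test, ipa1.ipa.example.test and client1.ipa.example.test
# are placeholder names.
[sssd]
services = nss, pam
domains = ipa.example.test

[pam]
# Maximum verbosity for the PAM responder (Sumit's suggestion); the HBAC
# decision for each login attempt lands in /var/log/sssd/sssd_pam.log
debug_level = 10

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# access_provider = ipa is what makes SSSD apply IPA HBAC rules.
# If it is "permit" (the SSSD default) or the domain is not an ipa
# domain, HBAC is never consulted and every authenticated user is let in.
access_provider = ipa
ipa_domain = ipa.example.test
ipa_server = ipa1.ipa.example.test
ipa_hostname = client1.ipa.example.test
cache_credentials = True
# Maximum verbosity for the domain process; its log is
# /var/log/sssd/sssd_ipa.example.test.log (sssd_<domain>.log)
debug_level = 10
```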