Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Jakub,

I am very interested in your standalone HBAC PAM module if you think it would apply in this situation. I would be happy to test it out if helpful.

Thanks again for your help,

Warren Birnbaum
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 5:16 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote:

>On Mon, Feb 15, 2016 at 03:58:15PM +0000, Birnbaum, Warren (ETW) wrote:
>> Jakub,
>>
>> We want to use password stored in AD and get a yes/no from the AD side.
>
>OK, I see. Yes, with IPA provider you would authenticate the IPA user
>against the IPA KDC.
>
>> My understanding (which is very limited) is that if we use the IPA
>> authentication then it resides in the local kerberos database. Is that
>> not correct? If I am completely off, how would I set up this type of
>> authentication from IPA up?
>
>Normally with trusts.
>
>> Thanks again,
>>
>> Warren
>> ___
>> Warren Birnbaum : Infrastructure Services
>> Digital Linux Infrastructure Services
>> Europe CDT Techn. Operations
>> Nike Inc. : Mobile +31 6 23902697
>>
>> On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote:
>>
>> >On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
>> >> Hi Jakub,
>> >>
>> >> Thanks but I have sudo working OK.
>> >
>> >I'm sorry, my fault..
>> >
>> >> What I am trying to make work is HBAC.
>> >> That I can't get to work with the proxy hack. Is there a way to do
>> >> that?
>> >
>> >I haven't tested that use-case, but from the code it looks like it
>> >wouldn't work, because the HBAC code tries to match the originalDN of
>> >the user as stored on the IPA server.
>> >
>> >I'm finishing a standalone HBAC PAM module that could help in setups
>> >like this, but more importantly -- why do you have the user proxied
>> >from files? Isn't it better to just rely on sssd's caching and fetch
>> >the user from IPA?
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Jakub,

We want to use password stored in AD and get a yes/no from the AD side.

My understanding (which is very limited) is that if we use the IPA authentication then it resides in the local kerberos database. Is that not correct? If I am completely off, how would I set up this type of authentication from IPA up?

Thanks again,

Warren
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 4:08 PM, "Jakub Hrozek" <jhro...@redhat.com> wrote:

>On Mon, Feb 15, 2016 at 11:24:08AM +0000, Birnbaum, Warren (ETW) wrote:
>> Hi Jakub,
>>
>> Thanks but I have sudo working OK.
>
>I'm sorry, my fault..
>
>> What I am trying to make work is HBAC.
>> That I can't get to work with the proxy hack. Is there a way to do
>> that?
>
>I haven't tested that use-case, but from the code it looks like it
>wouldn't work, because the HBAC code tries to match the originalDN of
>the user as stored on the IPA server.
>
>I'm finishing a standalone HBAC PAM module that could help in setups
>like this, but more importantly -- why do you have the user proxied from
>files? Isn't it better to just rely on sssd's caching and fetch the user
>from IPA?
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Alexander,

Thanks for letting me know this. Is it true then that my only option is to have the IPA AD trust to achieve AD authentication (proxy style), HBAC and sudo?

Thanks
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 12:52 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Mon, 15 Feb 2016, Birnbaum, Warren (ETW) wrote:
>>Thanks Lukas.
>>
>>Unfortunately setting up an IPA AD Trust is something not possible within
>>our organization. Is it then fair to say that waiting for Ticket #4623
>>is our only option? https://fedorahosted.org/freeipa/ticket/4634
>This ticket is not going to be implemented in a near future. It has
>huge development cost while very little benefits. I don't think it is
>going to be something you can rely on.
>
>--
>/ Alexander Bokovoy
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Thanks Lukas.

Unfortunately setting up an IPA AD Trust is something not possible within our organization. Is it then fair to say that waiting for Ticket #4623 is our only option? https://fedorahosted.org/freeipa/ticket/4634

Thanks,

Warren
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 12:36 PM, "Lukas Slebodnik" <lsleb...@redhat.com> wrote:

>On (15/02/16 09:34), Birnbaum, Warren (ETW) wrote:
>>Hello,
>>
>>I would like to get freeipa to work with a proxy solution (I currently
>>have this working with an active directory/no trust authentication and
>>sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC.
>>I see there is a ticket for this as a new enhancement #4634 but wanted
>>to confirm that there isn't another way to accomplish this.
>>
>>Here is my current configuration for proxy and this works OK:
>>
>>[domain/mikey.com]
>>sudo_provider = ipa
>>ipa_domain = va2.b2c.mikey.com
>>id_provider = ipa
>>auth_provider = ipa
>>access_provider = ipa
>>ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
>>chpass_provider = ipa
>>ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
>>ldap_tls_cacert = /etc/ipa/ca.crt
>>
>>id_provider = proxy
>>proxy_lib_name = files
>>auth_provider = ldap
>>reconnection_retries = 3
>>ldap_uri = ldap://adldaplb.mikey.com
>>ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
>>ldap_schema = AD
>>ldap_default_authtok_type = password
>>ldap_network_timeout = 120
>>ldap_opt_timeout = 120
>>ldap_search_timeout = 120
>>ldap_id_use_start_tls = false
>>ldap_user_object_class = user
>>ldap_group_object_class = group
>>ldap_user_name = sAMAccountName
>>enumerate = true
>>ldap_referrals = true
>>ldap_tls_reqcert = allow
>>ldap_tls_cacertdir = /etc/openldap/cacerts
>>ldap_access_filter = *
>>case_sensitive = false
>>lookup_family_order = ipv4_only
>>dns_resolver_timeout = 30
>>cache_credentials = false
>>
>This configuration file is a little bit suspicious to me.
>There is mixed/overridden id_provider ipa and proxy + some parts from AD.
>
>HBAC can work only with IPA users or trusted AD users (IPA AD trust)
>HBAC cannot work with id_provider ldap, proxy or AD.
>You can achieve something similar with GPO and ad provider.
>
>LS
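A small lint for the posted sssd.conf, added here as an example and not code from the thread or from SSSD: it parses the [domain/...] section, lists keys that are set more than once (the mixed id_provider and auth_provider Lukas pointed out) and flags access_provider = ipa combined with a non-ipa id_provider, since the thread notes that HBAC is only evaluated for IPA users or trusted AD users. The embedded configuration is a shortened copy of the one Warren posted.

```python
# Added example, not code from the thread or from SSSD: lint an sssd.conf
# domain section for duplicated keys and for provider combinations under
# which pam_sss will not evaluate HBAC rules at all.
import re
from collections import defaultdict

# Shortened copy of the configuration posted in the thread (constructed input).
SAMPLE_CONF = """\
[domain/mikey.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com

id_provider = proxy
auth_provider = ldap
ldap_uri = ldap://adldaplb.mikey.com
ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def parse_sections(text):
    """Return {section: {key: [values in file order]}}, keeping every occurrence."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)].append(m.group(2))
    return sections

def duplicate_keys(section):
    """Keys that appear more than once, with all their values."""
    return {k: v for k, v in section.items() if len(v) > 1}

def hbac_findings(section):
    """Provider combinations for which HBAC (access_provider = ipa) cannot apply."""
    findings = []
    others = sorted(p for p in section.get("id_provider", []) if p != "ipa")
    if "ipa" in section.get("access_provider", []) and others:
        findings.append("access_provider = ipa but id_provider also set to %s; "
                        "HBAC only covers IPA users or trusted AD users"
                        % ", ".join(others))
    return findings

def lint(text):
    """Lint every [domain/...] section; returns {section: {duplicates, hbac}}."""
    return {name: {"duplicates": duplicate_keys(sec), "hbac": hbac_findings(sec)}
            for name, sec in parse_sections(text).items()
            if name.startswith("domain/")}

if __name__ == "__main__":
    for name, report in lint(SAMPLE_CONF).items():
        print(f"[{name}] duplicates: {report['duplicates']}")
        for msg in report["hbac"]:
            print("  hbac:", msg)
```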
Re: [Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Hi Jakub,

Thanks but I have sudo working OK.

What I am trying to make work is HBAC. That I can't get to work with the proxy hack. Is there a way to do that?

Thanks,

Warren
___
Warren Birnbaum : Infrastructure Services
Digital Linux Infrastructure Services
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 2/15/16, 11:31 AM, "freeipa-users-boun...@redhat.com on behalf of Jakub Hrozek" <freeipa-users-boun...@redhat.com on behalf of jhro...@redhat.com> wrote:

>On Mon, Feb 15, 2016 at 09:34:33AM +0000, Birnbaum, Warren (ETW) wrote:
>> Hello,
>>
>> I would like to get freeipa to work with a proxy solution (I currently
>> have this working with an active directory/no trust authentication and
>> sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC.
>> I see there is a ticket for this as a new enhancement #4634 but wanted
>> to confirm that there isn't another way to accomplish this.
>>
>> Here is my current configuration for proxy and this works OK:
>
>I've used the proxy hack to enable sudo for local (=/etc/passwd) users
>with LDAP sudoers and it just worked. Can you try following:
>https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>and see which part does not work?
[Freeipa-users] Question about ldap proxy/AD + sudo + HBAC
Hello,

I would like to get freeipa to work with a proxy solution (I currently have this working with an active directory/no trust authentication and sudo but no HBAC) including HBAC. I can get sudo to work but not HBAC. I see there is a ticket for this as a new enhancement #4634 but wanted to confirm that there isn't another way to accomplish this.

Here is my current configuration for proxy and this works OK:

[domain/mikey.com]
sudo_provider = ipa
ipa_domain = va2.b2c.mikey.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ip-10-12-177-28.va2.b2c.mikey.com
chpass_provider = ipa
ipa_server = _srv_, ip-10-12-177-24.va2.b2c.mikey.com
ldap_tls_cacert = /etc/ipa/ca.crt

id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
reconnection_retries = 3
ldap_uri = ldap://adldaplb.mikey.com
ldap_search_base = dc=ad,dc=mikey,dc=com?subtree?
ldap_schema = AD
ldap_default_authtok_type = password
ldap_network_timeout = 120
ldap_opt_timeout = 120
ldap_search_timeout = 120
ldap_id_use_start_tls = false
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
enumerate = true
ldap_referrals = true
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_access_filter = *
case_sensitive = false
lookup_family_order = ipv4_only
dns_resolver_timeout = 30
cache_credentials = false

Thanks for your help,

Warren Birnbaum
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
I started this post with a simple question: "is it possible to have HBAC work with AD authenticated users". I was not able from the tips provided to get any further with this.

What I have not been able to have addressed is, if there are no HBAC rules, there should be no access, or if there is no Allow_Access rule, no one should be able to login to any system. Currently with this said configuration, everyone has access to every system. My pam stack is exactly as recommended.

Is there someone who has FreeIPA with active directory authenticated users and HBAC working? I don't have trust defined with AD but authentication is working fine.

From the following link:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-groups.html

It says in the second paragraph:

"However, Active Directory users cannot be added directly to FreeIPA user groups. This means that Active Directory users require special configuration in order to access FreeIPA domain resources."

There is then a procedure given to create user groups that work with HBAC. I don't see how this would help me since adding a user to a group could only be used to further allow access to systems, but all users already have total access to all systems.

Thanks for your help!

Warren

On 1/25/16, 2:47 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>OK. I have done this and am using the pam stack that is the result of
>>what you describe here.
>>
>>A few threads back you mentioned that this could be a reason why my hbac
>>are not restricting access. I have no hbac rules currently and any
>>active directory user can access any host. Is there something else I
>>could look at to see why this is happening?
>https://fedorahosted.org/sssd/wiki/Troubleshooting is your friend.
>
>--
>/ Alexander Bokovoy
[Freeipa-users] Problem adding user
Hello,

I am trying to add a user into FreeIPA that already exists in /etc/passwd. How can I add him into FreeIPA and employ all the functionality?

Thanks,

Warren
Re: [Freeipa-users] Problem adding user
The users I have are authenticated off Active Directory. I can remove the user from /etc/passwd but don't know how to have the user still be authenticated from Active Directory instead of, I believe, Kerberos. Does that make any sense?

Thanks,
___
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 1/26/16, 11:06 AM, "Rob Crittenden" <rcrit...@redhat.com> wrote:

>Birnbaum, Warren (ETW) wrote:
>> Hello,
>>
>> I am trying to add a user into FreeIPA that already exists in
>> /etc/passwd. How can I add him into FreeIPA and employ all the
>> functionality?
>
>What is your goal in keeping the user in both systems?
>
>rob
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
My system-auth-ac file looks like:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

___
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 1/25/16, 1:26 PM, "Birnbaum, Warren (ETW)" <warren.birnb...@nike.com> wrote:

>Thanks Alexander. Is there a place where there are example pam stacks
>that work with active directory and hbac?
>
>___
>Warren Birnbaum : Infrastructure Services
>Web Automation Engineer
>Europe CDT Techn. Operations
>Nike Inc. : Mobile +31 6 23902697
>
>On 1/22/16, 2:44 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>
>>On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>>Thanks for your reply. I understand what you are saying but don't see
>>>how this would work because Allow_All is my current situation (even
>>>with this rule disabled). My understanding is you can't restrict
>>>through a rule, only limit. Am I missing something?
>>Yes.
>>
>>First, lack of HBAC rule that allows to access a service means pam_sss
>>will deny access to this service. HBAC rules only give you means to
>>_allow_ access, not to limit it as when no rules are in place,
>>everything is disallowed. 'allow_all' HBAC rule is provided exactly to
>>allow starting with a fresh working ground -- you would then remove
>>'allow_all' rule after creating specific allow rules.
>>
>>Second, while pam_sss evaluates HBAC rules, it is only one module in a
>>PAM stack. There might be other PAM modules that could make own
>>decisions to allow access to a specific service. You need to see what is
>>in your configuration.
>>
>>On RHEL and Fedora we configure PAM stack in such way that apart from
>>root and wheel group the rest is managed by SSSD via pam_sss. If your
>>configuration is different, it is up to you to ensure everything is
>>tightened up.
>>
>>>On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of
>>>Jakub Hrozek" <freeipa-users-boun...@redhat.com on behalf of
>>>jhro...@redhat.com> wrote:
>>>
>>>>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>>>>> Hi.
>>>>>
>>>>> I have been successful using Freeipa 4.1 configuring active
>>>>> directory users and with sudo. The problem I am having is that the
>>>>> HBAC rules are not applying to my active directory users. They have
>>>>> access to all systems even if I disable my Allow_ALL rule. Is there
>>>>> something special I should be doing to domain?
>>>>
>>>>Normally HBAC for AD users should be done through an external group you
>>>>add the AD users or groups to, then add the external group to a regular
>>>>IPA group and reference this IPA group from HBAC rules.
>>>>
>>>>There have been bugs related to external groups resolution, so please
>>>>update to the latest IPA and SSSD packages also.
>>
>>--
>>/ Alexander Bokovoy
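Alexander's point that pam_sss is only one module in the stack, illustrated with an added example that is not code from the thread: a small model of Linux-PAM control-flag semantics run over the account section of the posted system-auth-ac, with each module's return code supplied as a constructed input rather than a real module call. It shows that `account sufficient pam_localuser.so` ends evaluation for any name present in /etc/passwd before pam_sss, and therefore HBAC, is ever consulted, while an SSSD-only user without a matching HBAC rule is denied.

```python
# Added example, not code from the thread: a minimal model of Linux-PAM
# control flags (required/requisite/sufficient and the bracketed form) run
# over the account section of the posted system-auth-ac. Module return
# codes are constructed inputs, not real module calls.
REQUIRED   = {"success": "ok", "default": "bad"}
REQUISITE  = {"success": "ok", "default": "die"}
SUFFICIENT = {"success": "done", "default": "ignore"}
# The posted line: account [default=bad success=ok user_unknown=ignore] pam_sss.so
SSS_CTRL   = {"success": "ok", "user_unknown": "ignore", "default": "bad"}

# Account phase of the posted stack, in order (module arguments dropped).
ACCOUNT_STACK = [
    (REQUIRED,   "pam_access.so"),
    (REQUIRED,   "pam_unix.so"),
    (SUFFICIENT, "pam_localuser.so"),
    (SUFFICIENT, "pam_succeed_if.so"),   # uid < 1000 quiet
    (SSS_CTRL,   "pam_sss.so"),           # HBAC is evaluated here
    (REQUIRED,   "pam_permit.so"),
]

def evaluate(stack, results):
    """Return (verdict, modules consulted) for one account-phase run.

    pam.conf rules: 'bad' marks the stack failed but continues, 'die' fails and
    stops, 'ok' records success unless already failed, 'done' returns success
    immediately unless a prior module failed, 'ignore' has no effect.
    """
    failed = decided = False
    consulted = []
    for control, module in stack:
        consulted.append(module)
        ret = results.get(module, "user_unknown")
        action = control.get(ret, control["default"])
        if action == "bad":
            failed = True
        elif action == "die":
            return "deny", consulted
        elif action == "ok":
            decided = True
        elif action == "done":
            if not failed:
                return "allow", consulted
            decided = True
    if failed or not decided:
        return "deny", consulted
    return "allow", consulted

# Constructed scenarios. pam_localuser succeeds only for names in /etc/passwd.
LOCAL_USER = {"pam_access.so": "success", "pam_unix.so": "success",
              "pam_localuser.so": "success"}
AD_USER_NO_HBAC = {"pam_access.so": "success", "pam_unix.so": "success",
                   "pam_localuser.so": "user_unknown",
                   "pam_succeed_if.so": "auth_err",   # uid is not < 1000
                   "pam_sss.so": "perm_denied",       # no HBAC rule matched
                   "pam_permit.so": "success"}
AD_USER_WITH_HBAC = {**AD_USER_NO_HBAC, "pam_sss.so": "success"}

if __name__ == "__main__":
    for name, r in [("local", LOCAL_USER), ("ad/no-hbac", AD_USER_NO_HBAC),
                    ("ad/hbac-ok", AD_USER_WITH_HBAC)]:
        verdict, seen = evaluate(ACCOUNT_STACK, r)
        print(f"{name:12s} {verdict:5s} consulted: {' -> '.join(seen)}")
```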
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
OK. I have done this and am using the pam stack that is the result of what you describe here.

A few threads back you mentioned that this could be a reason why my hbac are not restricting access. I have no hbac rules currently and any active directory user can access any host. Is there something else I could look at to see why this is happening?

Thanks.
___
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 1/25/16, 2:11 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>Thanks Alexander. Is there a place where there are example pam stacks
>>that work with active directory and hbac?
>Defaults in RHEL/Fedora should be enough:
> - install RHEL/Fedora,
> - apply ipa-client-install,
>
>then you get proper setup. That's what is tested and supported.
>
>ipa-client-install would run authconfig utility with correct parameters
>to set PAM stack properly.
>
>--
>/ Alexander Bokovoy
[Freeipa-users] Active Directory users are not controlled by HBAC
Hi.

I have been successful using Freeipa 4.1 configuring active directory users and with sudo. The problem I am having is that the HBAC rules are not applying to my active directory users. They have access to all systems even if I disable my Allow_ALL rule. Is there something special I should be doing to domain?

Thanks,

Warren
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
Thanks for your reply. I understand what you are saying but don't see how this would work because Allow_All is my current situation (even with this rule disabled). My understanding is you can't restrict through a rule, only limit. Am I missing something?

On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of Jakub Hrozek" <freeipa-users-boun...@redhat.com on behalf of jhro...@redhat.com> wrote:

>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>> Hi.
>>
>> I have been successful using Freeipa 4.1 configuring active directory
>> users and with sudo. The problem I am having is that the HBAC rules are
>> not applying to my active directory users. They have access to all
>> systems even if I disable my Allow_ALL rule. Is there something special
>> I should be doing to domain?
>
>Normally HBAC for AD users should be done through an external group you
>add the AD users or groups to, then add the external group to a regular
>IPA group and reference this IPA group from HBAC rules.
>
>There have been bugs related to external groups resolution, so please
>update to the latest IPA and SSSD packages also.