Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-21 Thread Srdjan Dutina
Yes, it does. Thank you.

On Mon, Apr 20, 2015 at 6:08 PM Srdjan Dutina sdut...@gmail.com wrote:

 Sorry for the misunderstanding.

 I understand HBAC rules will not work for CentOS 5. I just wanted to make
 sure that disabling the allow_all rule and adding new HBAC rules won't interfere
 with AD users logging on to CentOS 5.

 On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy aboko...@redhat.com
 wrote:

 On Mon, 20 Apr 2015, Srdjan Dutina wrote:
 Just found in
 http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following
 sentence: "If you have HBAC's allow_all rule disabled, you will need to
 allow the system-auth service on the FreeIPA master, so that authentication
 of the AD users can be performed."
 Is this true for FreeIPA 4.1.0 also, and how could I do this?
 Either you are reading it wrong or I don't get where you want to apply
 HBAC rules, because this is for IPA masters, not legacy clients per se.
 Yes, you need to create an HBAC service named 'system-auth' and grant
 access to it to AD users on IPA masters, but all it will allow you is to
 authenticate AD users via the compat tree.

 If your RHEL5 SSSD clients attempt to run their own HBAC rule checks, AD users
 cannot be checked by those rules.



 --
 / Alexander Bokovoy


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Dmitri Pal

On 04/20/2015 12:08 PM, Srdjan Dutina wrote:

Sorry for the misunderstanding.

I understand HBAC rules will not work for CentOS 5. I just wanted to
make sure that disabling the allow_all rule and adding new HBAC rules won't
interfere with AD users logging on to CentOS 5.


To clarify:
CentOS 5 needs to point to the compat tree for AD users to authenticate.
You need to use the LDAP SSSD back end for that, not the IPA SSSD back end
(idenity_provider setting in sssd.conf).
Once you use the LDAP back end you need to use some other access control
configuration, not HBAC, as HBAC comes only when you use the IPA SSSD back end.
You can use an LDAP filter or the simple access provider or some other
option that is supported in SSSD 1.5 against LDAP.


Does this make sense?




On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy aboko...@redhat.com wrote:


On Mon, 20 Apr 2015, Srdjan Dutina wrote:
Just found in
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following
sentence: "If you have HBAC's allow_all rule disabled, you will need to
allow the system-auth service on the FreeIPA master, so that authentication
of the AD users can be performed."
Is this true for FreeIPA 4.1.0 also, and how could I do this?
Either you are reading it wrong or I don't get where you want to apply
HBAC rules, because this is for IPA masters, not legacy clients per se.
Yes, you need to create an HBAC service named 'system-auth' and grant
access to it to AD users on IPA masters, but all it will allow you is to
authenticate AD users via the compat tree.

If your RHEL5 SSSD clients attempt to run their own HBAC rule checks, AD
users cannot be checked by those rules.



--
/ Alexander Bokovoy






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
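An added example, not from this thread or the FreeIPA project, of the legacy-client sssd.conf Dmitri describes: the LDAP identity and authentication back end pointed at the compat tree, with SSSD's simple access provider doing the access control that HBAC cannot do for AD users on this client. The hostname, base DN, CA certificate path and group names are placeholders.

```ini
# /etc/sssd/sssd.conf on a CentOS 5 client running SSSD 1.5.x (constructed example).
# Placeholders: ipa.example.com, dc=example,dc=com, /etc/pki/tls/certs/ipa-ca.crt,
# and the two group names.
[sssd]
config_file_version = 2
services = nss, pam
domains = legacy_ipa

[domain/legacy_ipa]
# LDAP, not IPA, as the back end. The IPA back end would evaluate HBAC on the
# client, and those checks cannot see AD users (see the replies above).
id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://ipa.example.com
# CA certificate of the IPA CA, copied to the client out of band.
ldap_tls_cacert = /etc/pki/tls/certs/ipa-ca.crt

# Search only the compat tree: that is where trusted AD users and groups are
# exposed with POSIX attributes that an LDAP-only client can consume.
ldap_search_base = cn=compat,dc=example,dc=com
ldap_user_search_base = cn=users,cn=compat,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=compat,dc=example,dc=com
ldap_schema = rfc2307

# Password binds for AD users against the compat tree are passed through to
# the IPA master, which is why the 'system-auth' HBAC service on the master
# must allow them (Alexander's point above). HBAC on the master gates that
# pass-through only; per-host access control for this client lives here.
access_provider = simple
simple_allow_groups = ipa_legacy_ops, ad_legacy_ops

enumerate = false
cache_credentials = true
```

SSSD refuses to start unless sssd.conf is owned by root with mode 0600, so set that before restarting the service. The same file with `access_provider = ldap` plus an `ldap_access_filter` is the LDAP-filter alternative Dmitri mentions.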


Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Alexander Bokovoy

On Mon, 20 Apr 2015, Srdjan Dutina wrote:

Thanks for the quick answer!

If I disable the HBAC rule, I can still log in to the CentOS 5 client using an IPA
user, but not using an AD user. Is there a workaround?
I need allow_all disabled because of newer IPA clients.

There is no workaround so far.

--
/ Alexander Bokovoy



Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Thanks for the quick answer!

If I disable the HBAC rule, I can still log in to the CentOS 5 client using an IPA
user, but not using an AD user. Is there a workaround?
I need allow_all disabled because of newer IPA clients.




On Mon, Apr 20, 2015 at 4:30 PM Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 20 Apr 2015, Srdjan Dutina wrote:
 Hi,
 
 Testing FreeIPA 4.1.0 (Centos 7 (1503)) with AD 2012 R2 trust.
 
 For a CentOS 5.11 client (SSSD 1.5.1), will HBAC and SUDO rules function? If
 yes, does this apply to AD users also?
 SSSD 1.5.1 does not have SUDO support.

 HBAC support in 1.5.1 will most likely not work with the compat tree that is
 required for legacy clients to support AD users. I don't think this
 was even tested.

 --
 / Alexander Bokovoy


[Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Hi,

Testing FreeIPA 4.1.0 (Centos 7 (1503)) with AD 2012 R2 trust.

For a CentOS 5.11 client (SSSD 1.5.1), will HBAC and SUDO rules function? If
yes, does this apply to AD users also?

Thank you!

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Alexander Bokovoy

On Mon, 20 Apr 2015, Srdjan Dutina wrote:

Hi,

Testing FreeIPA 4.1.0 (Centos 7 (1503)) with AD 2012 R2 trust.

For a CentOS 5.11 client (SSSD 1.5.1), will HBAC and SUDO rules function? If
yes, does this apply to AD users also?

SSSD 1.5.1 does not have SUDO support.

HBAC support in 1.5.1 will most likely not work with the compat tree that is
required for legacy clients to support AD users. I don't think this
was even tested.


--
/ Alexander Bokovoy



Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Just found in
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following
sentence: "If you have HBAC's allow_all rule disabled, you will need to
allow the system-auth service on the FreeIPA master, so that authentication of
the AD users can be performed."
Is this true for FreeIPA 4.1.0 also, and how could I do this?

On Mon, Apr 20, 2015 at 4:51 PM Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 20 Apr 2015, Srdjan Dutina wrote:
 Thanks for the quick answer!
 
 If I disable the HBAC rule, I can still log in to the CentOS 5 client using an IPA
 user, but not using an AD user. Is there a workaround?
 I need allow_all disabled because of newer IPA clients.
 There is no workaround so far.

 --
 / Alexander Bokovoy


Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Alexander Bokovoy

On Mon, 20 Apr 2015, Srdjan Dutina wrote:

Just found in
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following
sentence: "If you have HBAC's allow_all rule disabled, you will need to
allow the system-auth service on the FreeIPA master, so that authentication of
the AD users can be performed."
Is this true for FreeIPA 4.1.0 also, and how could I do this?

Either you are reading it wrong or I don't get where you want to apply
HBAC rules, because this is for IPA masters, not legacy clients per se.
Yes, you need to create an HBAC service named 'system-auth' and grant
access to it to AD users on IPA masters, but all it will allow you is to
authenticate AD users via the compat tree.

If your RHEL5 SSSD clients attempt to run their own HBAC rule checks, AD users
cannot be checked by those rules.



--
/ Alexander Bokovoy



Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Sorry for the misunderstanding.

I understand HBAC rules will not work for CentOS 5. I just wanted to make
sure that disabling the allow_all rule and adding new HBAC rules won't interfere
with AD users logging on to CentOS 5.

On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 20 Apr 2015, Srdjan Dutina wrote:
 Just found in
 http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the following
 sentence: "If you have HBAC's allow_all rule disabled, you will need to
 allow the system-auth service on the FreeIPA master, so that authentication
 of the AD users can be performed."
 Is this true for FreeIPA 4.1.0 also, and how could I do this?
 Either you are reading it wrong or I don't get where you want to apply
 HBAC rules, because this is for IPA masters, not legacy clients per se.
 Yes, you need to create an HBAC service named 'system-auth' and grant
 access to it to AD users on IPA masters, but all it will allow you is to
 authenticate AD users via the compat tree.

 If your RHEL5 SSSD clients attempt to run their own HBAC rule checks, AD users
 cannot be checked by those rules.



 --
 / Alexander Bokovoy
