[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Rob, do you by chance maybe have sshd and sftp in your "Via Services" permissions? If I have the sshd service enabled in my "Via services" then "sftp" works for me as well, but it's still under the hood authenticating with sshd even though I am trying to connect with the "sftp" command. "pam_sss"

[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Thanks Rob.

ipa hbactest --user testaccount --host testsystem.example.com --service sftp
Access granted: True

ipa hbactest --user testaccount --host testsystem.example.com --service sshd
Access granted: False

So the HBAC works from FreeIPA...however

[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the server no issue.
>
> I want to limit this user to only being able to sftp

[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Ahti Seier via FreeIPA-users
I don't think this can be done easily. The way PAM works is the program (sshd in this case) starts the PAM context with a specific name. Looking at sshd source it seems this is __progname for sshd which should be the basename of the executable. There does not seem to be a separate authentication
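
An added example (not code from the thread or from FreeIPA/SSSD): since an HBAC "Via Service" name is compared against the PAM service name the login program opened, a quick sanity check is whether any PAM stack with that name exists at all. The script below builds a constructed pam.d directory containing only an sshd stack and checks the two service names from this thread; /etc/pam.d as the default location is an assumption, and the sample stack contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeIPA/SSSD.
# SSSD evaluates HBAC rules against the PAM service name that the login
# program passed to pam_start(); for OpenSSH that is "sshd", whether the
# client ran ssh or sftp. A "Via Service" with no PAM stack of that name
# can therefore never be matched.

# Does a PAM service file named $1 exist? $2 overrides the pam.d
# directory so the check can run against a constructed tree (assumed
# default: /etc/pam.d).
hbac_service_has_pam_stack() {
    pamd_dir="${2:-/etc/pam.d}"
    [ -f "$pamd_dir/$1" ]
}

# Constructed sample pam.d directory for offline demonstration: only an
# "sshd" stack that hands auth/account to pam_sss, as SSSD-joined hosts do.
make_sample_pamd() {
    dir="$1"
    mkdir -p "$dir"
    printf 'auth      required  pam_sss.so\naccount   required  pam_sss.so\n' > "$dir/sshd"
}

# Report, for each candidate "Via Service" name, whether a PAM stack of
# that name exists. Returns 1 if any name has no stack.
check_via_services() {
    pamd_dir="$1"
    shift
    rc=0
    for svc in "$@"; do
        if hbac_service_has_pam_stack "$svc" "$pamd_dir"; then
            echo "$svc: PAM stack present, an HBAC rule via '$svc' can match"
        else
            echo "$svc: no PAM stack, an HBAC rule via '$svc' is never evaluated"
            rc=1
        fi
    done
    return $rc
}

tmp="$(mktemp -d)"
make_sample_pamd "$tmp/pam.d"
check_via_services "$tmp/pam.d" sshd sftp || echo "at least one service name has no PAM stack"
rm -rf "$tmp"
```

The check only rules names out: a stack named sftp could be created by hand, but sshd would still open the "sshd" stack for SFTP sessions, so the presence of a file is necessary, not sufficient, for a rule to take effect.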

[Freeipa-users] sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Try to make this simple. Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a server. Have the "Via Service" set to "sshd". The user can ssh into the server no issue. I want to limit this user to only being able to sftp into this server (no direct ssh). If I swap the "Via

[Freeipa-users] New primary rid range overlaps with existing primary rid range

2023-05-16 Thread Andreas Binapfl via FreeIPA-users
Greetings, we also upgraded to RHEL9.2 and got the auth problems. Following the advice here I wanted to use "ipa config-mod --enable-sid --add-sids" but unfortunately I get an error in /etc/messages: ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary rid range

[Freeipa-users] Re: IDView problem

2023-05-16 Thread Ronald Wimmer via FreeIPA-users
On 15.05.23 10:34, Florence Blanc-Renaud wrote: Hi, On Fri, May 12, 2023 at 5:47 PM Ronald Wimmer wrote: On 12.05.23 11:35, Florence Blanc-Renaud via FreeIPA-users wrote: > Hi, > > can you provide more details? Did you use the "Default Trust View"

[Freeipa-users] Re: IPA filters not working

2023-05-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Mon, May 15, 2023 at 10:34 PM Omar Pagan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> [root @ ldap01] ~
> $ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com --service ssh
>
The issue looks like a simple typo. Here the test is using *ssh*