Re: [Freeipa-users] HBAC rules don't work with PAM - problem
OK. I understand. Thank You for an answer. 2015-05-12 9:39 GMT+02:00 Jan Pazdziora jpazdzi...@redhat.com: On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote: OK. But the answer granted/declined comes from IPA. So why IPA doesn't check its own HBAC rules at all? Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules. Note that you can have setups when you don't authenticate via PAM at all (for example when using Kerberos) yet you do authorization (access control) using PAM. Authentication is not the correct place to process HBAC rules. In your case, nobody is arguing that the password used was correct -- authentication passed, the identity of the client was validated. The application (tacacs) is supposed to do additional step, now that it knows what user is attempting to log in -- verify authorization, fact that the known user should be allowed in, with pam_acct_mgmt. That's the why. You could in theory force it to work by writing a wrapper PAM module which would call both pam_sss's pam_sm_authenticate *and* pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be a hack, possibly with unexpected side effects. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] HBAC rules don't work with PAM - problem
On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote: OK. But the answer granted/declined comes from IPA. So why IPA doesn't check its own HBAC rules at all? Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules. Note that you can have setups when you don't authenticate via PAM at all (for example when using Kerberos) yet you do authorization (access control) using PAM. Authentication is not the correct place to process HBAC rules. In your case, nobody is arguing that the password used was correct -- authentication passed, the identity of the client was validated. The application (tacacs) is supposed to do additional step, now that it knows what user is attempting to log in -- verify authorization, fact that the known user should be allowed in, with pam_acct_mgmt. That's the why. You could in theory force it to work by writing a wrapper PAM module which would call both pam_sss's pam_sm_authenticate *and* pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be a hack, possibly with unexpected side effects. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] HBAC rules don't work with PAM - problem
Hi, I try to access Cisco switch via ssh. Cisco has tacacs login configured. # tail /var/log/secure May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=bartosz May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=test User bartosz is added in HBAC rule as Specified Users and Groups. User test exist in FreeIPA but isn't in HBAC rule and shouldn't be autheniticated. # cat /etc/sssd/sssd.conf [domain/test.example.com] debug_level = 6 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = test.example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = freeipa.test.example.com chpass_provider = ipa ipa_server = freeipa.test.example.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = test.example.com [nss] homedir_substring = /home [pam] debug_level = 6 domains = test.example.com [sudo] [autofs] [ssh] [pac] [ifp] #cat /var/log/sssd/sssd_pam.log (Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe! (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'test' matched without domain, user is test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: tac_plus (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29218 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: test (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [test.example.com][3][1][name=test] (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: test.example.com (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: tac_plus (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29218 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200):
Re: [Freeipa-users] HBAC rules don't work with PAM - problem
On Mon, May 11, 2015 at 01:57:38PM +0200, Jakub Hrozek wrote: On Mon, May 11, 2015 at 01:19:01PM +0200, Vangass wrote: Hello, I have a problem with HBAC rules with conjunction with PAM authentication. What I try to do is to authenticate users: tac_plus - PAM (pam_sssd) - FreeIPA. It works just fine but without checking HBAC rules. What I did: - disabled allow_all rule - created new rule with one user and one service (tac_plus) And then, if I try to authenticate another user which is not in above rule then authetication is accepted and this user gets logged in. In logs, what I didn't find is an information about checking HBAC rules... Of course, when I use HBAC Test then everything is correct - one user is granted and another is declined. # cat /etc/pam.d/tac_plus auth required pam_sss.so account required pam_sss.so If hbactest passes, then we need to see the logs, /var/log/secure and SSSD logs. Also the sssd.conf, please. Also, how did you configure that tac_plus PAM service should be used? How do you try to access the machine / service? -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] HBAC rules don't work with PAM - problem
Hello, I have a problem with HBAC rules with conjunction with PAM authentication. What I try to do is to authenticate users: tac_plus - PAM (pam_sssd) - FreeIPA. It works just fine but without checking HBAC rules. What I did: - disabled allow_all rule - created new rule with one user and one service (tac_plus) And then, if I try to authenticate another user which is not in above rule then authetication is accepted and this user gets logged in. In logs, what I didn't find is an information about checking HBAC rules... Of course, when I use HBAC Test then everything is correct - one user is granted and another is declined. # cat /etc/pam.d/tac_plus auth required pam_sss.so account required pam_sss.so Did I miss something? Thanks, Bartek Witkowski -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] HBAC rules don't work with PAM - problem
On (11/05/15 14:57), Vangass wrote: Hi, I try to access Cisco switch via ssh. Cisco has tacacs login configured. # tail /var/log/secure May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=bartosz May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=test User bartosz is added in HBAC rule as Specified Users and Groups. User test exist in FreeIPA but isn't in HBAC rule and shouldn't be autheniticated. # cat /etc/sssd/sssd.conf [domain/test.example.com] debug_level = 6 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = test.example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = freeipa.test.example.com chpass_provider = ipa ipa_server = freeipa.test.example.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = test.example.com [nss] homedir_substring = /home [pam] debug_level = 6 domains = test.example.com [sudo] [autofs] [ssh] [pac] [ifp] #cat /var/log/sssd/sssd_pam.log (Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe! (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'test' matched without domain, user is test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: tac_plus (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29218 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: test (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [test.example.com][3][1][name=test] (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: test.example.com (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: tac_plus (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29218 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]. (Mon May 11 14:40:28
Re: [Freeipa-users] HBAC rules don't work with PAM - problem
On Mon, May 11, 2015 at 05:15:31PM +0200, Sumit Bose wrote: On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote: On (11/05/15 14:57), Vangass wrote: Hi, I try to access Cisco switch via ssh. Cisco has tacacs login configured. # tail /var/log/secure May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=bartosz May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=test User bartosz is added in HBAC rule as Specified Users and Groups. User test exist in FreeIPA but isn't in HBAC rule and shouldn't be autheniticated. # cat /etc/sssd/sssd.conf [domain/test.example.com] debug_level = 6 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = test.example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = freeipa.test.example.com chpass_provider = ipa ipa_server = freeipa.test.example.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = test.example.com [nss] homedir_substring = /home [pam] debug_level = 6 domains = test.example.com [sudo] [autofs] [ssh] [pac] [ifp] #cat /var/log/sssd/sssd_pam.log (Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe! (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'test' matched without domain, user is test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: tac_plus (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29218 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: test (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [test.example.com][3][1][name=test] (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: test.example.com (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: tac_plus (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29218 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor]
Re: [Freeipa-users] HBAC rules don't work with PAM - problem
OK. But the answer granted/declined comes from IPA. So why IPA doesn't check its own HBAC rules at all? Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules. Thanks, Bartek. 2015-05-11 17:22 GMT+02:00 Sumit Bose sb...@redhat.com: On Mon, May 11, 2015 at 05:15:31PM +0200, Sumit Bose wrote: On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote: On (11/05/15 14:57), Vangass wrote: Hi, I try to access Cisco switch via ssh. Cisco has tacacs login configured. # tail /var/log/secure May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=bartosz May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=test User bartosz is added in HBAC rule as Specified Users and Groups. User test exist in FreeIPA but isn't in HBAC rule and shouldn't be autheniticated. # cat /etc/sssd/sssd.conf [domain/test.example.com] debug_level = 6 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = test.example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = freeipa.test.example.com chpass_provider = ipa ipa_server = freeipa.test.example.com ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = test.example.com [nss] homedir_substring = /home [pam] debug_level = 6 domains = test.example.com [sudo] [autofs] [ssh] [pac] [ifp] #cat /var/log/sssd/sssd_pam.log (Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe! (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'test' matched without domain, user is test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: tac_plus (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 29218 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon name: test (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [test.example.com][3][1][name=test] (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f4f20215ed0:3:t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [t...@test.example.com] (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: test.example.com (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: tac_plus (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Mon May 11 14:40:28 2015) [sssd[pam]]
Re: [Freeipa-users] HBAC rules don't work with PAM - problem
On Mon, 11 May 2015, Vangass wrote: OK. But the answer granted/declined comes from IPA. So why IPA doesn't check its own HBAC rules at all? Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules. Authentication and account management stages are different in PAM. When authentication is performed, it is separate step. When account management is performed, it is a separate step as well. HBAC rules are checked at account management stage because this is where all such checks are done traditionally in PAM. If you read documentation[1], it states: === The pam_acct_mgmt function is used to determine if the users account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated. === If application doesn't call into pam_acct_mgmt, it is not using PAM stack separation of duties properly. [1] http://linux.die.net/man/3/pam_acct_mgmt -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
