Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-17 Thread Jakub Hrozek
On Fri, Mar 17, 2017 at 08:35:42AM +1100, Lachlan Musicman wrote: > Which logs do you want from the server? NSS and domain -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Lachlan Musicman
Which logs do you want from the server? -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 16 March 2017 at 20:09, Jakub Hrozek wrote: > On Thu, Mar 16, 2017 at 07:56:58PM +1100, Lachlan Musicman wrote: > > Yes. What I do would you like? Cur

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Jakub Hrozek
On Thu, Mar 16, 2017 at 07:56:58PM +1100, Lachlan Musicman wrote: > Yes. What would you like me to do? Current debug levels are at 8 Logs and id output from the server and the client at the same time.

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Lachlan Musicman
Yes. What would you like me to do? Current debug levels are at 8. L. On 16 Mar. 2017 7:06 pm, "Jakub Hrozek" wrote: > On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote: > > I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure > > if better to report to here or

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Jakub Hrozek
On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote: > I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure > if better to report to here or sssd mailing list. Also sssd in pagure is > bare and I didn't want to sully the blank slate. ( > https://pagure.io/sssd/is

[Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-15 Thread Lachlan Musicman
I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure if better to report to here or sssd mailing list. Also sssd in pagure is bare and I didn't want to sully the blank slate. ( https://pagure.io/sssd/issues ) The details: env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR

[Freeipa-users] HBAC trust groups inconsistent

2017-01-24 Thread Mike Berkelaar
Hello, I have been testing Freeipa since 4.2 and am very impressed overall. A pending issue I have not been able to resolve is getting HBAC to work consistently. I’m limited to an AD-trust scenario where AD groups are mapped to Posix groups. While ‘id user@domain’ will return all groups for new

Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Jake
icman" Cc: "freeipa-users" Sent: Tuesday, November 1, 2016 7:04:45 PM Subject: Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2) Jake, I've seen this behaviour and am still struggling to find a solution. The version of underlying OS and sssd are useful to know fwiw

Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Lachlan Musicman
Jake, I've seen this behaviour and am still struggling to find a solution. The version of underlying OS and sssd are useful to know fwiw. To troubleshoot HBAC: - in *target machine* sssd.conf, add debug_level=7 to each stanza (can go as high as 9, but I believe 7 will be sufficient) - restar

[Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Jake
Hey All, I'm having some issues tracing HBAC policies, it seems whenever I disable the allow_all policy, I'm no longer able to access services I have allowed in my more-specific hbac policy. What are the troubleshooting steps (logs) I can run on the client to see what is being denied and by w

Re: [Freeipa-users] HBAC rules stop working

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 07:51:14PM -0600, Orion Poplawski wrote: > server: > ipa-server-4.2.0-15.sl7_2.19.x86_64 > sssd-1.13.0-40.el7_2.12.x86_64 > > client: > sssd-1.14.1-3.el7.centos.x86_64 > > AD trust - users are in AD. HBAC rule in place for client to allow a user > to login/ssh/su/etc. >

[Freeipa-users] HBAC rules stop working

2016-09-29 Thread Orion Poplawski
server: ipa-server-4.2.0-15.sl7_2.19.x86_64 sssd-1.13.0-40.el7_2.12.x86_64 client: sssd-1.14.1-3.el7.centos.x86_64 AD trust - users are in AD. HBAC rule in place for client to allow a user to login/ssh/su/etc. This seems to have happened a couple times now, and again today after rebooting t

Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lachlan Musicman
(redface) It seems to be working. Thanks -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 September 2016 at 09:57, Lachlan Musicman wrote: > We have one "allow all" sudo rule (anyone, any host, any command). > > Matching Defaults ent

Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lachlan Musicman
We have one "allow all" sudo rule (anyone, any host, any command). Matching Defaults entries for root on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRE

Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lukas Slebodnik
On (19/09/16 16:43), Lachlan Musicman wrote: >I must have made an error again: > >- ipa hbactest gives seemingly correct answer on both server and client >- user can't actually use sudo on client? > >Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR > > From the server: > >[root@vmdv-linuxidm1 ~

[Freeipa-users] HBAC doesn't work issues

2016-09-18 Thread Lachlan Musicman
I must have made an error again: - ipa hbactest gives seemingly correct answer on both server and client - user can't actually use sudo on client? Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR From the server: [root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au --host=

Re: [Freeipa-users] HBAC and AD users

2016-07-20 Thread Lachlan Musicman
Sure - I've got tomorrow off, so it will be Friday morning. cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 July 2016 at 17:14, Jakub Hrozek wrote: > On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote: > > On 1

Re: [Freeipa-users] HBAC and AD users

2016-07-20 Thread Jakub Hrozek
On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote: > On 19 July 2016 at 16:40, Jakub Hrozek wrote: > > > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > > I think the thing that frustrates the most is that id u...@domain.com is > > > returning correct data on

Re: [Freeipa-users] HBAC and AD users

2016-07-19 Thread Lachlan Musicman
On 19 July 2016 at 16:40, Jakub Hrozek wrote: > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > I think the thing that frustrates the most is that id u...@domain.com is > > returning correct data on both but they can't login and I can't even > > show that this is the case

Re: [Freeipa-users] HBAC and AD users

2016-07-18 Thread Jakub Hrozek
On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > I think the thing that frustrates the most is that id u...@domain.com is > returning correct data on both but they can't login and I can't even > show that this is the case because now they can login. Difficult to > reproduce :/

Re: [Freeipa-users] HBAC and AD users

2016-07-18 Thread Lachlan Musicman
I think the thing that frustrates the most is that id u...@domain.com is returning correct data on both but they can't login and I can't even show that this is the case because now they can login. Difficult to reproduce :/ -- The most dangerous phrase in the language is, "We've always done

Re: [Freeipa-users] HBAC and AD users

2016-07-18 Thread Lachlan Musicman
Ok, the bad news is that it didn't last. We are still having the same problem - HBAC is rejecting users because not all jobs are being discovered on the host. I turned the debug_level up to 10 as requested, but to be honest, it's impossible to find anything in the logs because it's so verbose - su

Re: [Freeipa-users] HBAC and AD users

2016-07-18 Thread Jakub Hrozek
On Mon, Jul 18, 2016 at 09:17:06AM +1000, Lachlan Musicman wrote: > Previously we did have the default_domain_suffix set, but we had to unset > it. I can't remember why we had to - something to do with > ownership/permissions and our filesystem (IBM v7000) not playing nice iirc. > We really wanted

Re: [Freeipa-users] HBAC and AD users

2016-07-17 Thread Lachlan Musicman
Previously we did have the default_domain_suffix set, but we had to unset it. I can't remember why we had to - something to do with ownership/permissions and our filesystem (IBM v7000) not playing nice iirc. We really wanted to use the dds => the researchers are complaining of broken brains due to

Re: [Freeipa-users] HBAC and AD users

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote: > I've updated all the relevant hosts and the FreeIPA server to the COPR sssd > 1.14.0 release and the problem seems to have disappeared. Great, but please keep an eye on the machine, the 1.14 branch is still kind of fresh and we did

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
I've updated all the relevant hosts and the FreeIPA server to the COPR sssd 1.14.0 release and the problem seems to have disappeared. Cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 15 July 2016 at 10:09, Lachlan Musicman wrote:

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
AH. I'm seeing a lot of this now. hbac_eval_user_element is returning the wrong number of groups. I just found another instance in my logs : (Fri Jul 15 08:39:04 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [23] groups for [SimpsonLachlan] IPA server [root@vmpr-lin
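The hbac_eval_user_element line quoted above is the one to watch when a user is denied by HBAC even though `id` looks right: SSSD logs how many groups it resolved for the user at the moment it evaluated the rules, and a count that changes from one evaluation to the next is exactly what this thread and the later "HBAC Troubleshooting (IPA 4.2)" thread (raise debug_level on the target machine, restart sssd, then read the domain log) are chasing. The script below is an added example, not code from the thread, FreeIPA or SSSD: it scans an SSSD domain log for those lines and flags users whose group count varies. The embedded log lines are constructed in the format of the quoted line; the domain, timestamps and the user "bob" are made up for the example.

```python
"""Flag users whose HBAC group count varies between SSSD evaluations.

Added example for the freeipa-users HBAC threads; not SSSD or FreeIPA code.
It parses lines of the form (format taken from the message quoted above):
  (Fri Jul 15 08:39:04 2016) [sssd[be[DOMAIN]]] [hbac_eval_user_element] (0x1000): [23] groups for [USER]
The 0x1000 level is the function-trace level that debug_level=7 enables.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[hbac_eval_user_element\] \((?P<level>0x[0-9a-f]+)\): "
    r"\[(?P<count>\d+)\] groups for \[(?P<user>[^\]]+)\]"
)

# Constructed sample log (only the first line's shape comes from the thread).
SAMPLE_LOG = """\
(Fri Jul 15 08:39:04 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [23] groups for [SimpsonLachlan]
(Fri Jul 15 09:02:11 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [23] groups for [SimpsonLachlan]
(Fri Jul 15 09:15:40 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [4] groups for [SimpsonLachlan]
(Fri Jul 15 09:16:02 2016) [sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [7] groups for [bob]
(Fri Jul 15 09:16:03 2016) [sssd[be[unix.petermac.org.au]]] [example_other_function] (0x0400): unrelated line (constructed)
"""


def parse_group_counts(log_text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Return {user: [(timestamp, group_count), ...]} in log order; other lines are skipped."""
    counts: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m["user"]].append((m["ts"], int(m["count"])))
    return dict(counts)


def inconsistent_users(log_text: str) -> List[str]:
    """Users whose resolved group count differs between evaluations: the
    symptom behind 'hbactest passes on the server but login is denied'."""
    return sorted(user for user, seen in parse_group_counts(log_text).items()
                  if len({count for _, count in seen}) > 1)


def report(log_text: str) -> str:
    """Human-readable summary, one line per user."""
    lines = []
    for user, seen in sorted(parse_group_counts(log_text).items()):
        distinct = sorted({count for _, count in seen})
        flag = "INCONSISTENT" if len(distinct) > 1 else "ok"
        lines.append(f"{user}: {len(seen)} evaluations, group counts {distinct} [{flag}]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe a real domain log in, e.g. python3 hbac_groupcount.py < /var/log/sssd/sssd_DOMAIN.log;
    # with no input on stdin the constructed sample is used.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(report(text))
```

A user listed as INCONSISTENT is being evaluated against a different group set on different logins, which is the client-side cache or lookup problem discussed in these threads rather than a mistake in the rule itself; compare the low count against `id user@domain` taken at the same time, as Jakub asks for above.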

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
On 14 July 2016 at 17:44, Sumit Bose wrote: > On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote: > > Ok, I have some logs of sssd 1.13.0 not working. Same values as before: > > > > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 > > > > Installed Packages > > Name: ipa

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Sumit Bose
On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote: > Ok, I have some logs of sssd 1.13.0 not working. Same values as before: > > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 > > Installed Packages > Name: ipa-server > Arch: x86_64 > Version : 4.2.0 > Rel

Re: [Freeipa-users] HBAC and AD users

2016-07-13 Thread Lachlan Musicman
Ok, I have some logs of sssd 1.13.0 not working. Same values as before: FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 Installed Packages Name: ipa-server Arch: x86_64 Version : 4.2.0 Release : 15.0.1.el7.centos.17 Size: 5.0 M Repo: installed From re

Re: [Freeipa-users] HBAC and AD users

2016-07-12 Thread Sumit Bose
On Tue, Jul 12, 2016 at 09:08:01AM +1000, Lachlan Musicman wrote: > Alex, Sumit, > > Which log levels would you recommend for sssd to help debug this issue? > > We've been using 7, but I just realised that it's not an increasing scale > but bitmasked... It is both 0-9 is increasing scale while v

Re: [Freeipa-users] HBAC and AD users

2016-07-11 Thread Lachlan Musicman
Alex, Sumit, Which log levels would you recommend for sssd to help debug this issue? We've been using 7, but I just realised that it's not an increasing scale but bitmasked... cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 11

Re: [Freeipa-users] HBAC and AD users

2016-07-11 Thread Sumit Bose
On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote: > On 11 July 2016 at 16:44, Alexander Bokovoy wrote: > > > On Mon, 11 Jul 2016, Lachlan Musicman wrote: > > > >> Hola, > >> > >> Centos 7, up to date. > >> > >> [root@linuxidm ~]# ipa --version > >> VERSION: 4.2.0, API_VERSION: 2.1

Re: [Freeipa-users] HBAC and AD users

2016-07-11 Thread Lachlan Musicman
On 11 July 2016 at 16:44, Alexander Bokovoy wrote: > On Mon, 11 Jul 2016, Lachlan Musicman wrote: > >> Hola, >> >> Centos 7, up to date. >> >> [root@linuxidm ~]# ipa --version >> VERSION: 4.2.0, API_VERSION: 2.156 >> >> One way trust is successfully established, can login with >> >> ssh usern...@

Re: [Freeipa-users] HBAC and AD users

2016-07-10 Thread Alexander Bokovoy
On Mon, 11 Jul 2016, Lachlan Musicman wrote: Hola, Centos 7, up to date. [root@linuxidm ~]# ipa --version VERSION: 4.2.0, API_VERSION: 2.156 One way trust is successfully established, can login with ssh usern...@domain1.com@server1.domain2.com Am testing to get HBAC to work. I've noticed th

[Freeipa-users] HBAC and AD users

2016-07-10 Thread Lachlan Musicman
Hola, Centos 7, up to date. [root@linuxidm ~]# ipa --version VERSION: 4.2.0, API_VERSION: 2.156 One way trust is successfully established, can login with ssh usern...@domain1.com@server1.domain2.com Am testing to get HBAC to work. I've noticed that with the Allow All rule in effect, the follo

Re: [Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Joanna Delaporte
Hi Alexander, Thanks for the link. I read through it again, and I am still stuck on the rpcgss service on the server...I don't know how to properly restart it. The service in the documents is service nfs-secure-server enable (FC16), or rpcsvcgssd.service (RH7), but I cannot enable using those. I

Re: [Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Alexander Bokovoy
On Fri, 01 Jul 2016, Joanna Delaporte wrote: I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am starting to wonder if I don't have HBAC rules set up correctly. I installed freeIPA with --no_hbac_allow. I have an HBAC service defined as an nfs service: $ ipa hbacsvc-add --des

[Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Joanna Delaporte
I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am starting to wonder if I don't have HBAC rules set up correctly. I installed freeIPA with --no_hbac_allow. I have an HBAC service defined as an nfs service: $ ipa hbacsvc-add --desc="NFS service" nfs I have an HBAC rule that a

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-19 Thread Jakub Hrozek
a-users@redhat.com > > Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected > > > > On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: > > > Hmmm, I also now see > > > > > > https://fedorahosted.org/sssd/tick

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Jakub Hrozek > Sent: Wednesday, 18 May 2016 5:40 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] HBAC access denied, all AD groups no

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Alexander Bokovoy
On Wed, 18 May 2016, Jakub Hrozek wrote: On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: Hmmm, I also now see https://fedorahosted.org/sssd/ticket/2642 and https://bugzilla.redhat.com/show_bug.cgi?id=1217127 Versions being run: sssd-client-1.13.0-40.el7_2.4.x86_64 sssd-ad-1.

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: > Hmmm, I also now see > > https://fedorahosted.org/sssd/ticket/2642 > and > https://bugzilla.redhat.com/show_bug.cgi?id=1217127 > > Versions being run: > > sssd-client-1.13.0-40.el7_2.4.x86_64 > sssd-ad-1.13.0-40.el7_2.4.x86_64 >

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 09:46:49AM +1000, Lachlan Musicman wrote: > It's worth noting that, in difference to the bug report: > > 1. We aren't making changes to the overrides. The overrides exist, they > just aren't propagating evenly or consistently. > 2. We are seeing these errors in the various

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
It's worth noting that, in difference to the bug report: 1. We aren't making changes to the overrides. The overrides exist, they just aren't propagating evenly or consistently. 2. We are seeing these errors in the various logs: sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]] [sysdb

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
Hmmm, I also now see https://fedorahosted.org/sssd/ticket/2642 and https://bugzilla.redhat.com/show_bug.cgi?id=1217127 Versions being run: sssd-client-1.13.0-40.el7_2.4.x86_64 sssd-ad-1.13.0-40.el7_2.4.x86_64 sssd-proxy-1.13.0-40.el7_2.4.x86_64 sssd-1.13.0-40.el7_2.4.x86_64 sssd-common-1.13.0-40

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Jakub Hrozek
On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote: > FWIW, > > We are seeing the issues that are described here: > > https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html > > I was about to write when I found this, it explains exactly what I am > seeing - right

[Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
FWIW, We are seeing the issues that are described here: https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html I was about to write when I found this, it explains exactly what I am seeing - right down to the "impossible to reproduce because it's so (seemingly) random". I am

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
and here is my sssd debug log from client side http://pastebin.com/ud2q3FR5 On Sat, Apr 30, 2016 at 10:06 AM, Ben .T.George wrote: > Hi > > Adding this this. > > in AD i habe added 2 users , ben and jude. In my HBAC rule, i pointed this > specific external group and (were these users) > > but w

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
Hi, adding to this. In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this specific external group (where these users are), but while checking the rule from the IPA server using hbactest, both users' tests pass and show one rule. But in actual fact only ben is able to login to clien

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Surprisingly, I have created some local IPA users and added them to the same HBAC rule, removed the AD group and applied this rule to the client, and that worked. How can I make this AD group work with HBAC? Regards, Ben On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George wrote: > Hi > > If I disable allow_

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi, if I disable the allow_all rule, I am not able to login to the client machine. On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George wrote: > Hi > > Actually I have added Domain Admins and the user ben is not part of Domain > Admins. But when I login to the client

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi, actually I have added Domain Admins and the user ben is not part of Domain Admins. But when I login to the client machine, I am getting the below: -sh-4.2$ id uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(*domain us...@kw

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi, while explaining here it went wrong. Actually what I did is "Added external group to POSIX group". On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > > Hi, > > > > "The other is that the groups might not show up on the client (do

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > HI, > > "The other is that the groups might not show up on the client (do they?)" id $user. But I think Alexander noticed the root cause. > > how can i check that. > > Thanks > Ben > > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hro

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi, I have created 2 fresh users now and I was running the below: [root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd ipa: ERROR: trusted domain user not found [root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd ipa: ERROR:

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi Alex, yeah, my mistake. I was following this: http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy wrote: > On Fri, 29 Apr 2016, Ben .T.George wrote: > >> Hi List, >> >> I h

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi, "The other is that the groups might not show up on the client (do they?)" How can I check that? Thanks Ben On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > > Hi List, > > > > I have a working setup of one AD, one IPA ser

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Alexander Bokovoy
On Fri, 29 Apr 2016, Ben .T.George wrote: Hi List, I have working setup of one AD, one IPA server and one client server. by default i can login to client server by using AD username. i want to apply HBAC rules against this client server. For that i have done below steps. 1. created External gr

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > Hi List, > > I have working setup of one AD, one IPA server and one client server. by > default i can login to client server by using AD username. > > i want to apply HBAC rules against this client server. For that i have done > bel

[Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi List, I have a working setup of one AD, one IPA server and one client server. By default I can login to the client server by using an AD username. I want to apply HBAC rules against this client server. For that I have done the below steps. 1. created External group in IPA server 2. created local POSIX grou

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Martin Basti
On 29.04.2016 13:27, Ben .T.George wrote: HI Thanks for your reply. can i do this external group mapping from web UI? You can create External Group using webUI (user groups/ add group/ choose external radio button) More doc about HBAC: https://access.redhat.com/documentation/en-US/Red_H

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Ben .T.George
Hi, thanks for your reply. Can I do this external group mapping from the web UI? On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote: > > Hi List, > > > > I have a working setup of IPA with AD integrated and one client joined. > > >

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote: > Hi List, > > i have a working setup of IPA with AD integrated and one client joined. > > i want to implement HBAC rules against this client. can anyone please share > me good articles of implementing HBAC from web UI. I'm not sure

[Freeipa-users] HBAC implementation help

2016-04-28 Thread Ben .T.George
Hi List, I have a working setup of IPA with AD integrated and one client joined. I want to implement HBAC rules against this client. Can anyone please share with me good articles on implementing HBAC from the web UI? Thanks & Regards, Ben

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-09 Thread Jakub Hrozek
On Tue, Dec 08, 2015 at 04:10:42PM -0600, Sauls, Jeff wrote: > > Jakub Hrozek wrote: > > > > On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote: > > > > Jakub Hrozek wrote: > > > > > > > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > > > > Hello, > > > > > > > > > > We

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-08 Thread Sauls, Jeff
> Jakub Hrozek wrote: > > On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote: > > > Jakub Hrozek wrote: > > > > > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > > > Hello, > > > > > > > > We are having a problem with HBAC that appears to be related to > > > > group mem

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Jakub Hrozek
On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote: > > Jakub Hrozek wrote: > > > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > > Hello, > > > > > > We are having a problem with HBAC that appears to be related to group > > > membership lookup. I am testing with a new

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Sauls, Jeff
> Jakub Hrozek wrote: > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > Hello, > > > > We are having a problem with HBAC that appears to be related to group > > membership lookup. I am testing with a new install on RHEL 7.2 with a > > cross-forest trust with AD. When an AD use

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Jakub Hrozek
On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > Hello, > > We are having a problem with HBAC that appears to be related to group > membership lookup. I am testing with a new install on RHEL 7.2 with a > cross-forest trust with AD. When an AD user attempts to log into a client > (R

[Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-04 Thread Sauls, Jeff
Hello, We are having a problem with HBAC that appears to be related to group membership lookup. I am testing with a new install on RHEL 7.2 with a cross-forest trust with AD. When an AD user attempts to log into a client (RH 6.7 or 7.2) the "hbac_eval_user_element" can report a different numb

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Bokovoy
On Mon, 30 Nov 2015, Alexander Skwar wrote: Hello Alexander ;) 2015-11-30 10:38 GMT+01:00 Alexander Bokovoy : HBAC is enforced by SSSD over PAM. All you need to ensure is that an application (sshd in this case) uses PAM. Then you setup HBAC rules, disable allow_all rule, and then SSSD will ver

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Jan Pazdziora
On Mon, Nov 30, 2015 at 11:18:15AM +0100, Alexander Skwar wrote: > > Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also > change the "default" behaviour? I mean, by default, everything will > be allowed for everyone on every system. No. > When I deactivate the allow_all - wo

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Skwar
Hello Alexander ;) 2015-11-30 10:38 GMT+01:00 Alexander Bokovoy : > HBAC is enforced by SSSD over PAM. All you need to ensure is that an > application (sshd in this case) uses PAM. Then you setup HBAC rules, > disable allow_all rule, and then SSSD will verify rules on logon via > sshd, checking a

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Bokovoy
On Mon, 30 Nov 2015, Alexander Skwar wrote: Hello I'm trying to setup our FreeIPA 4.1.0 (RHEL 7) servers with Ubuntu 14.04 FreeIPA 3.3.4 clients so, that users in a user group called "customers" can only access hosts, which are in a host group called "test". Users from the user group "ops" shoul

[Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Skwar
Hello I'm trying to setup our FreeIPA 4.1.0 (RHEL 7) servers with Ubuntu 14.04 FreeIPA 3.3.4 clients so, that users in a user group called "customers" can only access hosts, which are in a host group called "test". Users from the user group "ops" should be able to access all systems (ie. "prod" sy
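The replies above state the two semantics that matter here: a rule's user, host and service elements each match either by category "all" or by explicit membership (user, host or service directly, or via a group), and once allow_all is disabled a login that no enabled rule matches is denied. The block below is an added example, not code from FreeIPA or SSSD, that reimplements those semantics in a few dozen lines so the customers/ops/test scenario from this thread can be stepped through offline; it also shows why a client that resolved the user's groups incompletely (the symptom in the "HBAC access denied, all AD groups not detected" threads) ends up denied. The rule names, group names and host names are constructed for the example.

```python
"""Model of how SSSD evaluates FreeIPA HBAC rules for one login.

Added example for this thread; it is not FreeIPA or SSSD code, only a
reimplementation of the rule semantics described in the replies above:
  - a rule matches when its user, host and service elements all match;
  - an element matches when its category is "all", or the request's
    user/host/service is listed, or one of its groups is listed;
  - access is ALLOWED if any enabled rule matches, otherwise DENIED, so with
    allow_all disabled every login must be covered by an explicit rule.
All rule, group and host names below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

ALL = "all"


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool = True
    user_category: str = ""        # ALL, or "" meaning "explicit members only"
    host_category: str = ""
    service_category: str = ""
    users: FrozenSet[str] = frozenset()
    user_groups: FrozenSet[str] = frozenset()
    hosts: FrozenSet[str] = frozenset()
    host_groups: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()
    service_groups: FrozenSet[str] = frozenset()


@dataclass
class Request:
    """What the PAM responder hands to the HBAC evaluator for one login."""
    user: str
    user_groups: Set[str]          # as SSSD resolved them on the client
    host: str
    host_groups: Set[str]
    service: str                   # the PAM service name, e.g. "sshd"
    service_groups: Set[str] = field(default_factory=set)


def _element_matches(category, names, groups, name, member_of) -> bool:
    if category == ALL:
        return True
    return name in names or not groups.isdisjoint(member_of)


def rule_matches(rule: Rule, req: Request) -> bool:
    return (rule.enabled
            and _element_matches(rule.user_category, rule.users, rule.user_groups,
                                 req.user, req.user_groups)
            and _element_matches(rule.host_category, rule.hosts, rule.host_groups,
                                 req.host, req.host_groups)
            and _element_matches(rule.service_category, rule.services, rule.service_groups,
                                 req.service, req.service_groups))


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Return ("ALLOW", matched rule names) or ("DENY", []); default is deny."""
    matched = [r.name for r in rules if rule_matches(r, req)]
    return ("ALLOW" if matched else "DENY", matched)


def demo_rules(allow_all_enabled: bool = False) -> List[Rule]:
    """The scenario from this thread: 'customers' reach only the 'test' host
    group over sshd, 'ops' reach everything; allow_all normally disabled."""
    return [
        Rule("allow_all", enabled=allow_all_enabled,
             user_category=ALL, host_category=ALL, service_category=ALL),
        Rule("customers_test", user_groups=frozenset({"customers"}),
             host_groups=frozenset({"test"}), services=frozenset({"sshd"})),
        Rule("ops_everywhere", user_groups=frozenset({"ops"}),
             host_category=ALL, service_category=ALL),
    ]


if __name__ == "__main__":
    rules = demo_rules()
    for req in (
        Request("alice", {"customers"}, "test01.example.test", {"test"}, "sshd"),
        Request("alice", {"customers"}, "prod01.example.test", {"prod"}, "sshd"),
        Request("bob", {"ops"}, "prod01.example.test", {"prod"}, "sshd"),
        # group resolution came back empty on the client: denied despite the rule
        Request("alice", set(), "test01.example.test", {"test"}, "sshd"),
    ):
        print(req.user, req.host, req.service, "->", evaluate(rules, req))
```

The last request is the case the other HBAC threads on this page keep hitting: `ipa hbactest` on the server evaluates with the server's view of group membership, while SSSD on the client evaluates with whatever group set it resolved and cached, so the two can disagree without the rule being wrong.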

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Alexander Bokovoy
On Tue, 24 Nov 2015, Winfried de Heiden wrote: Hi all, The problem is clear, there is a misunderstanding of the service "su" and "su-l", this is about the target users. Hence; su - to user winfried is allowed since su and su-l are added to the hbac service list of this user. This looks a b

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
Hi all, The problem is clear, there is a misunderstanding of the service "su" and "su-l", this is about the target users. Hence; su - to user winfried is allowed since su and su-l are added to the hbac service list of this user. This looks a bit strange from the ui perspective, all other HB

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Jakub Hrozek
On Tue, Nov 24, 2015 at 12:58:42PM +0100, Winfried de Heiden wrote: > Hi all, > > [winfried@ipa ~]$ ipa hbacrule-show allow_all > Rule name: allow_all > User category: all > Host category: all > Service category: all > Description: Allow all users to access any host from any host > Ena

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Jakub Hrozek
On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote: >Hi all, > >Running as an ordinary user, straight from the beginning. > >Is the (default) suid of /usr/bin/su causing this? > >Anyway: the info requested: > >/var/log/secure will tell: >Nov 24 11:04:1

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
Hi all, Running as an ordinary user, straight from the beginning. Is the (default) suid of /usr/bin/su causing this? Anyway: the info requested: /var/log/secure will tell: Nov 24 11:04:11 fedora23-server su: pam_systemd(su:sessio

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Jakub Hrozek
On Tue, Nov 24, 2015 at 10:25:11AM +0100, Winfried de Heiden wrote: >Hi all, > >sss_debuglevel 6; in /var/log/sss/sssd_pam.log > >Running as "testuser" crond is denied; perfect since it is not listed in >the HBAC services. > >[testuser@fedora23-server ~]$ crontab -l >You

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
Hi all, sss_debuglevel 6; in /var/log/sss/sssd_pam.log Running as "testuser" crond is denied; perfect since it is not listed in the HBAC services. [testuser@fedora23-server ~]$ crontab -l You (testuser) are not allowed to access t

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Sumit Bose
On Mon, Nov 23, 2015 at 05:16:26PM +0100, Jakub Hrozek wrote: > On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: > >Hi all, > > > >I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 > > > ># ipa hbacrule-show testuser > > Rule name: testuser > >

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Jakub Hrozek
On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: >Hi all, > >I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 > ># ipa hbacrule-show testuser >  Rule name: testuser >  Enabled: TRUE >  Users: testuser >  Hosts: fedora23-server.blabla.bla

[Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Winfried de Heiden
Hi all, I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 # ipa hbacrule-show testuser   Rule name: testuser   Enabled: TRUE   Users: testuser   Hosts: fedora23-server.blabla.bla   Services: sshd Hence, " te

Re: [Freeipa-users] HBAC

2015-10-01 Thread TomK
On 10/1/2015 12:04 PM, Simo Sorce wrote: On 30/09/15 21:22, TomK wrote: On 9/30/2015 8:12 AM, Martin Kosek wrote: On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: On Tue, 29 Sep 2015, TomK wrote: Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users mai

Re: [Freeipa-users] HBAC

2015-10-01 Thread Simo Sorce
On 30/09/15 21:22, TomK wrote: On 9/30/2015 8:12 AM, Martin Kosek wrote: On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: On Tue, 29 Sep 2015, TomK wrote: Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users mailing list so not sure if the other message w

Re: [Freeipa-users] HBAC

2015-09-30 Thread TomK
On 9/30/2015 8:12 AM, Martin Kosek wrote: On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: On Tue, 29 Sep 2015, TomK wrote: Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users mailing list so not sure if the other message will get posted.) Before I post

Re: [Freeipa-users] HBAC

2015-09-30 Thread Martin Kosek
On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: > On Tue, 29 Sep 2015, TomK wrote: >> Hey Guys, >> >> (Sending this again as I didn't have this email included in the freeipa-users >> mailing list so not sure if the other message will get posted.) >> >> Before I post a ticket to RH Support for an

Re: [Freeipa-users] HBAC

2015-09-29 Thread Alexander Bokovoy
On Tue, 29 Sep 2015, TomK wrote: Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users mailing list so not sure if the other message will get posted.) Before I post a ticket to RH Support for an RFE, I'll post the request here to get some feedback on optio

[Freeipa-users] HBAC

2015-09-29 Thread TomK
Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users mailing list so not sure if the other message will get posted.) Before I post a ticket to RH Support for an RFE, I'll post the request here to get some feedback on options and what ideas folks have. I'v

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
-users Sent: Saturday, August 15, 2015 10:46 AM Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file. On

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
if I can.   From: Jakub Hrozek To: Martin Kosek Cc: Freeipa-users Sent: Wednesday, August 19, 2015 12:23 AM Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote: > On 08/15/2015 07:05 PM, Natxo Ase

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread Jakub Hrozek
On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote: > On 08/15/2015 07:05 PM, Natxo Asenjo wrote: > > > > > >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden >> wrote: > > > >sipazzo wrote: > > > > > >and my users are able to authenticate to the dir

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-18 Thread Martin Kosek
On 08/15/2015 07:05 PM, Natxo Asenjo wrote: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user whether given access or

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-17 Thread sipazzo
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file. On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo wrote

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Bob
For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file. On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo wrote: > > > On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden > wrote: > >> sipazz

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Natxo Asenjo
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote: > sipazzo wrote: > >> >> and my users are able to authenticate to the directory but the hbac >> rules are not being applied. Any user whether given access or not can >> login to the Solaris systems. The "allow-all" rule has been disabled, my
