Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-13 Thread Vangass
OK. I understand.
Thank You for an answer.


2015-05-12 9:39 GMT+02:00 Jan Pazdziora jpazdzi...@redhat.com:

 On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:
  OK. But the answer granted/declined comes from IPA. So why IPA doesn't
  check its own HBAC rules at all?
  Maybe the line 'account  required  pam_sss.so' isn't
  necessary/required. I just want to do authentication by IPA HBAC rules.

 Note that you can have setups when you don't authenticate via PAM
 at all (for example when using Kerberos) yet you do authorization
 (access control) using PAM. Authentication is not the correct place to
 process HBAC rules.

 In your case, nobody is arguing that the password used was correct --
 authentication passed, the identity of the client was validated. The
 application (tacacs) is supposed to do additional step, now that it
 knows what user is attempting to log in -- verify authorization, fact
 that the known user should be allowed in, with pam_acct_mgmt.

 That's the why.

 You could in theory force it to work by writing a wrapper PAM module
 which would call both pam_sss's pam_sm_authenticate *and*
 pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be
 a hack, possibly with unexpected side effects.

 --
 Jan Pazdziora
 Senior Principal Software Engineer, Identity Management Engineering, Red
 Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-12 Thread Jan Pazdziora
On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote:
 OK. But the answer granted/declined comes from IPA. So why IPA doesn't
 check its own HBAC rules at all?
 Maybe the line 'account  required  pam_sss.so' isn't
 necessary/required. I just want to do authentication by IPA HBAC rules.

Note that you can have setups when you don't authenticate via PAM
at all (for example when using Kerberos) yet you do authorization
(access control) using PAM. Authentication is not the correct place to
process HBAC rules.

In your case, nobody is arguing that the password used was correct --
authentication passed, the identity of the client was validated. The
application (tacacs) is supposed to do additional step, now that it
knows what user is attempting to log in -- verify authorization, fact
that the known user should be allowed in, with pam_acct_mgmt.

That's the why.

You could in theory force it to work by writing a wrapper PAM module
which would call both pam_sss's pam_sm_authenticate *and*
pam_sm_acct_mgmt for its pam_sm_authenticate call. But it would be
a hack, possibly with unexpected side effects.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Vangass
Hi,

I try to access Cisco switch via ssh. Cisco has tacacs login configured.

# tail /var/log/secure
May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost=
user=bartosz
May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost=
user=test

User bartosz is added in HBAC rule as Specified Users and Groups.
User test exist in FreeIPA but isn't in HBAC rule and shouldn't be
autheniticated.

# cat /etc/sssd/sssd.conf
[domain/test.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = test.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = freeipa.test.example.com
chpass_provider = ipa
ipa_server = freeipa.test.example.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = test.example.com

[nss]
homedir_substring = /home

[pam]
debug_level = 6
domains = test.example.com

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


#cat /var/log/sssd/sssd_pam.log
(Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client
connected to privileged pipe!
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Received client version [3].
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Offered version [3].
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'test' matched without domain, user is test
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
tac_plus
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not
set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
29218
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
name: test
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x7f4f20215ed0:3:t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400):
Creating request for [test.example.com][3][1][name=test]
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x7f4f20215ed0:3:t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400):
Returning info for user [t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
test.example.com
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
tac_plus
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not
set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
29218
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
name: test
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x7f4f20215ed0:3:t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [0][test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [0].
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [0].
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): 

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 01:19:01PM +0200, Vangass wrote:
 Hello,
 
 I have a problem with HBAC rules with conjunction with PAM authentication.
 What I try to do is to authenticate users: tac_plus - PAM (pam_sssd) -
 FreeIPA.
 It works just fine but without checking HBAC rules.
 What I did:
 - disabled allow_all rule
 - created new rule with one user and one service (tac_plus)
 And then, if I try to authenticate another user which is not in above rule
 then authetication is accepted and this user gets logged in.
 In logs, what I didn't find is an information about checking HBAC rules...
 Of course, when I use HBAC Test then everything is correct - one user is
 granted and another is declined.
 
 # cat /etc/pam.d/tac_plus
 auth required  pam_sss.so
 account  required  pam_sss.so

If hbactest passes, then we need to see the logs, /var/log/secure and
SSSD logs. Also the sssd.conf, please.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Jan Pazdziora
On Mon, May 11, 2015 at 01:57:38PM +0200, Jakub Hrozek wrote:
 On Mon, May 11, 2015 at 01:19:01PM +0200, Vangass wrote:
  Hello,
  
  I have a problem with HBAC rules with conjunction with PAM authentication.
  What I try to do is to authenticate users: tac_plus - PAM (pam_sssd) -
  FreeIPA.
  It works just fine but without checking HBAC rules.
  What I did:
  - disabled allow_all rule
  - created new rule with one user and one service (tac_plus)
  And then, if I try to authenticate another user which is not in above rule
  then authetication is accepted and this user gets logged in.
  In logs, what I didn't find is an information about checking HBAC rules...
  Of course, when I use HBAC Test then everything is correct - one user is
  granted and another is declined.
  
  # cat /etc/pam.d/tac_plus
  auth required  pam_sss.so
  account  required  pam_sss.so
 
 If hbactest passes, then we need to see the logs, /var/log/secure and
 SSSD logs. Also the sssd.conf, please.

Also, how did you configure that tac_plus PAM service should be used?
How do you try to access the machine / service?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Vangass
Hello,

I have a problem with HBAC rules with conjunction with PAM authentication.
What I try to do is to authenticate users: tac_plus - PAM (pam_sssd) -
FreeIPA.
It works just fine but without checking HBAC rules.
What I did:
- disabled allow_all rule
- created new rule with one user and one service (tac_plus)
And then, if I try to authenticate another user which is not in above rule
then authetication is accepted and this user gets logged in.
In logs, what I didn't find is an information about checking HBAC rules...
Of course, when I use HBAC Test then everything is correct - one user is
granted and another is declined.

# cat /etc/pam.d/tac_plus
auth required  pam_sss.so
account  required  pam_sss.so


Did I miss something?
Thanks,
Bartek Witkowski
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote:
 On (11/05/15 14:57), Vangass wrote:
 Hi,
 
 I try to access Cisco switch via ssh. Cisco has tacacs login configured.
 
 # tail /var/log/secure
 May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
 authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost=
 user=bartosz
 May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
 authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost=
 user=test
 
 User bartosz is added in HBAC rule as Specified Users and Groups.
 User test exist in FreeIPA but isn't in HBAC rule and shouldn't be
 autheniticated.
 
 # cat /etc/sssd/sssd.conf
 [domain/test.example.com]
 debug_level = 6
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = test.example.com
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ipa_hostname = freeipa.test.example.com
 chpass_provider = ipa
 ipa_server = freeipa.test.example.com
 ipa_server_mode = True
 ldap_tls_cacert = /etc/ipa/ca.crt
 
 [sssd]
 services = nss, sudo, pam, ssh
 config_file_version = 2
 domains = test.example.com
 
 [nss]
 homedir_substring = /home
 
 [pam]
 debug_level = 6
 domains = test.example.com
 
 [sudo]
 
 [autofs]
 
 [ssh]
 
 [pac]
 
 [ifp]
 
 
 #cat /var/log/sssd/sssd_pam.log
 (Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client
 connected to privileged pipe!
 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
 Received client version [3].
 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
 Offered version [3].
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
 entering pam_cmd_authenticate
 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains]
 (0x0200): name 'test' matched without domain, user is test
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
 PAM_AUTHENTICATE
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
 not set
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
 tac_plus
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not
 set
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
 not set
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
 not set
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
 type: 1
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 newauthtok type: 0
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
 29218
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
 name: test
 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400):
 Issuing request for [0x7f4f20215ed0:3:t...@test.example.com]
 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400):
 Creating request for [test.example.com][3][1][name=test]
 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400):
 Entering request [0x7f4f20215ed0:3:t...@test.example.com]
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100):
 Requesting info for [t...@test.example.com]
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400):
 Returning info for user [t...@test.example.com]
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
 request with the following data:
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
 PAM_AUTHENTICATE
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
 test.example.com
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
 tac_plus
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not
 set
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
 not set
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
 not set
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
 type: 1
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 newauthtok type: 0
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
 29218
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
 name: test
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
 pam_dp_send_req returned 0
 (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
 Deleting request: [0x7f4f20215ed0:3:t...@test.example.com]
 (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100):
 received: [0][test.example.com]
 (Mon May 11 14:40:28 

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Lukas Slebodnik
On (11/05/15 14:57), Vangass wrote:
Hi,

I try to access Cisco switch via ssh. Cisco has tacacs login configured.

# tail /var/log/secure
May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost=
user=bartosz
May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost=
user=test

User bartosz is added in HBAC rule as Specified Users and Groups.
User test exist in FreeIPA but isn't in HBAC rule and shouldn't be
autheniticated.

# cat /etc/sssd/sssd.conf
[domain/test.example.com]
debug_level = 6
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = test.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = freeipa.test.example.com
chpass_provider = ipa
ipa_server = freeipa.test.example.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = test.example.com

[nss]
homedir_substring = /home

[pam]
debug_level = 6
domains = test.example.com

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


#cat /var/log/sssd/sssd_pam.log
(Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client
connected to privileged pipe!
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Received client version [3].
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Offered version [3].
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'test' matched without domain, user is test
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
tac_plus
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not
set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
29218
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
name: test
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x7f4f20215ed0:3:t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400):
Creating request for [test.example.com][3][1][name=test]
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x7f4f20215ed0:3:t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400):
Returning info for user [t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
PAM_AUTHENTICATE
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
test.example.com
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
tac_plus
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not
set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
29218
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
name: test
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x7f4f20215ed0:3:t...@test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [0][test.example.com]
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [0].
(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [0].
(Mon May 11 14:40:28 

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 05:15:31PM +0200, Sumit Bose wrote:
 On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote:
  On (11/05/15 14:57), Vangass wrote:
  Hi,
  
  I try to access Cisco switch via ssh. Cisco has tacacs login configured.
  
  # tail /var/log/secure
  May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
  authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost=
  user=bartosz
  May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
  authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost=
  user=test
  
  User bartosz is added in HBAC rule as Specified Users and Groups.
  User test exist in FreeIPA but isn't in HBAC rule and shouldn't be
  autheniticated.
  
  # cat /etc/sssd/sssd.conf
  [domain/test.example.com]
  debug_level = 6
  cache_credentials = True
  krb5_store_password_if_offline = True
  ipa_domain = test.example.com
  id_provider = ipa
  auth_provider = ipa
  access_provider = ipa
  ipa_hostname = freeipa.test.example.com
  chpass_provider = ipa
  ipa_server = freeipa.test.example.com
  ipa_server_mode = True
  ldap_tls_cacert = /etc/ipa/ca.crt
  
  [sssd]
  services = nss, sudo, pam, ssh
  config_file_version = 2
  domains = test.example.com
  
  [nss]
  homedir_substring = /home
  
  [pam]
  debug_level = 6
  domains = test.example.com
  
  [sudo]
  
  [autofs]
  
  [ssh]
  
  [pac]
  
  [ifp]
  
  
  #cat /var/log/sssd/sssd_pam.log
  (Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client
  connected to privileged pipe!
  (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
  Received client version [3].
  (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
  Offered version [3].
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
  entering pam_cmd_authenticate
  (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains]
  (0x0200): name 'test' matched without domain, user is test
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
  PAM_AUTHENTICATE
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
  not set
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: 
  test
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
  tac_plus
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not
  set
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
  not set
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
  not set
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
  type: 1
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
  newauthtok type: 0
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
  29218
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
  name: test
  (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400):
  Issuing request for [0x7f4f20215ed0:3:t...@test.example.com]
  (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400):
  Creating request for [test.example.com][3][1][name=test]
  (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400):
  Entering request [0x7f4f20215ed0:3:t...@test.example.com]
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100):
  Requesting info for [t...@test.example.com]
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400):
  Returning info for user [t...@test.example.com]
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
  request with the following data:
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command:
  PAM_AUTHENTICATE
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
  test.example.com
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: 
  test
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
  tac_plus
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not
  set
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
  not set
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
  not set
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
  type: 1
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
  newauthtok type: 0
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
  29218
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
  name: test
  (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
  pam_dp_send_req returned 0
  (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor] 

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Vangass
OK. But the answer granted/declined comes from IPA. So why IPA doesn't
check its own HBAC rules at all?
Maybe the line 'account  required  pam_sss.so' isn't
necessary/required. I just want to do authentication by IPA HBAC rules.

Thanks,
Bartek.

2015-05-11 17:22 GMT+02:00 Sumit Bose sb...@redhat.com:

 On Mon, May 11, 2015 at 05:15:31PM +0200, Sumit Bose wrote:
  On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote:
   On (11/05/15 14:57), Vangass wrote:
   Hi,
   
   I try to access Cisco switch via ssh. Cisco has tacacs login
 configured.
   
   # tail /var/log/secure
   May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
   authentication success; logname=bartosz uid=0 euid=0 tty= ruser=
 rhost=
   user=bartosz
   May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth):
   authentication success; logname=bartosz uid=0 euid=0 tty= ruser=
 rhost=
   user=test
   
   User bartosz is added in HBAC rule as Specified Users and Groups.
   User test exist in FreeIPA but isn't in HBAC rule and shouldn't be
   autheniticated.
   
   # cat /etc/sssd/sssd.conf
   [domain/test.example.com]
   debug_level = 6
   cache_credentials = True
   krb5_store_password_if_offline = True
   ipa_domain = test.example.com
   id_provider = ipa
   auth_provider = ipa
   access_provider = ipa
   ipa_hostname = freeipa.test.example.com
   chpass_provider = ipa
   ipa_server = freeipa.test.example.com
   ipa_server_mode = True
   ldap_tls_cacert = /etc/ipa/ca.crt
   
   [sssd]
   services = nss, sudo, pam, ssh
   config_file_version = 2
   domains = test.example.com
   
   [nss]
   homedir_substring = /home
   
   [pam]
   debug_level = 6
   domains = test.example.com
   
   [sudo]
   
   [autofs]
   
   [ssh]
   
   [pac]
   
   [ifp]
   
   
   #cat /var/log/sssd/sssd_pam.log
   (Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400):
 Client
   connected to privileged pipe!
   (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
   Received client version [3].
   (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200):
   Offered version [3].
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate]
 (0x0100):
   entering pam_cmd_authenticate
   (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains]
   (0x0200): name 'test' matched without domain, user is test
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 command:
   PAM_AUTHENTICATE
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 domain:
   not set
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 user: test
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 service:
   tac_plus
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 tty: not
   set
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 ruser:
   not set
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 rhost:
   not set
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 authtok
   type: 1
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
   newauthtok type: 0
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 priv: 1
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 cli_pid:
   29218
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 logon
   name: test
   (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request]
 (0x0400):
   Issuing request for [0x7f4f20215ed0:3:t...@test.example.com]
   (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg]
 (0x0400):
   Creating request for [test.example.com][3][1][name=test]
   (Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send]
 (0x0400):
   Entering request [0x7f4f20215ed0:3:t...@test.example.com]
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search]
 (0x0100):
   Requesting info for [t...@test.example.com]
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search]
 (0x0400):
   Returning info for user [t...@test.example.com]
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100):
 Sending
   request with the following data:
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 command:
   PAM_AUTHENTICATE
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 domain:
   test.example.com
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 user: test
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 service:
   tac_plus
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 tty: not
   set
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 ruser:
   not set
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 rhost:
   not set
   (Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100):
 authtok
   type: 1
   (Mon May 11 14:40:28 2015) [sssd[pam]] 

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Alexander Bokovoy

On Mon, 11 May 2015, Vangass wrote:

OK. But the answer granted/declined comes from IPA. So why IPA doesn't
check its own HBAC rules at all?
Maybe the line 'account  required  pam_sss.so' isn't
necessary/required. I just want to do authentication by IPA HBAC rules.

Authentication and account management stages are different in PAM. When
authentication is performed, it is separate step. When account
management is performed, it is a separate step as well.

HBAC rules are checked at account management stage because this is where
all such checks are done traditionally in PAM. If you read
documentation[1], it states:
===
The pam_acct_mgmt function is used to determine if the users account is
valid. It checks for authentication token and account expiration and
verifies access restrictions. It is typically called after the user has
been authenticated.
===

If application doesn't call into pam_acct_mgmt, it is not using PAM
stack separation of duties properly.

[1] http://linux.die.net/man/3/pam_acct_mgmt

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project