[Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Steven Jones
I have put 3 clients into a netgroup and added a user, however when I remove 
the user from the netgroup the user can still log in! Even if the user wasn't 
ever in the netgroup they can log in.

So how do I stop that?

When will we see some documentation on doing user admin tasks like this?

regards

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread JR Aquino

On Jun 13, 2011, at 4:43 PM, Steven Jones wrote:

 I have put 3 clients into a netgroup and added a user, however when I remove 
 the user from the netgroup the user can still log in! Even if the user wasn't 
 ever in the netgroup they can log in.
 
 So how do I stop that?
 
 When will we see some documentation on doing user admin tasks like this?

Have a look at this:

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies



Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Steven Jones
Hi,

I've seen/read it, and I have a hard copy on my desk in front of me right 
now.

I find it typical of such documents: it has lots of sections in great detail, 
but it doesn't tell you how to achieve anything end to end, and often it 
gives you written instructions on visual tasks, so if you are not in the right 
bit of the GUI you go nowhere. So it needs far more screenshots and 
wizards.

regards



Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread JR Aquino
1) Create an HBAC Rule or rules: choose allow or deny
2) add users/usergroups to the rule
3) add hosts/hostgroups to the rule
4) disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules.

For systems that do not support sssd, I have been working on a proof of concept 
authorization module for HBAC written in python.

-JR



Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Steven Jones
Hmm,

So what's the default rule? Can I set precedence? Is there any?

Example.

So I've disabled the allow_all rule, I made a deny_all rule and then a rule to 
allow specific user groups to log in to specific hostgroups/servers... that 
didn't work...

So I disabled the deny_all rule and users in the specific group can log in to 
the specific server, and if I remove them from the user group they cannot 
log in, so OK, good, BUT the trouble is a second user that is in no groups at all 
can also log in to the servers, which shouldn't occur... or at least I don't want 
that to occur... so something is set incorrectly.

Is there a way to suck out the HBAC rules or whatever info for the user at 
the command line? I certainly can't find why that second user can log in; it 
should not be able to, but it can.

regards





Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Rob Crittenden

Steven Jones wrote:

 Hmm,
 
 So what's the default rule? Can I set precedence? Is there any?


The default rule is deny.


 Example.
 
 So I've disabled the allow_all rule, I made a deny_all rule and then a rule to 
 allow specific user groups to log in to specific hostgroups/servers... that 
 didn't work...
 
 So I disabled the deny_all rule and users in the specific group can log in to 
 the specific server, and if I remove them from the user group they cannot 
 log in, so OK, good, BUT the trouble is a second user that is in no groups at all 
 can also log in to the servers, which shouldn't occur... or at least I don't want 
 that to occur... so something is set incorrectly.
 
 Is there a way to suck out the HBAC rules or whatever info for the user at 
 the command line? I certainly can't find why that second user can log in; it 
 should not be able to, but it can.
 
 regards


It is currently very easy to create bad HBAC rules. The only real way to 
test them is to crank up the debug level in sssd and watch the logs.


We and the sssd team are in the process of writing a utility where you 
can simulate a rule execution and get feedback on how the rule will work 
(or if pieces are missing).


rob
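To make the evaluation order Rob and Simo describe concrete, here is a small added model written for this thread (example code, not SSSD's implementation and not the simulation utility Rob mentions) that evaluates constructed rules against the poster's scenario. Rule, group, hostgroup, host and user names are invented, and "a matching deny rule beats any allow rule" is an assumption drawn from the poster's report that deny_all plus an allow rule locked everyone out.

```python
# Toy model of FreeIPA HBAC evaluation, written for this thread as an
# illustration; it is neither SSSD's code nor the test utility Rob mentions.
# Assumed semantics: disabled rules are ignored; a matching enabled deny rule
# beats any allow rule; otherwise access needs a matching enabled allow rule;
# with no match at all the answer is deny (the default Rob and Simo describe).
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    kind: str = "allow"                # "allow" or "deny"
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    all_users: bool = False            # usercategory=all
    all_hosts: bool = False            # hostcategory=all

    def matches(self, user, user_groups, host, host_groups):
        user_ok = self.all_users or user in self.users or bool(self.groups & user_groups)
        host_ok = self.all_hosts or host in self.hosts or bool(self.hostgroups & host_groups)
        return self.enabled and user_ok and host_ok


def hbac_decision(rules, user, user_groups, host, host_groups):
    """Return (decision, names of enabled rules that matched)."""
    hits = [r for r in rules if r.matches(user, set(user_groups), host, set(host_groups))]
    denied = any(r.kind == "deny" for r in hits)
    return ("deny" if denied or not hits else "allow"), [r.name for r in hits]


# Constructed rule set mirroring the thread: the built-in allow_all, the deny_all
# the poster created, and one rule admitting group "dbadmins" to hostgroup "dbservers".
def build_rules(allow_all_enabled, deny_all_enabled):
    return [
        Rule("allow_all", enabled=allow_all_enabled, all_users=True, all_hosts=True),
        Rule("deny_all", kind="deny", enabled=deny_all_enabled, all_users=True, all_hosts=True),
        Rule("dbadmins_on_dbservers", groups={"dbadmins"}, hostgroups={"dbservers"}),
    ]


def scenario(allow_all_enabled, deny_all_enabled, user, user_groups):
    rules = build_rules(allow_all_enabled, deny_all_enabled)
    return hbac_decision(rules, user, user_groups, "db1.example.test", {"dbservers"})[0]


if __name__ == "__main__":
    print(scenario(False, True, "alice", {"dbadmins"}))   # deny: deny_all beats the allow rule
    print(scenario(False, False, "alice", {"dbadmins"}))  # allow: group member, allow rules only
    print(scenario(False, False, "bob", set()))           # deny: no rule matches bob
    print(scenario(True, False, "bob", set()))            # allow: allow_all still enabled admits everyone
```

The last case is one configuration that reproduces the symptom in the thread (a user in no group still logging in): as long as allow_all, or any rule with usercategory=all, is enabled for that host, the group rule is irrelevant.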



Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Simo Sorce
Just to add on the advice, not to detract,

On Tue, 2011-06-14 at 01:10 +, JR Aquino wrote:
 1) Create an HBAC Rule or rules: choose allow or deny

Do yourself a favor and never use deny rules, they are there if you
*really* need them, but you do not want to use them if you can avoid
them :)

 2) add users/usergroups to the rule
 3) add hosts/hostgroups to the rule
 4) disable the default 'allow all' rule

Remember that by default if a user isn't explicitly allowed the behavior
of HBAC is to deny (that's why we have a default allow_all rule)

 Now any system that has SSSD 1.5 will enforce those HBAC rules.

And if it doesn't we really want to know as it is going to be a security
issue.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
