Re: [Freeipa-users] Active Directory users are not controlled by HBAC
On Wed, Jan 27, 2016 at 06:53:43PM, Birnbaum, Warren (ETW) wrote:
> I started this post with a simple question: "is it possible to have HBAC
> work with AD authenticated users". I was not able from the tips provided
> to get any further with this.
>
> What I have not been able to have addressed is, if there are no HBAC
> rules, there should be no access, or if there is no Allow_Access rule, no
> one should be able to log in to any system. Currently with this said
> configuration, everyone has access to every system. My pam stack is
> exactly as recommended. Is there someone who has FreeIPA with active
> directory authenticated users and HBAC working? I don't have trust
> defined with AD but authentication is working fine.

The HBAC checks are done by SSSD. If there are issues SSSD logs would help
to identify the reason. Please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details. With
respect to HBAC the sssd_pam.log and sssd_your.domain.log are the most
important. Setting debug_level=10 in the [pam] and [domain/...] sections of
sssd.conf should produce the most details.

Feel free to send the logs to me directly if you think they may disclose
too many details of your environment on a public mailing-list.

HTH

bye,
Sumit

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
On Wed, 27 Jan 2016, Birnbaum, Warren (ETW) wrote:
> I started this post with a simple question: "is it possible to have HBAC
> work with AD authenticated users". I was not able from the tips provided
> to get any further with this.

Have you tried to read actual documentation? From your attempts it looks
like you never read
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#idp1105760

> What I have not been able to have addressed is, if there are no HBAC
> rules, there should be no access, or if there is no Allow_Access rule, no
> one should be able to log in to any system. Currently with this said
> configuration, everyone has access to every system. My pam stack is
> exactly as recommended. Is there someone who has FreeIPA with active
> directory authenticated users and HBAC working? I don't have trust
> defined with AD but authentication is working fine.

Please use official documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-groups

--
/ Alexander Bokovoy
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
I started this post with a simple question: "is it possible to have HBAC
work with AD authenticated users". I was not able from the tips provided
to get any further with this.

What I have not been able to have addressed is, if there are no HBAC
rules, there should be no access, or if there is no Allow_Access rule, no
one should be able to log in to any system. Currently with this said
configuration, everyone has access to every system. My pam stack is
exactly as recommended. Is there someone who has FreeIPA with active
directory authenticated users and HBAC working? I don't have trust
defined with AD but authentication is working fine.

From the following link:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-groups.html
It says in the second paragraph:

"However, Active Directory users cannot be added directly to FreeIPA user
groups. This means that Active Directory users require special
configuration in order to access FreeIPA domain resources."

There is then a procedure given to create user groups that work with HBAC.
I don't see how this would help me since adding a user to a group could
only be used to further allow access to systems, but all users already
have total access to all systems.

Thanks for your help!

Warren
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
> OK. I have done this and am using the pam stack that is the result of
> what you describe here.
>
> A few threads back you mentioned that this could be a reason why my HBAC
> rules are not restricting access. I have no HBAC rules currently and any
> active directory user can access any host. Is there something else I could
> look at to see why this is happening?

https://fedorahosted.org/sssd/wiki/Troubleshooting is your friend.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
OK. I have done this and am using the pam stack that is the result of
what you describe here.

A few threads back you mentioned that this could be a reason why my HBAC
rules are not restricting access. I have no HBAC rules currently and any
active directory user can access any host. Is there something else I could
look at to see why this is happening?

Thanks.
___
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
> Thanks Alexander. Is there a place where there are example pam stacks
> that work with active directory and hbac?

Defaults in RHEL/Fedora should be enough:
 - install RHEL/Fedora,
 - apply ipa-client-install,

then you get proper setup. That's what is tested and supported.

ipa-client-install would run the authconfig utility with correct parameters
to set the PAM stack properly.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
My system-auth-ac file looks like:

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_access.so
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_pwquality.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session    optional      pam_systemd.so
    session     optional      pam_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so
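To see which module of that account stack actually decides for a given user, here is an added example (not from the thread and not Linux-PAM's code) that models Linux-PAM's control-flag handling over the account lines above; each module's return value is a constructed input rather than something computed from a live system.

```python
# Model of Linux-PAM control-flag handling for the "account" phase of the
# system-auth-ac stack posted above. Added example, not Linux-PAM code.
# Per-module return values are constructed inputs; on a real host the modules
# compute them (pam_sss returns the SSSD/HBAC decision).

ACCOUNT_STACK = [
    ("required",   "pam_access.so"),
    ("required",   "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),   # uid < 1000 quiet
    ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
    ("required",   "pam_permit.so"),
]

def parse_control(control):
    """Expand the keyword controls into the action table Linux-PAM uses."""
    keywords = {
        "required":   {"success": "ok",   "default": "bad"},
        "requisite":  {"success": "ok",   "default": "die"},
        "sufficient": {"success": "done", "default": "ignore"},
        "optional":   {"success": "ok",   "default": "ignore"},
    }
    if control in keywords:
        return keywords[control]
    return dict(tok.split("=", 1) for tok in control.strip("[]").split())

def run_account_stack(stack, results):
    """Return (allowed, deciding_module) given each module's return value."""
    failed = None                     # first sticky failure, if any
    for control, module in stack:
        rv = results[module]          # "success", "perm_denied", "auth_err", ...
        actions = parse_control(control)
        action = actions.get(rv, actions.get("default", "bad"))
        if action in ("bad", "die"):
            failed = failed or module
            if action == "die":
                return False, failed
        elif action == "done":
            # "done" ends the stack but cannot override an earlier failure
            return failed is None, failed or module
        # "ok" and "ignore" continue with the next module
    return failed is None, failed or "end of stack"

def decide(user_kind, hbac):
    """Constructed module results for a local (uid < 1000) or an AD user."""
    local = user_kind == "local"
    results = {
        "pam_access.so":     "success",
        "pam_unix.so":       "success",
        "pam_localuser.so":  "success" if local else "perm_denied",
        "pam_succeed_if.so": "success" if local else "auth_err",
        "pam_sss.so":        "success" if hbac == "allow" else "perm_denied",
        "pam_permit.so":     "success",
    }
    return run_account_stack(ACCOUNT_STACK, results)

def with_control(stack, module, control):
    """Same stack with one module's control changed (to try a weaker setting)."""
    return [(control if m == module else c, m) for c, m in stack]
```

With the posted stack a local user is admitted by pam_localuser before pam_sss is reached, while an AD user's fate rests on pam_sss alone; changing pam_sss to `optional` in the model (with_control) lets an HBAC denial fall through to pam_permit, which is the kind of stack difference Alexander's reply tells you to look for.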
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
Thanks Alexander. Is there a place where there are example pam stacks
that work with active directory and hbac?
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
> Thanks for your reply. I understand what you are saying but don't see how
> this would work because Allow_All is my current situation (even with this
> rule disabled). My understanding is you can't restrict through a rule,
> only limit. Am I missing something?

Yes.

First, lack of an HBAC rule that allows access to a service means pam_sss
will deny access to this service. HBAC rules only give you the means to
_allow_ access, not to limit it, as when no rules are in place,
everything is disallowed. The 'allow_all' HBAC rule is provided exactly to
allow starting with a fresh working ground -- you would then remove the
'allow_all' rule after creating specific allow rules.

Second, while pam_sss evaluates HBAC rules, it is only one module in a
PAM stack. There might be other PAM modules that could make their own
decisions to allow access to a specific service. You need to see what is
in your configuration.

On RHEL and Fedora we configure the PAM stack in such a way that apart from
root and the wheel group the rest is managed by SSSD via pam_sss. If your
configuration is different, it is up to you to ensure everything is
tightened up.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
Thanks for your reply. I understand what you are saying but don't see how
this would work because Allow_All is my current situation (even with this
rule disabled). My understanding is you can't restrict through a rule,
only limit. Am I missing something?
Re: [Freeipa-users] Active Directory users are not controlled by HBAC
On Fri, Jan 22, 2016 at 09:27:40AM, Birnbaum, Warren (ETW) wrote:
> Hi.
>
> I have been successful using FreeIPA 4.1 configuring active directory users
> and with sudo. The problem I am having is that the HBAC rules are not
> applying to my active directory users. They have access to all systems even
> if I disable my Allow_ALL rule. Is there something special I should be doing
> to the domain?

Normally HBAC for AD users should be done through an external group you
add the AD users or groups to, then add the external group to a regular
IPA group and reference this IPA group from HBAC rules.

There have been bugs related to external group resolution, so please
update to the latest IPA and SSSD packages also.
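Jakub's external-group recipe here and Alexander's point above that HBAC rules only ever allow can be seen together in this added model of HBAC evaluation (example code, not FreeIPA's or SSSD's); the group names ad_admins_external and ad_admins, the webservers host group, and the host and user names are constructed.

```python
# Simplified model of FreeIPA HBAC evaluation (the check pam_sss asks SSSD to
# make). Added example, not FreeIPA/SSSD code. Directory data is constructed:
# an external group holding AD members is nested in a POSIX IPA group, which
# is what an HBAC rule can reference.
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_cat_all: bool = False   # usercategory=all
    host_cat_all: bool = False   # hostcategory=all
    svc_cat_all: bool = False    # servicecategory=all
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)

# group -> direct members; a member may itself be a group (nesting)
GROUPS = {
    "ad_admins_external": {"warren@AD.EXAMPLE"},  # external group (AD members)
    "ad_admins": {"ad_admins_external"},          # POSIX IPA group
}
HOSTGROUPS = {"webservers": {"web1.ipa.example", "web2.ipa.example"}}

def user_groups(user, groups=GROUPS):
    # transitive closure: AD user -> external group -> IPA group -> ...
    found, todo = set(), [user]
    while todo:
        member = todo.pop()
        for grp, members in groups.items():
            if member in members and grp not in found:
                found.add(grp)
                todo.append(grp)
    return found

def rule_matches(rule, user, host, service):
    if not rule.enabled:
        return False
    user_ok = rule.user_cat_all or user in rule.users or bool(rule.groups & user_groups(user))
    host_ok = rule.host_cat_all or host in rule.hosts or any(
        host in HOSTGROUPS.get(hg, set()) for hg in rule.hostgroups)
    svc_ok = rule.svc_cat_all or service in rule.services
    return user_ok and host_ok and svc_ok

def hbac_allowed(rules, user, host, service):
    # allow only if some enabled rule matches; no matching rule means deny
    return any(rule_matches(r, user, host, service) for r in rules)

def allow_all(enabled=True):
    return HbacRule("allow_all", enabled, True, True, True)
AD_ADMINS_SSH = HbacRule("ad_admins_ssh_web", groups={"ad_admins"},
                         hostgroups={"webservers"}, services={"sshd"})

def demo(user="warren@AD.EXAMPLE"):
    # outcomes for the situations discussed in the thread
    return {
        "no_rules":           hbac_allowed([], user, "db1.ipa.example", "sshd"),
        "allow_all_enabled":  hbac_allowed([allow_all()], user, "db1.ipa.example", "sshd"),
        "allow_all_disabled": hbac_allowed([allow_all(False)], user, "db1.ipa.example", "sshd"),
        "scoped_web_sshd":    hbac_allowed([AD_ADMINS_SSH], user, "web1.ipa.example", "sshd"),
        "scoped_db_sshd":     hbac_allowed([AD_ADMINS_SSH], user, "db1.ipa.example", "sshd"),
        "scoped_web_ftp":     hbac_allowed([AD_ADMINS_SSH], user, "web1.ipa.example", "ftp"),
    }
```

If SSSD's evaluation says deny (no rules, or allow_all disabled) and the login still succeeds, the grant is coming from somewhere other than HBAC, which is why the PAM stack and the SSSD logs are the next things to inspect.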