Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-17 Thread Jakub Hrozek
On Fri, Mar 17, 2017 at 08:35:42AM +1100, Lachlan Musicman wrote: > Which logs do you want from the server? NSS and domain -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Lachlan Musicman
Which logs do you want from the server? -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 16 March 2017 at 20:09, Jakub Hrozek wrote: > On Thu, Mar 16, 2017 at 07:56:58PM +1100, Lachlan Musicman wrote: > > Yes. What I

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Jakub Hrozek
On Thu, Mar 16, 2017 at 07:56:58PM +1100, Lachlan Musicman wrote: > Yes. What I do would you like? Current debug levels are at 8 Logs and id output from the server and the client at the same time..

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Lachlan Musicman
Yes. What I do would you like? Current debug levels are at 8 L. On 16 Mar. 2017 7:06 pm, "Jakub Hrozek" wrote: > On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote: > > I'm experiencing issues with HBAC and I think it's a bug in sssd. Not > sure > > if better

Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1

2017-03-16 Thread Jakub Hrozek
On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote: > I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure > if better to report to here or sssd mailing list. Also sssd in pagure is > bare and I didn't want to sully the blank slate. ( >

Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Jake
icman" <data...@gmail.com> Cc: "freeipa-users" <freeipa-users@redhat.com> Sent: Tuesday, November 1, 2016 7:04:45 PM Subject: Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2) Jake, I've seen this behaviour and am still struggling to find a solution. The v

Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Lachlan Musicman
Jake, I've seen this behaviour and am still struggling to find a solution. The version of underlying OS and sssd are useful to know fwiw. To troubleshoot HBAC: - in *target machine* sssd.conf, add debug_level=7 to each stanza (can go as high as 9, but I believe 7 will be sufficient) -

Re: [Freeipa-users] HBAC rules stop working

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 07:51:14PM -0600, Orion Poplawski wrote: > server: > ipa-server-4.2.0-15.sl7_2.19.x86_64 > sssd-1.13.0-40.el7_2.12.x86_64 > > client: > sssd-1.14.1-3.el7.centos.x86_64 > > AD trust - users are in AD. HBAC rule in place for client to allow a user > to login/ssh/su/etc. >

Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lachlan Musicman
(redface) It seems to be working. Thanks -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 September 2016 at 09:57, Lachlan Musicman wrote: > We have one "allow all" sudo rule (anyone, any host, any command). > >

Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lachlan Musicman
We have one "allow all" sudo rule (anyone, any host, any command). Matching Defaults entries for root on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG

Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lukas Slebodnik
On (19/09/16 16:43), Lachlan Musicman wrote: >I must have made an error again: > >- ipa hbactest gives seemingly correct answer on both server and client >- user can't actually use sudo on client? > >Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR > >From the server: > >[root@vmdv-linuxidm1

Re: [Freeipa-users] HBAC and AD users

2016-07-20 Thread Lachlan Musicman
Sure - I've got tomorrow off, so it will be Friday morning. cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 July 2016 at 17:14, Jakub Hrozek wrote: > On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan

Re: [Freeipa-users] HBAC and AD users

2016-07-20 Thread Jakub Hrozek
On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote: > On 19 July 2016 at 16:40, Jakub Hrozek wrote: > > > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > > I think the thing that frustrates the most is that id u...@domain.com is > > >

Re: [Freeipa-users] HBAC and AD users

2016-07-19 Thread Lachlan Musicman
On 19 July 2016 at 16:40, Jakub Hrozek wrote: > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > I think the thing that frustrates the most is that id u...@domain.com is > > returning correct data on both but they can't login and I can't even > > show

Re: [Freeipa-users] HBAC and AD users

2016-07-19 Thread Jakub Hrozek
On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > I think the thing that frustrates the most is that id u...@domain.com is > returning correct data on both but they can't login and I can't even > show that this is the case because now they can login. Difficult to > reproduce

Re: [Freeipa-users] HBAC and AD users

2016-07-18 Thread Lachlan Musicman
I think the thing that frustrates the most is that id u...@domain.com is returning correct data on both but they can't login and I can't even show that this is the case because now they can login. Difficult to reproduce :/ -- The most dangerous phrase in the language is, "We've always done

Re: [Freeipa-users] HBAC and AD users

2016-07-18 Thread Lachlan Musicman
Ok, the bad news is that it didn't last. We are still having the same problem - HBAC is rejecting users because not all jobs are being discovered on the host. I turned the debug_level up to 10 as requested, but to be honest, it's impossible to find anything in the logs because it's so verbose -

Re: [Freeipa-users] HBAC and AD users

2016-07-18 Thread Jakub Hrozek
On Mon, Jul 18, 2016 at 09:17:06AM +1000, Lachlan Musicman wrote: > Previously we did have the default_domain_suffix set, but we had to unset > it. I can't remember why we had to - something to do with > ownership/permissions and our filesystem (IBM v7000) not playing nice iirc. > We really wanted

Re: [Freeipa-users] HBAC and AD users

2016-07-17 Thread Lachlan Musicman
Previously we did have the default_domain_suffix set, but we had to unset it. I can't remember why we had to - something to do with ownership/permissions and our filesystem (IBM v7000) not playing nice iirc. We really wanted to use the dds => the researchers are complaining of broken brains due to

Re: [Freeipa-users] HBAC and AD users

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote: > I've updated all the relevant hosts and the FreeIPA server to the COPR sssd > 1.14.0 release and the problem seems to have disappeared. Great, but please keep an eye on the machine, the 1.14 branch is still kind of fresh and we

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
I've updated all the relevant hosts and the FreeIPA server to the COPR sssd 1.14.0 release and the problem seems to have disappeared. Cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 15 July 2016 at 10:09, Lachlan Musicman

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
On 14 July 2016 at 17:44, Sumit Bose wrote: > On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote: > > Ok, I have some logs of sssd 1.13.0 not working. Same values as before: > > > > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 > > > > Installed Packages >

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Sumit Bose
On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote: > Ok, I have some logs of sssd 1.13.0 not working. Same values as before: > > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 > > Installed Packages > Name: ipa-server > Arch: x86_64 > Version : 4.2.0 >

Re: [Freeipa-users] HBAC and AD users

2016-07-13 Thread Lachlan Musicman
Ok, I have some logs of sssd 1.13.0 not working. Same values as before: FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 Installed Packages Name: ipa-server Arch: x86_64 Version : 4.2.0 Release : 15.0.1.el7.centos.17 Size: 5.0 M Repo: installed From

Re: [Freeipa-users] HBAC and AD users

2016-07-12 Thread Sumit Bose
On Tue, Jul 12, 2016 at 09:08:01AM +1000, Lachlan Musicman wrote: > Alex, Sumit, > > Which log levels would you recommend for sssd to help debug this issue? > > We've been using 7, but I just realised that it's not an increasing scale > but bitmasked... It is both 0-9 is increasing scale while

Re: [Freeipa-users] HBAC and AD users

2016-07-11 Thread Lachlan Musicman
Alex, Sumit, Which log levels would you recommend for sssd to help debug this issue? We've been using 7, but I just realised that it's not an increasing scale but bitmasked... cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 11

Re: [Freeipa-users] HBAC and AD users

2016-07-11 Thread Sumit Bose
On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote: > On 11 July 2016 at 16:44, Alexander Bokovoy wrote: > > > On Mon, 11 Jul 2016, Lachlan Musicman wrote: > > > >> Hola, > >> > >> Centos 7, up to date. > >> > >> [root@linuxidm ~]# ipa --version > >> VERSION:

Re: [Freeipa-users] HBAC and AD users

2016-07-11 Thread Lachlan Musicman
On 11 July 2016 at 16:44, Alexander Bokovoy wrote: > On Mon, 11 Jul 2016, Lachlan Musicman wrote: > >> Hola, >> >> Centos 7, up to date. >> >> [root@linuxidm ~]# ipa --version >> VERSION: 4.2.0, API_VERSION: 2.156 >> >> One way trust is successfully established, can login

Re: [Freeipa-users] HBAC and AD users

2016-07-11 Thread Alexander Bokovoy
On Mon, 11 Jul 2016, Lachlan Musicman wrote: Hola, Centos 7, up to date. [root@linuxidm ~]# ipa --version VERSION: 4.2.0, API_VERSION: 2.156 One way trust is successfully established, can login with ssh usern...@domain1.com@server1.domain2.com Am testing to get HBAC to work. I've noticed

Re: [Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Joanna Delaporte
Hi Alexander, Thanks for the link. I read through it again, and I am still stuck on the rpcgss service on the server...I don't know how to properly restart it. The service in the documents is service nfs-secure-server enable (FC16), or rpcsvcgssd.service (RH7), but I cannot enable using those. I

Re: [Freeipa-users] HBAC rules for NFS

2016-07-01 Thread Alexander Bokovoy
On Fri, 01 Jul 2016, Joanna Delaporte wrote: I am having trouble using NFSv4 via krb5 on my new IPA realm, and I am starting to wonder if I don't have HBAC rules set up correctly. I installed freeIPA with --no_hbac_allow. I have an HBAC service defined as an nfs service: $ ipa hbacsvc-add

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-19 Thread Jakub Hrozek
a-users@redhat.com > > Subject: Re: [Freeipa-users] HBAC access denied, all AD groups not detected > > > > On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: > > > Hmmm, I also now see > > > > > > https://fedorahosted.org/sssd/tick

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Simpson Lachlan
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Jakub Hrozek > Sent: Wednesday, 18 May 2016 5:40 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] HBAC access denied, all AD g

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Alexander Bokovoy
On Wed, 18 May 2016, Jakub Hrozek wrote: On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: Hmmm, I also now see https://fedorahosted.org/sssd/ticket/2642 and https://bugzilla.redhat.com/show_bug.cgi?id=1217127 Versions being run: sssd-client-1.13.0-40.el7_2.4.x86_64

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 08:35:14AM +1000, Lachlan Musicman wrote: > Hmmm, I also now see > > https://fedorahosted.org/sssd/ticket/2642 > and > https://bugzilla.redhat.com/show_bug.cgi?id=1217127 > > Versions being run: > > sssd-client-1.13.0-40.el7_2.4.x86_64 > sssd-ad-1.13.0-40.el7_2.4.x86_64

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 09:46:49AM +1000, Lachlan Musicman wrote: > It's worth noting that, in difference to the bug report: > > 1. We aren't making changes to the overrides. The overrides exist, they > just aren't propagating evenly or consistently. > 2. We are seeing these errors in the various

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
It's worth noting that, in difference to the bug report: 1. We aren't making changes to the overrides. The overrides exist, they just aren't propagating evenly or consistently. 2. We are seeing these errors in the various logs: sssd_DOMAIN.log:(Wed May 18 09:00:01 2016) [sssd[be[DOMAIN]]]

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Lachlan Musicman
Hmmm, I also now see https://fedorahosted.org/sssd/ticket/2642 and https://bugzilla.redhat.com/show_bug.cgi?id=1217127 Versions being run: sssd-client-1.13.0-40.el7_2.4.x86_64 sssd-ad-1.13.0-40.el7_2.4.x86_64 sssd-proxy-1.13.0-40.el7_2.4.x86_64 sssd-1.13.0-40.el7_2.4.x86_64

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2016-05-17 Thread Jakub Hrozek
On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote: > FWIW, > > We are seeing the issues that are described here: > > https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html > > I was about to write when I found this, it explains exactly what I am > seeing -

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
and here is my sssd debug log from client side http://pastebin.com/ud2q3FR5 On Sat, Apr 30, 2016 at 10:06 AM, Ben .T.George wrote: > Hi > > Adding this this. > > in AD i habe added 2 users , ben and jude. In my HBAC rule, i pointed this > specific external group and

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-30 Thread Ben .T.George
Hi Adding this this. in AD i have added 2 users , ben and jude. In my HBAC rule, i pointed this specific external group and (were these users) but while checking the rule from IPA server using hbactest, both users test passes and showing one rol. but in actual only ben can able to login to

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
surprisingly i have created some local IPA users and added to same HBAC rule, and removed AD group and applied this rule to client, and that got worked. How can i make this AD group with HBAC working? Regards, Ben On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George wrote: > HI

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI If i disable allow_all rule, i cannot able to login to client machine. On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George wrote: > HI > > actually i have added Domain Admins and the user ben is not part of Domain > Admins. But

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI actually i have added Domain Admins and the user ben is not part of Domain Admins. But when i login to client machine, i am getting below -sh-4.2$ id uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(*domain

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI while explaining here it went wrong. actually i did is" Added external group to POSIX group" On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > > HI, > > > > "The other is that the groups might not show

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > HI, > > "The other is that the groups might not show up on the client (do they?)" id $user. But I think Alexander noticed the root cause. > > how can i check that. > > Thanks > Ben > > On Fri, Apr 29, 2016 at 5:59 PM, Jakub

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi I have created 2 fresh users now and i was running below, [root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd ipa: ERROR: trusted domain user not found [root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd ipa: ERROR:

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi Alex, yea my mistake. i was following u this http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy wrote: > On Fri, 29 Apr 2016, Ben .T.George wrote: >

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI, "The other is that the groups might not show up on the client (do they?)" how can i check that. Thanks Ben On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > > Hi List, > > > > I have working setup

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Alexander Bokovoy
On Fri, 29 Apr 2016, Ben .T.George wrote: Hi List, I have working setup of one AD, one IPA server and one client server. by default i can login to client server by using AD username. i want to apply HBAC rules against this client server. For that i have done below steps. 1. created External

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > Hi List, > > I have working setup of one AD, one IPA server and one client server. by > default i can login to client server by using AD username. > > i want to apply HBAC rules against this client server. For that i have done >

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Martin Basti
On 29.04.2016 13:27, Ben .T.George wrote: HI Thanks for your reply. can i do this external group mapping from web UI? You can create External Group using webUI (user groups/ add group/ choose external radio button) More doc about HBAC:

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Ben .T.George
HI Thanks for your reply. can i do this external group mapping from web UI? On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote: > > Hi List, > > > > i have a working setup of IPA with AD integrated and one

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote: > Hi List, > > i have a working setup of IPA with AD integrated and one client joined. > > i want to implement HBAC rules against this client. can anyone please share > me good articles of implementing HBAC from web UI. I'm not sure

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-09 Thread Jakub Hrozek
On Tue, Dec 08, 2015 at 04:10:42PM -0600, Sauls, Jeff wrote: > > Jakub Hrozek wrote: > > > > On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote: > > > > Jakub Hrozek wrote: > > > > > > > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > > > > Hello, > > > > > > > > > >

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-08 Thread Sauls, Jeff
> Jakub Hrozek wrote: > > On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote: > > > Jakub Hrozek wrote: > > > > > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > > > Hello, > > > > > > > > We are having a problem with HBAC that appears to be related to > > > > group

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Jakub Hrozek
On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > Hello, > > We are having a problem with HBAC that appears to be related to group > membership lookup. I am testing with a new install on RHEL 7.2 with a > cross-forest trust with AD. When an AD user attempts to log into a client >

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Sauls, Jeff
> Jakub Hrozek wrote: > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > Hello, > > > > We are having a problem with HBAC that appears to be related to group > > membership lookup. I am testing with a new install on RHEL 7.2 with a > > cross-forest trust with AD. When an AD

Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-07 Thread Jakub Hrozek
On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote: > > Jakub Hrozek wrote: > > > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote: > > > Hello, > > > > > > We are having a problem with HBAC that appears to be related to group > > > membership lookup. I am testing with a

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Skwar
Hello Alexander ;) 2015-11-30 10:38 GMT+01:00 Alexander Bokovoy : > HBAC is enforced by SSSD over PAM. All you need to ensure is that an > application (sshd in this case) uses PAM. Then you setup HBAC rules, > disable allow_all rule, and then SSSD will verify rules on logon

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Bokovoy
On Mon, 30 Nov 2015, Alexander Skwar wrote: Hello Alexander ;) 2015-11-30 10:38 GMT+01:00 Alexander Bokovoy : HBAC is enforced by SSSD over PAM. All you need to ensure is that an application (sshd in this case) uses PAM. Then you setup HBAC rules, disable allow_all rule,

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Jan Pazdziora
On Mon, Nov 30, 2015 at 11:18:15AM +0100, Alexander Skwar wrote: > > Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also > change the "default" behaviour? I mean, by default, everything will > be allowed for everyone on every system. No. > When I deactivate the allow_all -

Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems

2015-11-30 Thread Alexander Bokovoy
On Mon, 30 Nov 2015, Alexander Skwar wrote: Hello I'm trying to setup our FreeIPA 4.1.0 (RHEL 7) servers with Ubuntu 14.04 FreeIPA 3.3.4 clients so, that users in a user group called "customers" can only access hosts, which are in a host group called "test". Users from the user group "ops"

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Jakub Hrozek
On Tue, Nov 24, 2015 at 10:25:11AM +0100, Winfried de Heiden wrote: >Hi all, > >sss_debuglevel 6; in /var/log/sss/sssd_pam.log > >Running as "testuser" crond is denied; perfect since it is not listed in >the HBAC services. > >[testuser@fedora23-server ~]$ crontab -l >You

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
Hi all, Running as an ordinary user, straight from the beginning. Is the (default) suid of /usr/bin/su causing this? Anyway: the info requested: /var/log/secure will tell: Nov 24 11:04:11 fedora23-server su:

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Jakub Hrozek
On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote: >Hi all, > >Running as an ordinary user, straight from the beginning. > >Is the (default) suid of /usr/bin/su causing this? > >Anyway: the info requested: > >/var/log/secure will tell: >Nov 24

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
Hi all, sss_debuglevel 6; in /var/log/sss/sssd_pam.log Running as "testuser" crond is denied; perfect since it is not listed in the HBAC services. [testuser@fedora23-server ~]$ crontab -l You (testuser) are not allowed to access

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Jakub Hrozek
On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote: >Hi all, > >Running as an ordinary user, straight from the beginning. > >Is the (default) suid of /usr/bin/su causing this? > >Anyway: the info requested: > >/var/log/secure will tell: >Nov 24

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Winfried de Heiden
Hi all, The problem is clear, there is a misunderstanding of the service "su" and "su-l", this is about the target users. Hence; su - to user winfried is allowed since su and su-l are added to the hbac service list of this user. This looks a bit strange from the ui perspective, all other

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Alexander Bokovoy
On Tue, 24 Nov 2015, Winfried de Heiden wrote: Hi all, The problem is clear, there is a misunderstanding of the service "su" and "su-l", this is about the target users. Hence; su - to user winfried is allowed since su and su-l are added to the hbac service list of this user. This looks a

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-24 Thread Jakub Hrozek
On Tue, Nov 24, 2015 at 12:58:42PM +0100, Winfried de Heiden wrote: > Hi all, > > [winfried@ipa ~]$ ipa hbacrule-show allow_all > Rule name: allow_all > User category: all > Host category: all > Service category: all > Description: Allow all users to access any host from any host >

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Jakub Hrozek
On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: >Hi all, > >I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 > ># ipa hbacrule-show testuser > Rule name: testuser > Enabled: TRUE > Users: testuser > Hosts:

Re: [Freeipa-users] hbac service allowed despite not listed

2015-11-23 Thread Sumit Bose
On Mon, Nov 23, 2015 at 05:16:26PM +0100, Jakub Hrozek wrote: > On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: > >Hi all, > > > >I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 > > > ># ipa hbacrule-show testuser > > Rule name: testuser > >

Re: [Freeipa-users] HBAC

2015-10-01 Thread Simo Sorce
On 30/09/15 21:22, TomK wrote: On 9/30/2015 8:12 AM, Martin Kosek wrote: On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: On Tue, 29 Sep 2015, TomK wrote: Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users mailing list so not sure if the other message

Re: [Freeipa-users] HBAC

2015-10-01 Thread TomK
On 10/1/2015 12:04 PM, Simo Sorce wrote: On 30/09/15 21:22, TomK wrote: On 9/30/2015 8:12 AM, Martin Kosek wrote: On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: On Tue, 29 Sep 2015, TomK wrote: Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users

Re: [Freeipa-users] HBAC

2015-09-30 Thread Martin Kosek
On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: > On Tue, 29 Sep 2015, TomK wrote: >> Hey Guys, >> >> (Sending this again as I didn't have this email included in the freeipa-users >> mailing list so not sure if the other message will get posted.) >> >> Before I post a ticket to RH Support for an

Re: [Freeipa-users] HBAC

2015-09-30 Thread TomK
On 9/30/2015 8:12 AM, Martin Kosek wrote: On 09/30/2015 07:50 AM, Alexander Bokovoy wrote: On Tue, 29 Sep 2015, TomK wrote: Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users mailing list so not sure if the other message will get posted.) Before I post

Re: [Freeipa-users] HBAC

2015-09-29 Thread Alexander Bokovoy
On Tue, 29 Sep 2015, TomK wrote: Hey Guys, (Sending this again as I didn't have this email included in the freeipa-users mailing list so not sure if the other message will get posted.) Before I post a ticket to RH Support for an RFE, I'll post the request here to get some feedback on

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
if I can. From: Jakub Hrozek jhro...@redhat.com To: Martin Kosek mko...@redhat.com Cc: Freeipa-users freeipa-users@redhat.com Sent: Wednesday, August 19, 2015 12:23 AM Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients On Tue, Aug 18, 2015 at 09:05:14PM +0200

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
natxo.ase...@gmail.com Cc: Freeipa-users freeipa-users@redhat.com Sent: Saturday, August 15, 2015 10:46 AM Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread Jakub Hrozek
On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote: On 08/15/2015 07:05 PM, Natxo Asenjo wrote: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: sipazzo wrote: and my users are able to authenticate to the

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-18 Thread Martin Kosek
On 08/15/2015 07:05 PM, Natxo Asenjo wrote: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-17 Thread sipazzo
-users@redhat.com Sent: Saturday, August 15, 2015 10:46 AM Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allow netgroups to be listed

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Bob
For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allow netgroups to be listed in a user.allow file. On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Natxo Asenjo
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user whether given access or not can login to the Solaris systems. The allow-all rule has been

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Rob Crittenden
sipazzo wrote: Hi I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7 clients, Solaris 10 clients and a handful of Solaris 11 clients. I followed this guide in setting up the solaris clients: 3.8. Configuring a Solaris System as a FreeIPA Client

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-13 Thread Vangass
OK. I understand. Thank You for an answer. 2015-05-12 9:39 GMT+02:00 Jan Pazdziora jpazdzi...@redhat.com: On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote: OK. But the answer granted/declined comes from IPA. So why IPA doesn't check its own HBAC rules at all? Maybe the line

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-12 Thread Jan Pazdziora
On Mon, May 11, 2015 at 08:52:08PM +0200, Vangass wrote: OK. But the answer granted/declined comes from IPA. So why doesn't IPA check its own HBAC rules at all? Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules.

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Vangass
Hi, I am trying to access a Cisco switch via ssh. The Cisco has tacacs login configured. # tail /var/log/secure May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=bartosz May 11 14:18:53 freeipa tac_plus[29096]:

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Jakub Hrozek
On Mon, May 11, 2015 at 01:19:01PM +0200, Vangass wrote: Hello, I have a problem with HBAC rules in conjunction with PAM authentication. What I am trying to do is to authenticate users: tac_plus - PAM (pam_sssd) - FreeIPA. It works just fine but without checking HBAC rules. What I did: -

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Jan Pazdziora
On Mon, May 11, 2015 at 01:57:38PM +0200, Jakub Hrozek wrote: On Mon, May 11, 2015 at 01:19:01PM +0200, Vangass wrote: Hello, I have a problem with HBAC rules in conjunction with PAM authentication. What I am trying to do is to authenticate users: tac_plus - PAM (pam_sssd) - FreeIPA. It

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote: On (11/05/15 14:57), Vangass wrote: Hi, I am trying to access a Cisco switch via ssh. The Cisco has tacacs login configured. # tail /var/log/secure May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Lukas Slebodnik
On (11/05/15 14:57), Vangass wrote: Hi, I am trying to access a Cisco switch via ssh. The Cisco has tacacs login configured. # tail /var/log/secure May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= user=bartosz May 11

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Sumit Bose
On Mon, May 11, 2015 at 05:15:31PM +0200, Sumit Bose wrote: On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote: On (11/05/15 14:57), Vangass wrote: Hi, I am trying to access a Cisco switch via ssh. The Cisco has tacacs login configured. # tail /var/log/secure May 11 14:18:46

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Vangass
OK. But the answer granted/declined comes from IPA. So why doesn't IPA check its own HBAC rules at all? Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules. Thanks, Bartek. 2015-05-11 17:22 GMT+02:00 Sumit Bose

Re: [Freeipa-users] HBAC rules don't work with PAM - problem

2015-05-11 Thread Alexander Bokovoy
On Mon, 11 May 2015, Vangass wrote: OK. But the answer granted/declined comes from IPA. So why doesn't IPA check its own HBAC rules at all? Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules. Authentication and

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-21 Thread Srdjan Dutina
Yes, it does. Thank you. On Mon, Apr 20, 2015 at 6:08 PM Srdjan Dutina sdut...@gmail.com wrote: Sorry for misunderstanding. I understand HBAC rules will not work for Centos 5. I just wanted to make sure disabling allow all rule and adding new HBAC rules won't interfere with AD users logging

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Dmitri Pal
On 04/20/2015 12:08 PM, Srdjan Dutina wrote: Sorry for misunderstanding. I understand HBAC rules will not work for Centos 5. I just wanted to make sure disabling allow all rule and adding new HBAC rules won't interfere with AD users logging on Centos 5. To clarify: CentOS 5 needs to point

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Alexander Bokovoy
On Mon, 20 Apr 2015, Srdjan Dutina wrote: Thanks for the quick answer! If I disable the HBAC rule, I can still log in to the Centos 5 client using an IPA user, but not using an AD user. Is there a workaround? I need allow_all disabled because of newer IPA clients. There is no workaround so far. -- / Alexander

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Thanks for the quick answer! If I disable the HBAC rule, I can still log in to the Centos 5 client using an IPA user, but not using an AD user. Is there a workaround? I need allow_all disabled because of newer IPA clients. On Mon, Apr 20, 2015 at 4:30 PM Alexander Bokovoy aboko...@redhat.com wrote: On Mon, 20