Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-21 Thread Srdjan Dutina
Yes, it does. Thank you. On Mon, Apr 20, 2015 at 6:08 PM Srdjan Dutina sdut...@gmail.com wrote: Sorry for the misunderstanding. I understand HBAC rules will not work for CentOS 5. I just wanted to make sure disabling the allow all rule and adding new HBAC rules won't interfere with AD users logging

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Dmitri Pal
On 04/20/2015 12:08 PM, Srdjan Dutina wrote: Sorry for the misunderstanding. I understand HBAC rules will not work for CentOS 5. I just wanted to make sure disabling the allow all rule and adding new HBAC rules won't interfere with AD users logging on CentOS 5. To clarify: CentOS 5 needs to point

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Alexander Bokovoy
On Mon, 20 Apr 2015, Srdjan Dutina wrote: Thanks for the quick answer! If I disable the HBAC rule, I can still log in to the CentOS 5 client using an IPA user, but not using an AD user. Is there a workaround? I need allow_all disabled because of newer IPA clients. There is no workaround so far. -- / Alexander

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Thanks for the quick answer! If I disable the HBAC rule, I can still log in to the CentOS 5 client using an IPA user, but not using an AD user. Is there a workaround? I need allow_all disabled because of newer IPA clients. On Mon, Apr 20, 2015 at 4:30 PM Alexander Bokovoy aboko...@redhat.com wrote: On Mon, 20

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Alexander Bokovoy
On Mon, 20 Apr 2015, Srdjan Dutina wrote: Hi, Testing FreeIPA 4.1.0 (CentOS 7 (1503)) with AD 2012 R2 trust. For CentOS 5.11 Client (SSSD 1.5.1), will HBAC and SUDO rules function? If yes, does this apply to AD users also? SSSD 1.5.1 does not have SUDO support. HBAC support in 1.5.1 will mot

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Just found in http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the next sentence: If you have HBAC's allow_all rule disabled, you will need to allow system-auth service on the FreeIPA master, so that authentication of the AD users can be performed. Is this true for FreeIPA 4.1.0

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Alexander Bokovoy
On Mon, 20 Apr 2015, Srdjan Dutina wrote: Just found in http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the next sentence: If you have HBAC's allow_all rule disabled, you will need to allow system-auth service on the FreeIPA master, so that authentication of the AD users can be

Re: [Freeipa-users] HBAC and SUDO rules for legacy clients

2015-04-20 Thread Srdjan Dutina
Sorry for the misunderstanding. I understand HBAC rules will not work for CentOS 5. I just wanted to make sure disabling the allow all rule and adding new HBAC rules won't interfere with AD users logging on CentOS 5. On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy aboko...@redhat.com wrote: On Mon,