Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread JR Aquino
On Jun 13, 2011, at 4:43 PM, Steven Jones wrote: I have put 3 clients into a netgroup and added a user, however when I remove the user from the netgroup the user can still log in! Even if the user wasn't ever in the netgroup they can log in. So how do I stop that? When will we see

Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Steven Jones
Hi, I've seen/read it, and I have a hard copy on my desk in front of me right now. I find it typical of such documents: it has lots of sections in great detail but it doesn't tell you how to achieve anything end to end, and often it gives you written instructions on visual tasks so if

Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread JR Aquino
1) Create an HBAC Rule or rules: choose allow or deny
2) add users/usergroups to the rule
3) add hosts/hostgroups to the rule
4) disable the default 'allow all' rule

Now any system that has SSSD 1.5 will enforce those HBAC rules. For systems that do not support sssd, I have been working on a

Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Steven Jones
Hmm, so what's the default rule? Can I set precedence? Is there any? Example. So I've disabled the allow_all rule, I made a deny_all rule and then a rule to allow specific user groups to log in to specific hostgroups servers... that didn't work... So I disabled the deny_all rule and users in

Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Rob Crittenden
Steven Jones wrote:
> Hmm, so what's the default rule? Can I set precedence? Is there any?

The default rule is deny.

> Example. So I've disabled the allow_all rule, I made a deny_all rule and then a rule to allow specific user groups to log in to specific hostgroups servers... that didn't

Re: [Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?

2011-06-13 Thread Simo Sorce
Just to add on the advice, not to detract,

On Tue, 2011-06-14 at 01:10 +, JR Aquino wrote:
> 1) Create an HBAC Rule or rules: choose allow or deny

Do yourself a favor and never use deny rules, they are there if you *really* need them, but you do not want to use them if you can avoid them :)