Thanks Alexander. Is there a place where there are example PAM stacks that work with Active Directory and HBAC?
___________________
Warren Birnbaum : Infrastructure Services Web Automation Engineer Europe CDT Techn. Operations Nike Inc. : Mobile +31 6 23902697

On 1/22/16, 2:44 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:

>On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>Thanks for your reply. I understand what you are saying but don't see how
>>this would work because Allow_All is my current situation (even with this
>>rule disabled). My understanding is you can't restrict through a rule, only
>>limit. Am I missing something?
>Yes.
>
>First, lack of an HBAC rule that allows access to a service means pam_sss
>will deny access to this service. HBAC rules only give you means to
>_allow_ access, not to limit it, as when no rules are in place,
>everything is disallowed. The 'allow_all' HBAC rule is provided exactly to
>allow starting with a fresh working ground -- you would then remove the
>'allow_all' rule after creating specific allow rules.
>
>Second, while pam_sss evaluates HBAC rules, it is only one module in a
>PAM stack. There might be other PAM modules that could make their own
>decisions to allow access to a specific service. You need to see what is
>in your configuration.
>
>On RHEL and Fedora we configure the PAM stack in such a way that apart from
>root and the wheel group the rest is managed by SSSD via pam_sss. If your
>configuration is different, it is up to you to ensure everything is
>tightened up.
>
>>On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of Jakub
>>Hrozek" <freeipa-users-boun...@redhat.com on behalf of
>>jhro...@redhat.com> wrote:
>>
>>>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>>>> Hi.
>>>>
>>>> I have been successful using FreeIPA 4.1 configuring Active Directory
>>>> users and with sudo. The problem I am having is that the HBAC rules
>>>> are not applying to my Active Directory users. They have access to all
>>>> systems even if I disable my Allow_ALL rule. Is there something
>>>> special I should be doing to the domain?
>>>
>>>Normally HBAC for AD users should be done through an external group you
>>>add the AD users or groups to, then add the external group to a regular
>>>IPA group and reference this IPA group from HBAC rules.
>>>
>>>There have been bugs related to external groups resolution, so please
>>>update to the latest IPA and SSSD packages also.
>
>--
>/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
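The workflow the two replies describe, written up as an added example (not code from the thread or from the FreeIPA project): build the AD group -> external group -> IPA group chain, hang an HBAC rule on the IPA group, prove it with `ipa hbactest` and confirm that pam_sss sits in the account phase of the PAM stack before `allow_all` is disabled. The AD domain, group, host and user names are constructed, and `IPA` can be pointed at a stub to exercise the script offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the external-group
# chain Jakub describes, an HBAC rule built on it, and the checks to run before
# disabling allow_all. AD domain, group, host and user names are constructed.
set -eu

AD_GROUP='AD.EXAMPLE\linux-admins'  # constructed AD group, DOMAIN\name form
EXT_GROUP=ad_linux_admins_external  # external (non-POSIX) group holding AD members
IPA_GROUP=ad_linux_admins           # POSIX IPA group that HBAC rules reference
RULE=allow_ad_linux_admins_ssh
HOST=web01.ipa.example.com          # constructed IPA-enrolled host
IPA=${IPA:-ipa}                     # point at a stub function to run offline

# Echo and run one `ipa` subcommand.
run() { echo "+ ipa $*"; "$IPA" "$@"; }

# AD users cannot be named in HBAC rules directly:
# AD group -> external group -> IPA POSIX group -> HBAC rule.
hbac_setup() {
  run group-add "$EXT_GROUP" --external --desc 'AD users allowed to ssh'
  run group-add-member "$EXT_GROUP" --external "$AD_GROUP"
  run group-add "$IPA_GROUP"
  run group-add-member "$IPA_GROUP" --groups "$EXT_GROUP"
  run hbacrule-add "$RULE"
  run hbacrule-add-user "$RULE" --groups "$IPA_GROUP"
  run hbacrule-add-host "$RULE" --hosts "$HOST"
  run hbacrule-add-service "$RULE" --hbacsvcs sshd
}

# Simulate the server-side decision for one user against the new rule only;
# succeeds when that rule alone grants access (allow_all is still enabled here).
hbac_grants() {
  run hbactest --user "$1" --host "$HOST" --service sshd --rules "$RULE" \
    | grep -q '^Access granted: True'
}

# HBAC is enforced by pam_sss in the account phase; a stack whose account
# phase never reaches pam_sss would not apply the rules at all.
pam_enforces_hbac() {
  grep -Eq '^account[[:space:]]+.*pam_sss\.so' "$1"
}

if [ "${1:-}" = apply ]; then
  hbac_setup
  pam_enforces_hbac /etc/pam.d/system-auth
  hbac_grants "${2:?AD user, e.g. someone@ad.example}"
  run hbacrule-disable allow_all   # only once the specific rule is proven
fi
```

Run it as `sh hbac_ad.sh apply 'someone@ad.example'` on an enrolled client with admin Kerberos credentials; without `apply` it only defines the functions.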