My system-auth-ac file looks like:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

___________________
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 1/25/16, 1:26 PM, "Birnbaum, Warren (ETW)" <warren.birnb...@nike.com> wrote:

>Thanks Alexander. Is there a place where there are example pam stacks
>that work with active directory and hbac?
>
>On 1/22/16, 2:44 PM, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
>
>>On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>>Thanks for your reply. I understand what you are saying but don't see
>>>how this would work because Allow_All is my current situation (even with
>>>this rule disabled). My understanding is you can't restrict through a
>>>rule, only limit. Am I missing something?
>>Yes.
>>
>>First, lack of an HBAC rule that allows access to a service means pam_sss
>>will deny access to this service. HBAC rules only give you means to
>>_allow_ access, not to limit it, as when no rules are in place,
>>everything is disallowed. 'allow_all' HBAC rule is provided exactly to
>>allow starting with a fresh working ground -- you would then remove
>>'allow_all' rule after creating specific allow rules.
>>
>>Second, while pam_sss evaluates HBAC rules, it is only one module in a
>>PAM stack. There might be other PAM modules that could make their own
>>decisions to allow access to a specific service. You need to see what is
>>in your configuration.
>>
>>On RHEL and Fedora we configure PAM stack in such a way that apart from
>>root and wheel group the rest is managed by SSSD via pam_sss. If your
>>configuration is different, it is up to you to ensure everything is
>>tightened up.
>>
>>>On 1/22/16, 1:51 PM, "freeipa-users-boun...@redhat.com on behalf of
>>>Jakub Hrozek" <freeipa-users-boun...@redhat.com on behalf of
>>>jhro...@redhat.com> wrote:
>>>
>>>>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>>>>>Hi.
>>>>>
>>>>>I have been successful using Freeipa 4.1 configuring active directory
>>>>>users and with sudo. The problem I am having is that the HBAC rules
>>>>>are not applying to my active directory users. They have access to all
>>>>>systems even if I disable my Allow_ALL rule. Is there something
>>>>>special I should be doing to the domain?
>>>>
>>>>Normally HBAC for AD users should be done through an external group you
>>>>add the AD users or groups to, then add the external group to a regular
>>>>IPA group and reference this IPA group from HBAC rules.
>>>>
>>>>There have been bugs related to external groups resolution, so please
>>>>update to the latest IPA and SSSD packages also.
>>>>
>>>>--
>>>>Manage your subscription for the Freeipa-users mailing list:
>>>>https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>Go to http://freeipa.org for more info on the project
>>
>>--
>>/ Alexander Bokovoy
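Alexander's second point, that pam_sss is only one module in the stack and others may grant access before it is consulted, can be checked mechanically against the stack Warren posted. The script below is an added example and is not code from the thread, from FreeIPA or from SSSD: it parses a system-auth-ac stack (the text embedded here is the one posted in the message above, reflowed one entry per line) and, for each phase, lists the modules that can terminate the phase with success before pam_sss.so is reached, i.e. the paths on which HBAC is never evaluated. The function names are my own.

```python
"""Which PAM modules can grant access before pam_sss (and so HBAC) is consulted?

Added example (not from the thread): parses a system-auth-ac stack and, per
phase, lists the modules that can return success ahead of pam_sss.so.  The
sample stack is the one posted in the message above, one entry per line.
"""
import re

SYSTEM_AUTH_AC = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

# type  control(keyword or [bracket form])  module  args...
# A leading '-' means "skip silently if the module is missing"; it is not
# part of the type name, so it is captured separately and ignored here.
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module, args) tuples in stack order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        _optional, ptype, control, module, args = m.groups()
        entries.append((ptype, control, module, args))
    return entries


def can_end_stack_with_success(control):
    """True if this control value can terminate the phase successfully on its own.

    'sufficient' does so when the module succeeds (and nothing earlier failed);
    in bracket syntax the equivalent is success=done.  success=ok only records
    the result and keeps going, so it does not bypass the modules after it.
    """
    if control == "sufficient":
        return True
    if control.startswith("["):
        return "success=done" in control
    return False


def short_circuits_before_sss(entries, ptype):
    """Modules in phase `ptype` that can grant access before pam_sss.so runs.

    Returns None when pam_sss.so is absent from the phase altogether, which
    means HBAC is never evaluated for that phase at all.
    """
    phase = [e for e in entries if e[0] == ptype]
    sss_at = next((i for i, e in enumerate(phase) if e[2] == "pam_sss.so"), None)
    if sss_at is None:
        return None
    return [e[2] for e in phase[:sss_at] if can_end_stack_with_success(e[1])]


def audit(text):
    """Map each phase to the modules that can bypass pam_sss (None = no pam_sss)."""
    entries = parse_pam(text)
    return {p: short_circuits_before_sss(entries, p)
            for p in ("auth", "account", "password", "session")}


if __name__ == "__main__":
    for phase, bypass in audit(SYSTEM_AUTH_AC).items():
        if bypass is None:
            print(f"{phase:8s} pam_sss.so not in stack: HBAC never consulted")
        else:
            print(f"{phase:8s} can succeed before pam_sss: {bypass or 'none'}")
```

On this stack the result is the RHEL/Fedora split Alexander describes: in the auth phase only pam_unix (local passwd accounts) can succeed before pam_sss, and in the account phase only pam_localuser and the `uid < 1000` pam_succeed_if rule do. An AD user is not in /etc/passwd and has a high uid, so it falls through to pam_sss in both phases; if such a user still gets in with allow_all disabled, the stack is not the culprit and the rules themselves are what to check (for instance with `ipa hbactest`, which evaluates the HBAC rules on the server for a given user, host and service, and with the external-group resolution Jakub mentions). The `-session` prefix and the bracketed control syntax are handled because both appear in the posted stack; `success=ok` is deliberately not treated as a bypass, since it only records a result and continues.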