Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
Thanks Bob, I have tried to implement this and cannot seem to get it to work
for me even though it seems straightforward. I tried both using a
user.allow file and adding the netgroup to /etc/passwd, as well as moving lines
around in pam.conf and many different versions of pam.conf, but it results
in either everyone being able to log in or no one being able to log in. Do you
mind sharing your pam.conf with me?
I have the following relevant entries in nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
netgroup: ldap

From: Bob
To: Natxo Asenjo
Cc: Freeipa-users
Sent: Saturday, August 15, 2015 10:46 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients


For Solaris we are using the pam_list module to control which LDAP users can
have system access. The pam_list module allows netgroups to be listed in a
user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo  wrote:





On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden  wrote:

sipazzo wrote:


and my users are able to authenticate to the directory but the hbac
rules are not being applied. Any user whether given access or not can
login to the Solaris systems. The "allow-all" rule has been disabled, my
nsswitch.conf file looks good and I have tried different configs of
pam.d, including the provided example to try to resolve the issue. Am I
missing some steps?


HBAC enforcement is provided by sssd so doesn't work in Solaris.


one might try using solaris' RBAC system:

http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all solaris systems.

There is a RBAC ldap schema 
http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris, 
but I have never tried using it with freeipa. 

--
Groeten,
natxo
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
Ah I would love to help but have only been a Unix sysadmin for a couple years
now (came from Windows side of house) and have little coding ability. Still
happy to help in any way I can though if you can find a place/need for me. You
have all been very helpful to me so I would like to give back if I can.

From: Jakub Hrozek
To: Martin Kosek
Cc: Freeipa-users
Sent: Wednesday, August 19, 2015 12:23 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> >
> >
> >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >    sipazzo wrote:
> >
> >
> >        and my users are able to authenticate to the directory but the hbac
> >        rules are not being applied. Any user whether given access or not can
> >        login to the Solaris systems. The "allow-all" rule has been 
> >disabled, my
> >        nsswitch.conf file looks good and I have tried different configs of
> >        pam.d, including the provided example to try to resolve the issue. 
> >Am I
> >        missing some steps?
> >
> >
> >    HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> >
> >one might try using solaris' RBAC system:
> >
> >http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> >You would have to distribute your changes to all solaris systems.
> >
> >There is a RBAC ldap schema
> >http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for 
> >solaris,
> >but I have never tried using it with freeipa.
> >
> >--
> >Groeten,
> >natxo
> 
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
> 
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still
working on this, but the progress is slow, RHEL maintenance tends to eat
most time..




Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread Jakub Hrozek
On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
> >
> >
> >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote:
> >
> >sipazzo wrote:
> >
> >
> >and my users are able to authenticate to the directory but the hbac
> >rules are not being applied. Any user whether given access or not can
> >login to the Solaris systems. The "allow-all" rule has been 
> > disabled, my
> >nsswitch.conf file looks good and I have tried different configs of
> >pam.d, including the provided example to try to resolve the issue. 
> > Am I
> >missing some steps?
> >
> >
> >HBAC enforcement is provided by sssd so doesn't work in Solaris.
> >
> >
> >one might try using solaris' RBAC system:
> >
> >http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
> >
> >You would have to distribute your changes to all solaris systems.
> >
> >There is a RBAC ldap schema
> >http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for 
> >solaris,
> >but I have never tried using it with freeipa.
> >
> >--
> >Groeten,
> >natxo
> 
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
> 
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still
working on this, but the progress is slow, RHEL maintenance tends to eat
most time..



Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-18 Thread Martin Kosek

On 08/15/2015 07:05 PM, Natxo Asenjo wrote:



On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

sipazzo wrote:


and my users are able to authenticate to the directory but the hbac
rules are not being applied. Any user whether given access or not can
login to the Solaris systems. The "allow-all" rule has been disabled, my
nsswitch.conf file looks good and I have tried different configs of
pam.d, including the provided example to try to resolve the issue. Am I
missing some steps?


HBAC enforcement is provided by sssd so doesn't work in Solaris.


one might try using solaris' RBAC system:

http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all solaris systems.

There is a RBAC ldap schema
http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris,
but I have never tried using it with freeipa.

--
Groeten,
natxo


Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:

https://github.com/jhrozek/pam_hbac

:-)

Martin



Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-17 Thread sipazzo
Ok thanks all. I will look into pam_list, integrating with the Solaris RBAC is 
probably beyond me as I am not that Solaris savvy and there is no documentation 
on using it with freeipa that I see.
I tried using AllowGroups in sshd_config on Solaris to restrict access but it 
only seems to work with primary group membership. Is this expected? From 
reading documentation it should work with secondary/supplementary documentation 
as well. Let me know if you have found a way around that please.
From: Bob
To: Natxo Asenjo
Cc: Freeipa-users
Sent: Saturday, August 15, 2015 10:46 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients


For Solaris we are using the pam_list module to control which LDAP users can
have system access. The pam_list module allows netgroups to be listed in a
user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo  wrote:





On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden  wrote:

sipazzo wrote:


and my users are able to authenticate to the directory but the hbac
rules are not being applied. Any user whether given access or not can
login to the Solaris systems. The "allow-all" rule has been disabled, my
nsswitch.conf file looks good and I have tried different configs of
pam.d, including the provided example to try to resolve the issue. Am I
missing some steps?


HBAC enforcement is provided by sssd so doesn't work in Solaris.


one might try using solaris' RBAC system:

http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all solaris systems.

There is a RBAC ldap schema 
http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris, 
but I have never tried using it with freeipa. 

--
Groeten,
natxo

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Bob
For Solaris we are using the pam_list module to control which LDAP users
can have system access. The pam_list module allows netgroups to be listed in
a user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo 
wrote:

>
>
> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden 
> wrote:
>
>> sipazzo wrote:
>>
>>>
>>> and my users are able to authenticate to the directory but the hbac
>>> rules are not being applied. Any user whether given access or not can
>>> login to the Solaris systems. The "allow-all" rule has been disabled, my
>>> nsswitch.conf file looks good and I have tried different configs of
>>> pam.d, including the provided example to try to resolve the issue. Am I
>>> missing some steps?
>>>
>>
>> HBAC enforcement is provided by sssd so doesn't work in Solaris.
>>
>
> one might try using solaris' RBAC system:
>
>
> http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>
> You would have to distribute your changes to all solaris systems.
>
> There is a RBAC ldap schema
> http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for
> solaris, but I have never tried using it with freeipa.
>
> --
> Groeten,
> natxo
>
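As an added example (not code from the thread, from Bob's setup, or from the pam_list module itself), a POSIX sh model of the allow decision Bob describes: user.allow entries that are either user names or @netgroups, with membership resolved from getent-style (host,user,domain) triples. The netgroup name, host names, users and file contents are constructed; the unresolvable-netgroup branch shows why a missing netgroup source in nsswitch.conf locks everyone out.

```shell
#!/bin/sh
# Added example, not from the thread: models the allow decision a
# netgroup-based allow list (as used with pam_list) makes, so netgroup
# resolution can be checked on the host before reworking pam.conf.
# All names and sample data are constructed; in production replace
# lookup_netgroup with:  getent netgroup "$1"

# Constructed getent-style output: name, then (host,user,domain) triples.
SAMPLE_NETGROUP='solaris_admins (,alice,) (sol10-01,bob,) (-,carol,)'

# Constructed user.allow: plain user names or @netgroup entries.
SAMPLE_ALLOW='@solaris_admins
dave'

# lookup_netgroup NAME -> prints the netgroup line, or nothing when it
# does not resolve (what happens with no "netgroup: ldap" in nsswitch.conf).
lookup_netgroup() {
    case "$1" in
        solaris_admins) printf '%s\n' "$SAMPLE_NETGROUP" ;;
    esac
}

# in_netgroup USER HOST LINE -> 0 if a triple matches USER on HOST.
# An empty host field matches any host; "-" matches no host.
in_netgroup() {
    ng_user=$1; ng_host=$2
    set -- $3                 # word-split: name, then one triple per word
    [ $# -gt 0 ] || return 1  # unresolvable netgroup: nobody matches
    shift
    for triple in "$@"; do
        t=${triple#\(}; t=${t%\)}
        t_host=${t%%,*}; t=${t#*,}; t_user=${t%%,*}
        [ "$t_user" = "$ng_user" ] || continue
        case "$t_host" in
            "" | "$ng_host") return 0 ;;
        esac
    done
    return 1
}

# allowed USER HOST -> 0 if USER is listed directly or via an @netgroup.
allowed() {
    for entry in $SAMPLE_ALLOW; do
        case "$entry" in
            "$1") return 0 ;;
            @*) in_netgroup "$1" "$2" "$(lookup_netgroup "${entry#@}")" && return 0 ;;
        esac
    done
    return 1
}
```

Run `allowed USER HOST` for the accounts that should and should not have access; if every netgroup user is denied, check what lookup_netgroup (getent netgroup) returns on that host before editing pam.conf again.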

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Natxo Asenjo
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden  wrote:

> sipazzo wrote:
>
>>
>> and my users are able to authenticate to the directory but the hbac
>> rules are not being applied. Any user whether given access or not can
>> login to the Solaris systems. The "allow-all" rule has been disabled, my
>> nsswitch.conf file looks good and I have tried different configs of
>> pam.d, including the provided example to try to resolve the issue. Am I
>> missing some steps?
>>
>
> HBAC enforcement is provided by sssd so doesn't work in Solaris.
>

one might try using solaris' RBAC system:

http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html

You would have to distribute your changes to all solaris systems.

There is a RBAC ldap schema
http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for
solaris, but I have never tried using it with freeipa.

--
Groeten,
natxo

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Rob Crittenden

sipazzo wrote:

Hi I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7
clients, Solaris 10 clients and a handful of Solaris 11 clients. I
followed this guide in setting up the solaris clients: 3.8. Configuring
a Solaris System as a FreeIPA Client





and my users are able to authenticate to the directory but the hbac
rules are not being applied. Any user whether given access or not can
login to the Solaris systems. The "allow-all" rule has been disabled, my
nsswitch.conf file looks good and I have tried different configs of
pam.d, including the provided example to try to resolve the issue. Am I
missing some steps?


HBAC enforcement is provided by sssd so doesn't work in Solaris.

rob
