[Freeipa-users] Active Directory users are not controlled by HBAC

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 22 13:44:38 UTC 2016


On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>Thanks for your reply.  I understand what you are saying but don't see how
>this would work because Allow_All is my current situation (even with this
>rule disabled).  My understanding is you can't restrict through a rule, only
>limit.  Am I missing something?
Yes.

First, the lack of an HBAC rule that allows access to a service means pam_sss
will deny access to this service. HBAC rules only give you the means to
_allow_ access, not to limit it: when no rules are in place,
everything is disallowed.  The 'allow_all' HBAC rule is provided exactly to
allow starting from a fresh working ground -- you would then remove the
'allow_all' rule after creating specific allow rules.

Second, while pam_sss evaluates HBAC rules, it is only one module in a
PAM stack. There might be other PAM modules that could make their own
decisions to allow access to a specific service. You need to see what is
in your configuration.

On RHEL and Fedora we configure the PAM stack in such a way that, apart from
root and the wheel group, the rest is managed by SSSD via pam_sss. If your
configuration is different, it is up to you to ensure everything is
tightened up.

>On 1/22/16, 1:51 PM, "freeipa-users-bounces at redhat.com on behalf of Jakub
>Hrozek" <freeipa-users-bounces at redhat.com on behalf of jhrozek at redhat.com>
>wrote:
>
>>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>>> Hi.
>>>
>>> I have been successful using FreeIPA 4.1 configuring active directory
>>>users and with sudo.  The problem I am having is that the HBAC rules are
>>>not applying to my active directory users.  They have access to all
>>>systems even if I disable my Allow_ALL rule.  Is there something special
>>>I should be doing to the domain?
>>
>>Normally HBAC for AD users should be done through an external group you
>>add the AD users or groups to, then add the external group to a regular
>>IPA group and reference this IPA group from HBAC rules.
>>
>>There have been bugs related to external groups resolution, so please
>>update to the latest IPA and SSSD packages also.
>>
>>--
>>Manage your subscription for the Freeipa-users mailing list:
>>https://www.redhat.com/mailman/listinfo/freeipa-users
>>Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
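The two points in the reply above (HBAC is allow-only and denies when no rule matches; pam_sss is just one module in the PAM stack) can be seen in a small model. The following is an added example, not FreeIPA or SSSD code: it resolves an AD user through an external group into a POSIX IPA group, evaluates constructed HBAC rules with allow_all enabled and disabled, and then walks a simplified PAM account stack to show how a `sufficient` module placed before pam_sss bypasses the HBAC decision entirely. All principals, host names, group names and the stack layout are constructed sample data.

```python
"""Model of pam_sss HBAC evaluation inside a PAM account stack (added
example; not FreeIPA/SSSD code).  All directory data, rules and stacks
below are constructed samples."""
from dataclasses import dataclass, field, replace

# Constructed membership graph: member -> the groups it belongs to.
# The AD group is a member of an IPA *external* group, which is in turn a
# member of a regular POSIX IPA group that HBAC rules can reference.
MEMBERSHIP = {
    "warren@ad.example.test": {"AD\\Domain Admins"},
    "guest@ad.example.test": set(),
    "AD\\Domain Admins": {"ad_admins_external"},
    "ad_admins_external": {"ad_admins"},
}


def resolve_groups(principal, membership=MEMBERSHIP):
    """Transitive closure of group membership: AD user -> AD group ->
    external group -> POSIX IPA group."""
    seen, todo = set(), [principal]
    while todo:
        for parent in membership.get(todo.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return seen


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat: str = ""            # "all" matches every user (like --usercat=all)
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hostcat: str = ""
    hosts: set = field(default_factory=set)
    servicecat: str = ""
    services: set = field(default_factory=set)

    def matches(self, user, groups, host, service):
        if not self.enabled:
            return False
        user_ok = self.usercat == "all" or user in self.users or bool(groups & self.groups)
        host_ok = self.hostcat == "all" or host in self.hosts
        svc_ok = self.servicecat == "all" or service in self.services
        return user_ok and host_ok and svc_ok


def hbac_allows(rules, user, host, service):
    """HBAC is allow-only: access is granted iff some enabled rule matches.
    With no matching rule the answer is deny; nothing can express 'deny'."""
    groups = resolve_groups(user)
    return any(r.matches(user, groups, host, service) for r in rules)


# Constructed rule set: the default allow_all plus one specific rule that
# references the POSIX group wrapping the external group.
ALLOW_ALL = HbacRule("allow_all", usercat="all", hostcat="all", servicecat="all")
ADMIN_SSH = HbacRule("ad_admins_ssh", groups={"ad_admins"},
                     hosts={"web1.ipa.example.test"}, services={"sshd"})

LOCAL_USERS = {"root"}  # constructed: accounts handled before pam_sss

# Simplified account stacks as (control, module) pairs.  STRICT has the
# RHEL/Fedora shape described in the mail: local users short-circuit, everyone
# else is decided by pam_sss.  LOOSE has an extra 'sufficient' pam_permit
# ahead of pam_sss, which makes the HBAC decision irrelevant.
STRICT_STACK = [("required", "pam_unix"), ("sufficient", "pam_localuser"),
                ("required", "pam_sss"), ("required", "pam_permit")]
LOOSE_STACK = [("required", "pam_unix"), ("sufficient", "pam_permit"),
               ("required", "pam_sss")]


def pam_account(stack, rules, user, host, service):
    """Walk the stack with simplified required/requisite/sufficient semantics."""
    failed = False
    for control, module in stack:
        if module in ("pam_unix", "pam_permit"):
            ok = True                       # modelled as always passing
        elif module == "pam_localuser":
            ok = user in LOCAL_USERS
        elif module == "pam_sss":
            ok = hbac_allows(rules, user, host, service)
        else:
            raise ValueError(f"unknown module {module}")
        if control == "sufficient" and ok and not failed:
            return True                     # short-circuit: later modules never run
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True                   # keep going, but final result is deny
    return not failed


def demo():
    """Return access decisions for the constructed users, hosts and stacks."""
    guest, admin, web1, db1 = ("guest@ad.example.test", "warren@ad.example.test",
                               "web1.ipa.example.test", "db1.ipa.example.test")
    strict_rules = [replace(ALLOW_ALL, enabled=False), ADMIN_SSH]
    return {
        "allow_all_guest": pam_account(STRICT_STACK, [ALLOW_ALL, ADMIN_SSH], guest, web1, "sshd"),
        "strict_guest": pam_account(STRICT_STACK, strict_rules, guest, web1, "sshd"),
        "strict_admin_web1": pam_account(STRICT_STACK, strict_rules, admin, web1, "sshd"),
        "strict_admin_db1": pam_account(STRICT_STACK, strict_rules, admin, db1, "sshd"),
        "strict_root": pam_account(STRICT_STACK, strict_rules, "root", db1, "sshd"),
        "loose_guest": pam_account(LOOSE_STACK, strict_rules, guest, web1, "sshd"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:20s} {'allow' if allowed else 'deny'}")
```

The `loose_guest` case is the situation the reply warns about: HBAC correctly denies the guest once allow_all is disabled, yet the stack still grants access because a module ahead of pam_sss returned success. On a real deployment the HBAC part of this can be checked with `ipa hbactest --user ... --host ... --service ...`, which evaluates the server-side rules but, like this model's `hbac_allows`, says nothing about what the rest of the client's PAM configuration does.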




More information about the Freeipa-users mailing list