[Freeipa-users] Active Directory users are not controlled by HBAC

Birnbaum, Warren (ETW) Warren.Birnbaum at nike.com
Mon Jan 25 21:26:55 UTC 2016


Thanks Alexander.  Is there a place where there are example PAM stacks
that work with Active Directory and HBAC?
 
___________________
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697
On 1/22/16, 2:44 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

>On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>Thanks for your reply.  I understand what you are saying but don't see how
>>this would work because Allow_All is my current situation (even with this
>>rule disabled).  My understanding is you can't restrict through a rule, only
>>limit.  Am I missing something?
>Yes.
>
>First, lack of an HBAC rule that allows access to a service means pam_sss
>will deny access to this service. HBAC rules only give you the means to
>_allow_ access, not to limit it, as when no rules are in place
>everything is disallowed.  The 'allow_all' HBAC rule is provided exactly to
>allow starting with a fresh working ground -- you would then remove the
>'allow_all' rule after creating specific allow rules.
>
>Second, while pam_sss evaluates HBAC rules, it is only one module in a
>PAM stack. There might be other PAM modules that could make their own
>decisions to allow access to a specific service. You need to see what is
>in your configuration.
>
>On RHEL and Fedora we configure the PAM stack in such a way that apart from
>root and the wheel group the rest is managed by SSSD via pam_sss. If your
>configuration is different, it is up to you to ensure everything is
>tightened up.
>
>>
>>
>>
>>
>>On 1/22/16, 1:51 PM, "freeipa-users-bounces at redhat.com on behalf of Jakub
>>Hrozek" <freeipa-users-bounces at redhat.com on behalf of
>>jhrozek at redhat.com>
>>wrote:
>>
>>>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>>>> Hi.
>>>>
>>>> I have been successful using FreeIPA 4.1 configuring Active Directory
>>>> users and with sudo.  The problem I am having is that the HBAC rules
>>>> are not applying to my Active Directory users.  They have access to all
>>>> systems even if I disable my Allow_ALL rule.  Is there something
>>>> special I should be doing to the domain?
>>>
>>>Normally HBAC for AD users should be done through an external group you
>>>add the AD users or groups to, then add the external group to a regular
>>>IPA group and reference this IPA group from HBAC rules.
>>>
>>>There have been bugs related to external groups resolution, so please
>>>update to the latest IPA and SSSD packages also.
>>>
>>>--
>>>Manage your subscription for the Freeipa-users mailing list:
>>>https://www.redhat.com/mailman/listinfo/freeipa-users
>>>Go to http://freeipa.org for more info on the project
>
>-- 
>/ Alexander Bokovoy
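Added example, not code from this thread or from the FreeIPA/SSSD projects: Alexander's second point is that pam_sss is only one module in the stack, and a module ahead of it that ends the stack with success lets a user in without any HBAC evaluation. The script below audits the "account" section of a PAM service file for exactly that. It treats pam_localuser.so and pam_succeed_if.so as acceptable short-circuits because they can only match local or system accounts (an assumption about how the audited hosts were generated; adjust the list for other layouts). The three sample stacks are constructed for the example: the first approximates the authconfig-generated RHEL/Fedora layout, the second has a blanket pam_permit.so placed ahead of pam_sss, the third has no pam_sss at all.

```bash
#!/bin/bash
# Audit the "account" stack of a PAM service file: is pam_sss (the module
# that evaluates IPA HBAC rules) reached for non-local users, or does an
# earlier module grant access before HBAC is ever consulted?

# Modules allowed to end the stack before pam_sss because they only match
# local/system accounts. Assumption: matches how the hosts were generated.
LOCAL_ONLY_MODULES="pam_localuser.so pam_succeed_if.so"

is_local_only() {
    for m in $LOCAL_ONLY_MODULES; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# "sufficient" is shorthand for [success=done new_authtok_reqd=done default=ignore];
# any control that maps success to "done" ends the stack on success.
ends_stack_on_success() {
    case "$1" in
        sufficient|*success=done*) return 0 ;;
    esac
    return 1
}

# check_account_stack FILE
#   0 = pam_sss is reached for non-local users (HBAC enforced)
#   1 = pam_sss absent from the account stack (HBAC never consulted)
#   2 = a module before pam_sss can grant access without HBAC
check_account_stack() {
    local file="$1" seen_sss=0 rc=1 line words control module i
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                      # strip comments
        read -r -a words <<< "$line"
        [ "${words[0]}" = "account" ] || continue
        # The control field is one word, or a bracketed "value=action" list
        # that may span several words, e.g. [default=bad success=ok user_unknown=ignore]
        if [[ "${words[1]}" == "["* ]]; then
            control="${words[1]}"; i=2
            while [[ "$control" != *"]" && $i -lt ${#words[@]} ]]; do
                control="$control ${words[i]}"; i=$((i + 1))
            done
            module="${words[i]}"
        else
            control="${words[1]}"; module="${words[2]}"
        fi
        if [ "$module" = "pam_sss.so" ]; then
            seen_sss=1; rc=0
        elif [ "$seen_sss" -eq 0 ] && ends_stack_on_success "$control" \
             && ! is_local_only "$module"; then
            printf '%s: %s (%s) precedes pam_sss and can grant access without HBAC\n' \
                "$file" "$module" "$control"
            return 2
        fi
    done < "$file"
    [ "$rc" -eq 0 ] || printf '%s: pam_sss.so missing from account stack\n' "$file"
    return "$rc"
}

# Constructed sample stacks for the demonstration (not copied from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/system-auth.ok" <<'EOF'
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF
cat > "$SAMPLE_DIR/system-auth.bad" <<'EOF'
account     required      pam_unix.so
account     sufficient    pam_permit.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
EOF
cat > "$SAMPLE_DIR/system-auth.nosss" <<'EOF'
account     required      pam_unix.so
account     required      pam_permit.so
EOF

for f in "$SAMPLE_DIR"/system-auth.*; do
    rc=0; check_account_stack "$f" || rc=$?
    echo "$f -> exit $rc"
done
```

Run it against /etc/pam.d/system-auth and /etc/pam.d/password-auth (or whatever the sshd and login services include) on a host where AD users get in unexpectedly; exit 2 points at the module that is granting access before pam_sss, exit 1 means HBAC is not wired into that service at all. This only covers the account phase, which is where pam_sss applies HBAC; the auth phase is a separate question.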