[Freeipa-users] Active Directory users are not controlled by HBAC
Sumit Bose
sbose at redhat.com
Thu Jan 28 08:11:07 UTC 2016
On Wed, Jan 27, 2016 at 06:53:43PM +0000, Birnbaum, Warren (ETW) wrote:
> I started this post with a simple question: "is it possible to have HBAC
> work with AD authenticated users". I was not able from the tips provided
> to get any further with this.
>
> What I have not been able to have addressed is, if there are no HBAC
> rules, there should be no access, or if there is no Allow_Access rule, no
> one should be able to login to any system. Currently with this said
> configuration, everyone has access to every system. My pam stack is
> exactly as recommended. Is there someone who has FreeIPA with active
> directory authenticated users and HBAC working? I don't have trust
> defined with AD but authentication is working fine.
The HBAC checks are done by SSSD. If there are issues, the SSSD logs would
help to identify the reason. Please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details. With
respect to HBAC, the sssd_pam.log and sssd_your.domain.log are the most
important. Setting debug_level=10 in the [pam] and [domain/...] sections
of sssd.conf should produce the most details.
Feel free to send the logs to me directly if you think they may disclose
too many details of your environment on a public mailing-list.
HTH
bye,
Sumit
>
> From the following link:
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-groups.html
> It says in the second paragraph:
>
> "However, Active Directory users cannot be added directly to FreeIPA user
> groups. This means that Active Directory users require special
> configuration in order to access FreeIPA domain resources."
>
> There is then a procedure given to create user groups that work with HBAC.
> I don't see how this would help me, since adding a user to a group could
> only be used to further allow access to systems, but all users already
> have total access to all systems.
>
> Thanks for your help!
>
> Warren
>
> On 1/25/16, 2:47 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>
> >On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
> >>OK. I have done this and am using the pam stack that is the result of
> >>what you here describe.
> >>
> >>A few threads back you mentioned that this could be a reason why my hbac
> >>are not restricting access. I have no hbac rules currently and any active
> >>directory user can access any host. Is there something else I could look
> >>at to see why this is happening?
> >https://fedorahosted.org/sssd/wiki/Troubleshooting is your friend.
> >
> >--
> >/ Alexander Bokovoy
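Sumit's point that HBAC is evaluated on the client by SSSD can be illustrated with a small deny-by-default model; the code below is an added example written for this page, a simplified stand-in for SSSD's libipa_hbac rather than code from SSSD or FreeIPA. Rule names, the AD domain, host and group names are constructed; the allow_all rule mirrors the one FreeIPA creates at install time, and disabling it is what makes the narrow rule the only path to access.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """One HBAC allow rule. A category of "all" is unrestricted; otherwise
    the field is the set of user/group, host/hostgroup or service names."""
    name: str
    enabled: bool = True
    users: object = "all"
    hosts: object = "all"
    services: object = "all"

@dataclass
class Request:
    """Who is logging in, on which host, through which PAM service."""
    user: str
    user_groups: set
    host: str
    host_groups: set
    service: str

def _matches(category, names: set) -> bool:
    return category == "all" or bool(set(category) & names)

def hbac_allowed(rules, req: Request) -> bool:
    """Deny by default: allow only if some enabled rule matches all three
    dimensions (user, host, service) of the request."""
    for r in rules:
        if not r.enabled:
            continue
        if (_matches(r.users, {req.user} | req.user_groups)
                and _matches(r.hosts, {req.host} | req.host_groups)
                and _matches(r.services, {req.service})):
            return True
    return False

# Constructed sample data (made-up names): the allow_all rule FreeIPA creates
# at install time, plus a narrow rule for an AD group mapped into IPA.
ALLOW_ALL = Rule("allow_all")
ALLOW_ALL_DISABLED = Rule("allow_all", enabled=False)
ADMINS_SSH = Rule("ad_admins_ssh", users={"ad_admins"}, hosts={"web01"},
                  services={"sshd"})
WARREN = Request("warren@ad.example.com", {"ad_admins"}, "web01", {"webservers"}, "sshd")
BOB = Request("bob@ad.example.com", {"ad_users"}, "web01", {"webservers"}, "sshd")

if __name__ == "__main__":
    print("no rules      ->", hbac_allowed([], WARREN))                              # False
    print("allow_all on  ->", hbac_allowed([ALLOW_ALL, ADMINS_SSH], BOB))            # True
    print("allow_all off ->", hbac_allowed([ALLOW_ALL_DISABLED, ADMINS_SSH], BOB))   # False
```

With allow_all disabled, only members of ad_admins reach web01 over sshd; the same user on another host or service is denied.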