<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px"><div id="yui_3_16_0_1_1439835139086_9074">Ok thanks all. I will look into pam_list, integrating with the Solaris RBAC is probably beyond me as I am not that Solaris savvy and there is no documentation on using it with freeipa that I see.</div><div id="yui_3_16_0_1_1439835139086_9280"><br></div><div id="yui_3_16_0_1_1439835139086_9281" dir="ltr">I tried using AllowGroups in sshd_config on Solaris to restrict access but it only seems to work with primary group membership. Is this expected? From reading documentation it should work with secondary/supplementary documentation as well. Let me know if you have found a way around that please.</div><br>  <div id="yui_3_16_0_1_1439835139086_8905" style="font-family: bookman old style, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_1_1439835139086_8904" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1439835139086_8903" dir="ltr"> <hr id="yui_3_16_0_1_1439835139086_9003" size="1">  <font id="yui_3_16_0_1_1439835139086_8902" face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Bob <harvero@gmail.com><br> <b><span style="font-weight: bold;">To:</span></b> Natxo Asenjo <natxo.asenjo@gmail.com> <br><b><span style="font-weight: bold;">Cc:</span></b> Freeipa-users <freeipa-users@redhat.com> <br> <b><span style="font-weight: bold;">Sent:</span></b> Saturday, August 15, 2015 10:46 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [Freeipa-users] HBAC rules not applying to Solaris clients<br> </font> </div> <div id="yui_3_16_0_1_1439835139086_8906" class="y_msg_container"><br><div id="yiv6150558490"><div id="yui_3_16_0_1_1439835139086_8909"><div id="yui_3_16_0_1_1439835139086_8908" dir="ltr"><div id="yui_3_16_0_1_1439835139086_8907"><br clear="none"></div>For Solaris 
we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file. <br clear="none"></div><div id="yui_3_16_0_1_1439835139086_8911" class="yiv6150558490gmail_extra"><br clear="none"><div id="yui_3_16_0_1_1439835139086_8920" class="yiv6150558490gmail_quote">On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:natxo.asenjo@gmail.com" target="_blank" href="mailto:natxo.asenjo@gmail.com">natxo.asenjo@gmail.com</a>></span> wrote:<br clear="none"><blockquote id="yui_3_16_0_1_1439835139086_8919" class="yiv6150558490gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="qtdSeparateBR"><br><br></div><div class="yiv6150558490yqt0505941846" id="yiv6150558490yqt44449"><div id="yui_3_16_0_1_1439835139086_8918" dir="ltr"><br clear="none"><div id="yui_3_16_0_1_1439835139086_8917" class="yiv6150558490gmail_extra"><br clear="none"><div id="yui_3_16_0_1_1439835139086_8916" class="yiv6150558490gmail_quote">On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>></span> wrote:<br clear="none"><blockquote id="yui_3_16_0_1_1439835139086_8915" class="yiv6150558490gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">sipazzo wrote:<br clear="none">
<blockquote id="yui_3_16_0_1_1439835139086_8914" class="yiv6150558490gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br clear="none">
and my users are able to authenticate to the directory but the hbac<br clear="none">
rules are not being applied. Any user whether given access or not can<br clear="none">
log in to the Solaris systems. The "allow-all" rule has been disabled, my<br clear="none">
nsswitch.conf file looks good and I have tried different configs of<br clear="none">
pam.d, including the provided example to try to resolve the issue. Am I<br clear="none">
missing some steps?<br clear="none">
</blockquote>
<br clear="none">
HBAC enforcement is provided by sssd so it doesn't work in Solaris.<br clear="all"></blockquote></div><br clear="none"></div><div id="yui_3_16_0_1_1439835139086_8924" class="yiv6150558490gmail_extra">one might try using solaris' RBAC system:<br clear="none"><br clear="none"><a id="yui_3_16_0_1_1439835139086_8923" rel="nofollow" shape="rect" target="_blank" href="http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html">http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html</a><br clear="none"><br clear="none"></div><div id="yui_3_16_0_1_1439835139086_8998" class="yiv6150558490gmail_extra">You would have to distribute your changes to all solaris systems.<br clear="none"><br clear="none"></div><div class="yiv6150558490gmail_extra">There is an RBAC ldap schema <a rel="nofollow" shape="rect" target="_blank" href="http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html">http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html</a> for solaris, but I have never tried using it with freeipa. <br clear="none"></div><div id="yui_3_16_0_1_1439835139086_8930" class="yiv6150558490gmail_extra"><br clear="none"><div id="yui_3_16_0_1_1439835139086_8929">--<br clear="none">Groeten,<br clear="none">natxo</div>
</div></div></div>
<br clear="none">--<br clear="none">
Manage your subscription for the Freeipa-users mailing list:<br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br clear="none">
Go to <a rel="nofollow" shape="rect" target="_blank" href="http://freeipa.org/">http://freeipa.org</a> for more info on the project<br clear="none"></blockquote></div><br clear="none"></div></div></div></div> </div> </div>  </div></body></html>