[Freeipa-users] Is sssd currently useable with freeipa v2 ?

Rob Crittenden rcritten at redhat.com
Sun May 2 02:43:22 UTC 2010


Oliver Burtchen wrote:
> Hi Stephen,
> 
> I nailed the problem now a little bit down. I think it's HBAC with its empty 
> rules in the standard configuration. For me it was hard to recognize that it 
> prevents every user added with "ipa user-add" from logging in the server or 
> joined machines (via ssh or console). When I do a "ipa-client-install --on-
> master --permit" everything works fine. Without the "--permit" I always get an 
> access denied via pam-configuration.
> 
> Are there any documentations ready for reading/review for HBAC with freeipa? 
> At least it would be nice to have some short docu what is necessary. Could you 
> lead me a little bit?

You need at least sssd 1.1.1 for hbac to work. I just added a tiny bit 
of documentation on this yesterday at 
http://freeipa.org/page/CLI_Overview#hbac

It might point you in the right direction anyway. I hope to have more 
thorough documentation on it available soon.

The default configuration in hbac uses the model "denied unless 
explicitly allowed" which is why all your logins failed. We don't 
currently have any default rules set up, I wonder if we should have some 
basic ones for demonstration purposes and to sort of bootstrap things.

rob

> 
> And thanks for your explanation about the sssd and sssd12 branch/repo at 
> jdennis. It makes the difference very clear to me and I now use the sssd12 for 
> testing (just to calm down a little bit ;-) ). Maybe a little readme.txt with 
> your explanation would be quite nice on the server, so other people don't have 
> to ask again.
> 
> Best regards,
> Oli
> 
> 
> Am Mittwoch, 21. April 2010 22:41:53 schrieb Stephen Gallagher:
>> On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
>>> Hi Stephen,
>>>
>>> thanks for the answer. Yes, I used the ipa-client-install tool. But I had 
>>> first patched in this fix
>>>
>>> https://www.redhat.com/archives/freeipa-devel/2010-April/msg00004.html
>>>
>>> from Rob to get 'join' working again. Well, living at the bleeding edge. 
>>> ;-)
>>> I'll see if I can nail the problem down.
>> You may find the debug logs in /var/log/sssd/. At their default settings 
>> (level 0) these logs will display only critical errors. But if you need 
>> more information, you can turn up the debug_level in the 
>> /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will 
>> fill up fairly quickly.
>>
>>> Btw., what's the difference between
>>> the sssd and sssd12 repos at jdennis? What is the most recent one, what's 
>>> best to use with the ipa-devel repo?
>>>
>> We split the development of 1.2 off into its own branch. Builds from 
>> that branch are put into the sssd12 repo. We're aiming to release 1.2.0 
>> at the beginning of May. So that's the branch targeted towards our next 
>> public release. We did this so we could put the finishing touches on 
>> SSSD 1.2 while those of us who have completed their 1.2 tasks can move 
>> ahead.
>>
>> The sssd repo contains our more experimental changes (for example, the 
>> internal cache interface was completely rewritten). These are the 
>> changes that will be forthcoming in sssd 1.3 sometime this summer.
>>
>> So your choices are:
>> sssd12: Stabilizing towards release
>> sssd: Hang on for dear life(*)
>>
>>
>>
>> (*) I usually run on this branch - eating my own dogfood, as it were - 
>> though we make no guarantees that it won't break.
>>
> 
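The "denied unless explicitly allowed" HBAC model Rob describes, as an added illustration that is not FreeIPA or SSSD code: a constructed evaluator in which a login is granted only when some enabled rule matches the user, host and service, so an empty rule set (the default install) denies everything and an allow-all rule (what `--permit` achieves) lets every login through. Rule and host names are constructed sample data.

```python
"""Constructed model of HBAC default-deny evaluation; not FreeIPA/SSSD code."""
from dataclasses import dataclass, field

ANY = "*"  # wildcard: a rule category that matches any user, host or service


@dataclass
class HbacRule:
    name: str
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    enabled: bool = True

    def matches(self, user, host, service):
        """A rule matches only if every one of its three categories matches."""
        return (self.enabled
                and (ANY in self.users or user in self.users)
                and (ANY in self.hosts or host in self.hosts)
                and (ANY in self.services or service in self.services))


def hbac_allowed(rules, user, host, service):
    """Default deny: return the name of the first matching enabled rule,
    or None when no rule grants the login."""
    for rule in rules:
        if rule.matches(user, host, service):
            return rule.name
    return None


# A freshly installed server has no rules, so every login is denied; this is
# the "access denied via pam" the original poster saw.
EMPTY_RULES = []

# Roughly what "--permit" sets up: one rule that allows everything (constructed name).
ALLOW_ALL = [HbacRule("allow_all", {ANY}, {ANY}, {ANY})]

# A narrower rule set an administrator might create instead (constructed data).
SAMPLE_RULES = [
    HbacRule("admins_ssh", {"admin"}, {ANY}, {"sshd"}),
    HbacRule("oli_console", {"oli"}, {"ipa.example.test"}, {"login"}),
    HbacRule("old_rule", {ANY}, {ANY}, {ANY}, enabled=False),  # disabled: never matches
]

if __name__ == "__main__":
    for label, rules in (("empty", EMPTY_RULES), ("permit", ALLOW_ALL), ("sample", SAMPLE_RULES)):
        for req in (("oli", "ipa.example.test", "sshd"), ("oli", "ipa.example.test", "login")):
            print(label, req, hbac_allowed(rules, *req) or "DENIED")
```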