[Freeipa-users] Is sssd currently useable with freeipa v2 ?

Oliver Burtchen o.burtchen at gmx.de
Mon May 3 14:52:52 UTC 2010 

Am Montag, 3. Mai 2010 09:14:26 schrieb Sumit Bose:
> On Sun, May 02, 2010 at 08:41:14PM +0200, Oliver Burtchen wrote:
> > Am Sonntag, 2. Mai 2010 04:43:22 schrieb Rob Crittenden:
> > > Oliver Burtchen wrote:
> > > > Hi Stephen,
> > > >
> > > > I nailed the problem now a little bit down. I think it's HBAC with
> > > > it's empty rules in the standard configuration. For me it was hard to
> > > > recognize that it prevents every user added with "ipa user-add" from
> > > > logging in the server or joined machines (via ssh or console). When I
> > > > do a "ipa-client-install --on- master --permit" everthing works fine.
> > > > Without the "--permit" I always get a access denied via
> > > > pam-configuration.
> > > >
> > > > Are there any documentations ready for reading/review for HBAC with
> > > > freeipa? At least it would be nice to have some short docu what is
> > > > necessary. Could you lead me a little bit?
> > >
> > > You need at least sssd 1.1.1 for hbac to work. I just added a tiny bit
> > > of documentation on this yesterday at
> > > http://freeipa.org/page/CLI_Overview#hbac
> > >
> > > It might point you in the right direction anyway. I hope to have more
> > > thorough documentation on it available soon.
> >
> > Thanks for the hint. Just for the record, here are some more
> > Informations:
> > http://freeipa.org/page/Concepts_and_Objects#Host_Based_Access_Control
> 
> Even more information can be found here:
> http://freeipa.org/page/DS_Design_Summary#HBAC_object
> This page is basically what I used to implement the IPA HBAC rules in
> sssd.

This was exactly the information I needed. Thanks! Also for the examples 
below.

I was completely unaware or rather had no clue what the (srchost/host/user) 
category options are for. Now I got it and it works.


One other cosmetic thing I observed: There are

hbac-add, hbac-add-host, hbac-add-user, ...

but

hbac-del
and
hbac-remove-host, hbac-remove-user, ...

IMHO it would be more consistent to rename the hbac-remove-* commands 
to hbac-del-*


So, at least one more question:  ;-)

What are the exact service-names to use in --service? I know basically they 
are the ones like in /etc/services, or what pam uses. But I noticed that both 
ssh and sshd are applicable for ssh. Is there somewhere a list or do they 
provide it by their selfs, and I can only make a good guess and try.

Best regards,
Oli



> 
> > > The default configuration in hbac uses the model "denied unless
> > > explicitly allowed" which is why all your logins failed. We don't
> > > currently have any default rules set up, I wonder if we should have
> > > some basic ones for demonstration purposes and to sort of bootstrap
> > > things.
> >
> > Well, I played around a little bit and managed to setup rules to allow
> > ssh- login. Now I have some more questions:
> >
> > a) Is it right that I cannot use wildcards or placeholders in the
> > service- name? I tried "all" and "*", but only explicite naming like
> > "ssh" or "sshd" works.
> 
> If the service is empty every service is allowed.
> 
> > b) Is it right, that I have to set host and source-host? For me, it
> > doesn't work if I do not. My first thought was, if it's not set, it
> > should always match.
> 
> Please set the source host category to 'all':
>  ipa hbac-mod --srchostcat=all YOUR_RULE_NAME
> 
> > c) Like a), how to set up a rule for all hosts or source-hosts? Do I have
> > to put them all in a hostgroup? If so, than it would be very handy, if
> > ipa could manage such group automagically for reference.
> 
> There is also a host category and a user category to set:
>  ipa hbac-mod --hostcat=all YOUR_RULE_NAME
>  ipa hbac-mod --usercat=all YOUR_RULE_NAME
> 
> > d) How to setup a rule which restrics services like nfs to the lan (and
> > known hosts), but permits ssh from every machine over the internet
> > (unknown hosts)?
> 
> You will need two rules one for the service sshd and one for nfs.
> 
> > e) Like Simo suggested, finally how to setup an explicit permit all rule
> > for testing?
> 
> ipa hbac-add --type=allow allow_all
> ipa hbac-mod --srchostcat=all allow_all
> ipa hbac-mod --hostcat=all allow_all
> ipa hbac-mod --usercat=all allow_all
> 
> HTH.
> 
> bye,
> Sumit
> 
> > Best regards,
> > Oli
> >
> > > rob
> > >
> > > > And thanks for your explanation about the sssd and sssd12 branch/repo
> > > > at jdennis. It makes the difference very clear to me and I now use
> > > > the sssd12 for testing (just to calm down a little bit   ;-) . Maybe
> > > > a little readme.txt with your explanation would be quite nice on the
> > > > server, so other people don't have to ask again.
> > > >
> > > > Best regards,
> > > > Oli
> > > >
> > > > Am Mittwoch, 21. April 2010 22:41:53 schrieb Stephen Gallagher:
> > > >> On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
> > > >>> Hi Stephen,
> > > >>>
> > > >>> thanks for the answer. Yes, I used the ipa-client-install tool. But
> > > >>> I had
> > > >
> > > > first
> > > >
> > > >>> patched in this fix
> > > >>>
> > > >>> https://www.redhat.com/archives/freeipa-devel/2010-April/msg00004.h
> > > >>>tml
> > > >>>
> > > >>> from Rob to get 'join' working again. Well, living at the bleeding
> > > >>> edge.
> > > >
> > > > ;-)
> > > >
> > > >>> I'll see if I can nail the problem down.
> > > >>
> > > >> You may find the debug logs in /var/log/sssd/. At their default
> > > >> settings (level 0) these logs will display only critical errors. But
> > > >> if you need more information, you can turn up the debug_level in the
> > > >> /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs
> > > >> will fill up fairly quickly.
> > > >>
> > > >> Btw., what's the difference between
> > > >>
> > > >>> the sssd and sssd12 repos at jdennis? What is the most recent one,
> > > >>> whats
> > > >
> > > > best
> > > >
> > > >>> to use with the ipa-devel repo?
> > > >>
> > > >> We split the development of 1.2 off into it's own branch. Builds
> > > >> from that branch are put into the sssd12 repo. We're aiming to
> > > >> release 1.2.0 at the beginning of May. So that's the branch targeted
> > > >> towards our next public release. We did this so we could put the
> > > >> finishing touches on SSSD 1.2 while those of us who have completed
> > > >> their 1.2 tasks can move ahead.
> > > >>
> > > >> The sssd repo contains our more experimental changes (for example,
> > > >> the internal cache interface was completely rewritten). These are
> > > >> the changes that will be forthcoming in sssd 1.3 sometime this
> > > >> summer.
> > > >>
> > > >> So your choices are:
> > > >> sssd12: Stabilizing towards release
> > > >> sssd: Hang on for dear life(*)
> > > >>
> > > >>
> > > >>
> > > >> (*) I usually run on this branch - eating my own dogfood, as it were
> > > >> - though we make no guarantees that it won't break.
> > > >>
> > > >> _______________________________________________
> > > >> Freeipa-users mailing list
> > > >> Freeipa-users at redhat.com
> > > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

-- 
Oliver Burtchen, Berlin

More information about the Freeipa-users mailing list