[Freeipa-users] HBAC rules take in effect on IPA clients immediately after installation?

Jakub Hrozek jhrozek at redhat.com
Sat May 19 17:12:37 UTC 2012


On Fri, May 18, 2012 at 02:27:15PM -0700, Gelen James wrote:
>    Hi all,
>     Just like to clarify my confusion: Are the HBAC (Host Based Access
>    Control) rules immediately in effect after IPA client software
>    configurations through sssd? Do we have any options inside sssd.conf to
>    enable/disable the HBAC rules per machine (inside IPA domain)? I have this
>    question because some important servers need to be available all the
>    time, even badly written HBAC rules could block access to all other
>    servers.
>     Another very close question is: what are the scenarios to use '--permit'
>    option to 'ipa-client-install'? The manual says 'Configure SSSD to permit
>    all access. Otherwise the machine will be controlled by the Host-based
>    Access Controls (HBAC) on the IPA server.'. So is this the solution to the
>    above problem? 
>     Thanks a lot.
>    --Gelen

Yes, passing --permit to ipa-client-install is the solution to your
problem.

What it does under the hood is set access_provider = permit in
sssd.conf, which means "always allow access". See man sssd.conf(5) for
more information on the default access providers.
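
Added example, not part of the original message and not FreeIPA or SSSD code: a small audit that reads an sssd.conf and reports, for each active domain, whether HBAC is actually being enforced or bypassed by access_provider = permit. The sample configuration and domain names are constructed; the sketch relies on the access_provider default of "permit" documented in sssd.conf(5) and on HBAC being evaluated only by the ipa access provider.

```python
import configparser

# Constructed sample: the kind of sssd.conf an IPA client can end up with
# after `ipa-client-install --permit` (domain names are placeholders).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = ipa.example.test, lab.example.test, legacy.example.test

[domain/ipa.example.test]
id_provider = ipa
access_provider = ipa

[domain/lab.example.test]
id_provider = ipa
access_provider = permit

[domain/legacy.example.test]
id_provider = ipa

[domain/unused.example.test]
id_provider = ipa
access_provider = permit
"""

def audit_access_providers(conf_text):
    """Return {domain: (access_provider, hbac_enforced)} for active domains."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Only domains listed in [sssd] domains= are started by SSSD.
    raw = cp.get("sssd", "domains", fallback="")
    active = [d.strip() for d in raw.split(",") if d.strip()]
    report = {}
    for name in active:
        section = "domain/" + name
        if not cp.has_section(section):
            report[name] = (None, False)  # listed but has no section
            continue
        # sssd.conf(5): access_provider defaults to "permit" when unset.
        provider = cp.get(section, "access_provider", fallback="permit")
        provider = provider.strip().lower()
        # Assumption stated above: only "ipa" evaluates server-side HBAC.
        report[name] = (provider, provider == "ipa")
    return report

if __name__ == "__main__":
    for dom, (prov, ok) in audit_access_providers(SAMPLE_SSSD_CONF).items():
        state = "HBAC enforced" if ok else "HBAC NOT enforced"
        print(f"{dom}: access_provider={prov} -> {state}")
```

Run against the real /etc/sssd/sssd.conf (readable by root only), this gives an inventory of hosts that were enrolled with --permit and are therefore outside HBAC control.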



