[Freeipa-users] HBAC and SUDO rules for legacy clients

Srdjan Dutina sdutina at gmail.com
Tue Apr 21 08:07:58 UTC 2015


Yes, it does. Thank you.

On Mon, Apr 20, 2015 at 6:08 PM Srdjan Dutina <sdutina at gmail.com> wrote:

> Sorry for misunderstanding.
>
> I understand HBAC rules will not work for CentOS 5. I just wanted to make
> sure disabling the "allow all" rule and adding new HBAC rules won't interfere
> with AD users logging on to CentOS 5.
>
> On Mon, Apr 20, 2015 at 5:03 PM Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
>
>> On Mon, 20 Apr 2015, Srdjan Dutina wrote:
>> >Just found in
>> >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf the next
>> >sentence: "If you have HBAC's allow_all rule disabled, you will need to
>> >allow system-auth service on the FreeIPA master, so that authentication of
>> >the AD users can be performed."
>> >Is this true for FreeIPA 4.1.0 also and how could I do this?
>> Either you are reading it wrong or I don't get where you want to apply
>> HBAC rules because this is for IPA masters, not legacy clients per se.
>> Yes, you need to create an HBAC service named 'system-auth' and grant
>> access to it to AD users on IPA masters, but all it will allow you is to
>> authenticate AD users via the compat tree.
>>
>> If your RHEL5 SSSD clients attempt to run their own HBAC rule checks, AD users
>> cannot be checked by those rules.
>>
>>
>>
>> --
>> / Alexander Bokovoy
>>
>
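The steps Alexander describes (create an HBAC service called system-auth, grant it to AD users on the IPA masters, and only then disable allow_all) as an added example. This is not code from the thread or from the FreeIPA project; it is a plain sh script around the `ipa` CLI. The AD domain AD.EXAMPLE.COM, the group "Domain Users", the master names ipa1/ipa2.example.com, the group names ad_users_external/ad_users and the rule name allow_systemauth_ad_users are all assumptions to be replaced with your own. AD principals cannot be placed in an HBAC rule directly, so the script follows the usual pattern of an external group nested into a POSIX group that the rule references.

```shell
#!/bin/sh
# Added example, not FreeIPA project code and not from the original thread.
# Allows AD users to authenticate through the compat tree on the IPA masters
# once the default HBAC allow_all rule is disabled, as described in the thread.
# Assumed values (replace with your own): AD.EXAMPLE.COM, "Domain Users",
# ipa1/ipa2.example.com, group and rule names below.
# Without --apply the script is a dry run and only prints the ipa commands.

IPA="${IPA:-ipa}"
AD_DOMAIN="${AD_DOMAIN:-AD.EXAMPLE.COM}"                          # assumption
AD_GROUP="${AD_GROUP:-Domain Users}"                              # assumption
IPA_MASTERS="${IPA_MASTERS:-ipa1.example.com ipa2.example.com}"   # assumption
RULE="allow_systemauth_ad_users"                                  # assumption

# External group (holds AD SIDs) nested into a POSIX group that HBAC can use.
hbac_ad_groups_setup() {
  $IPA group-add ad_users_external --external \
      --desc="AD users allowed to authenticate via the compat tree"
  $IPA group-add ad_users --desc="POSIX wrapper around ad_users_external"
  $IPA group-add-member ad_users_external --external "$AD_DOMAIN\\$AD_GROUP"
  $IPA group-add-member ad_users --groups=ad_users_external
}

# The HBAC service name is the PAM service the masters use when the compat
# tree authenticates an AD user, hence 'system-auth'.
hbac_systemauth_setup() {
  $IPA hbacsvc-add system-auth --desc="PAM system-auth (compat tree logins)"
  $IPA hbacrule-add "$RULE" --desc="AD users may authenticate on IPA masters"
  $IPA hbacrule-add-service "$RULE" --hbacsvcs=system-auth
  for h in $IPA_MASTERS; do
    $IPA hbacrule-add-host "$RULE" --hosts="$h"
  done
  $IPA hbacrule-add-user "$RULE" --groups=ad_users
}

# Only after the rule above exists is it safe to switch off allow_all;
# otherwise AD logins through the masters stop working.
hbac_allow_all_disable() {
  $IPA hbacrule-disable allow_all
}

if [ "${1:-}" = "--apply" ]; then
  hbac_ad_groups_setup && hbac_systemauth_setup && hbac_allow_all_disable
else
  IPA=echo   # dry run: print the commands instead of running them
  hbac_ad_groups_setup; hbac_systemauth_setup; hbac_allow_all_disable
fi
```

Run it with a valid admin ticket (`kinit admin`) and `--apply` on one master; the objects replicate to the others. Note the caveat from the thread: this only lets AD users authenticate through the compat tree on the masters. The CentOS 5 clients themselves cannot evaluate HBAC rules for AD users, so the per-client rules you add for IPA users do not restrict AD users there. After applying, `ipa hbacrule-show allow_systemauth_ad_users` should list system-auth under services, the masters under hosts and ad_users under user groups.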