[Freeipa-users] HBAC rules don't work with PAM - problem
Jan Pazdziora
jpazdziora at redhat.com
Mon May 11 12:05:15 UTC 2015
On Mon, May 11, 2015 at 01:57:38PM +0200, Jakub Hrozek wrote:
> On Mon, May 11, 2015 at 01:19:01PM +0200, Vangass wrote:
> > Hello,
> >
> > I have a problem with HBAC rules with conjunction with PAM authentication.
> > What I try to do is to authenticate users: tac_plus - PAM (pam_sssd) -
> > FreeIPA.
> > It works just fine but without checking HBAC rules.
> > What I did:
> > - disabled allow_all rule
> > - created new rule with one user and one service (tac_plus)
> > And then, if I try to authenticate another user which is not in above rule
> > then authetication is accepted and this user gets logged in.
> > In logs, what I didn't find is an information about checking HBAC rules...
> > Of course, when I use HBAC Test then everything is correct - one user is
> > granted and another is declined.
> >
> > # cat /etc/pam.d/tac_plus
> > auth required pam_sss.so
> > account required pam_sss.so
>
> If hbactest passes, then we need to see the logs, /var/log/secure and
> SSSD logs. Also the sssd.conf, please.
Also, how did you configure that tac_plus PAM service should be used?
How do you try to access the machine / service?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
More information about the Freeipa-users
mailing list