[Freeipa-users] HBAC with Active directory group is not working

Ben .T.George bentech4you at gmail.com
Sat Apr 30 07:06:16 UTC 2016


Hi

Adding this.

In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
specific external group (where these users are).

But while checking the rule from the IPA server using hbactest, both users'
tests pass and show one rule. But in reality only ben is able to log in to the
client machine, while jude cannot.

[root at freeipa ~]# ipa hbactest --user ben@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login
[root at freeipa ~]# ipa hbactest --user jude@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: test_admins
  Not matched rules: ad_can_login
  Not matched rules: local_admin_can_login

So my HBAC is working partially. How can I fix this?

Regards,
Ben
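The hbactest output above is evaluated on the IPA server, while the actual login is decided by SSSD on the client, and both decisions hinge on which groups are resolved for the user at that moment. The following is an added example, not FreeIPA or SSSD code, that models HBAC rule matching in that way; the rule set, the POSIX group name "ad_users_posix" and the two "views" are constructed for illustration (only ad_can_login, allow_all, client.kwttestdc.com.kw and sshd come from the thread).

```python
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    user_all: bool = False     # user category "all"
    host_all: bool = False     # host category "all"
    service_all: bool = False  # service category "all"


def rule_matches(rule, user, user_groups, host, service):
    # A rule matches only when its user, host and service parts all match.
    if not rule.enabled:
        return False
    user_ok = rule.user_all or user in rule.users or bool(rule.groups & user_groups)
    host_ok = rule.host_all or host in rule.hosts
    service_ok = rule.service_all or service in rule.services
    return user_ok and host_ok and service_ok


def evaluate(rules, user, user_groups, host, service):
    """Mirror hbactest output: access is granted if any enabled rule matches."""
    matched = [r.name for r in rules if rule_matches(r, user, user_groups, host, service)]
    not_matched = [r.name for r in rules if r.enabled and r.name not in matched]
    return {"granted": bool(matched), "matched": matched, "not_matched": not_matched}


# Constructed rule set: allow_all disabled (as in the thread); ad_can_login lets
# members of a hypothetical POSIX group "ad_users_posix" (which would hold the
# AD external group) use sshd on the client.
RULES = [
    HbacRule("allow_all", enabled=False, user_all=True, host_all=True, service_all=True),
    HbacRule("ad_can_login", groups={"ad_users_posix"},
             hosts={"client.kwttestdc.com.kw"}, services={"sshd"}),
]
HOST, SERVICE = "client.kwttestdc.com.kw", "sshd"


def server_view(user):
    """hbactest on the IPA server: constructed so both users resolve to the group."""
    return evaluate(RULES, user, {"ad_users_posix"}, HOST, SERVICE)


def client_view(user, resolved_groups):
    """SSSD on the client: only the groups it actually resolved for the user count."""
    return evaluate(RULES, user, resolved_groups, HOST, SERVICE)
```

Running `client_view("jude@kwttestdc.com.kw", set())` denies access even though `server_view` grants it, which is the shape of the symptom in the thread; comparing `id <user>` on the client against the IPA server's view of the same user is the corresponding check.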

On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George <bentech4you at gmail.com>
wrote:

> Surprisingly, I have created some local IPA users and added them to the same
> HBAC rule, removed the AD group, applied this rule to the client, and that
> worked.
>
> How can I make this AD group work with HBAC?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4you at gmail.com>
> wrote:
>
>> Hi
>>
>> If I disable the allow_all <https://freeipa.idm.local/ipa/ui/#allow_all> rule,
>> I cannot log in to the client machine.
>>
>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4you at gmail.com>
>> wrote:
>>
>>> Hi
>>>
>>> Actually I have added Domain Admins, and the user ben is not part of
>>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>>
>>> -sh-4.2$ id
>>> uid=1827801104(ben@kwttestdc.com.kw) gid=1827801104(ben@kwttestdc.com.kw) groups=1827801104(ben@kwttestdc.com.kw),1827800513(domain users@kwttestdc.com.kw),1827801105(sudo admins@kwttestdc.com.kw)
>>>
>>>
>>>
>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4you at gmail.com>
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> While explaining here it went wrong. Actually what I did is:
>>>> "Added external group to POSIX group"
>>>>
>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhrozek at redhat.com>
>>>> wrote:
>>>>
>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>> > Hi,
>>>>> >
>>>>> > "The other is that the groups might not show up on the client (do
>>>>> > they?)"
>>>>>
>>>>> id $user.
>>>>>
>>>>> But I think Alexander noticed the root cause.
>>>>>
>>>>> >
>>>>> > How can I check that?
>>>>> >
>>>>> > Thanks
>>>>> > Ben
>>>>> >
>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhrozek at redhat.com>
>>>>> > wrote:
>>>>> >
>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>> > > > Hi List,
>>>>> > > >
>>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>>> > > > server. By default I can log in to the client server using an AD
>>>>> > > > username.
>>>>> > > >
>>>>> > > > I want to apply HBAC rules against this client server. For that I
>>>>> > > > have done the steps below.
>>>>> > > >
>>>>> > > > 1. Created an external group in the IPA server
>>>>> > > > 2. Created a local POSIX group in the IPA server
>>>>> > > > 3. Added the AD group to the external group
>>>>> > > > 4. Added the POSIX group to the external group.
>>>>> > > >
>>>>> > > > After that I have created an HBAC rule by adding both the local and
>>>>> > > > external IPA groups, added sshd as the service and selected the
>>>>> > > > service group sudo.
>>>>> > > >
>>>>> > > > I have applied this HBAC rule to the client server from the web UI,
>>>>> > > > and while testing HBAC from the web I am getting access denied.
>>>>> > >
>>>>> > > Sorry, not enough info.
>>>>> > >
>>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>>> > > well.
>>>>> > > The other is that the groups might not show up on the client (do
>>>>> > > they?)
>>>>> > >
>>>>> > > Anyway, it might be a good idea to follow
>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>>> > >
>>>>> > > --
>>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> > > Go to http://freeipa.org for more info on the project
>>>>> > >