[Freeipa-users] HBAC with Active directory group is not working

Ben .T.George bentech4you at gmail.com
Sat Apr 30 07:24:06 UTC 2016


And here is my sssd debug log from the client side

http://pastebin.com/ud2q3FR5

On Sat, Apr 30, 2016 at 10:06 AM, Ben .T.George <bentech4you at gmail.com>
wrote:

> Hi
>
> Adding to this.
>
> In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
> specific external group (where these users are).
>
> But while checking the rule from the IPA server using hbactest, both users'
> tests pass and show one rule. But in actual fact only ben is able to log in
> to the client machine, while jude cannot.
>
> [root@freeipa ~]# ipa hbactest --user ben@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: test_admins
>   Not matched rules: ad_can_login
>   Not matched rules: local_admin_can_login
> [root@freeipa ~]# ipa hbactest --user jude@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: test_admins
>   Not matched rules: ad_can_login
>   Not matched rules: local_admin_can_login
>
> So my HBAC is working partially. How can I fix this?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George <bentech4you at gmail.com>
> wrote:
>
>> Surprisingly, I have created some local IPA users and added them to the same
>> HBAC rule, removed the AD group and applied this rule to the client, and that
>> worked.
>>
>> How can I make this AD group work with HBAC?
>>
>> Regards,
>> Ben
>>
>> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4you at gmail.com>
>> wrote:
>>
>>> Hi
>>>
>>> If I disable the allow_all rule, I am not able to log in to the client
>>> machine.
>>>
>>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4you at gmail.com>
>>> wrote:
>>>
>>>> Hi
>>>>
>>>> Actually I have added Domain Admins, and the user ben is not part of
>>>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>>>
>>>> -sh-4.2$ id
>>>> uid=1827801104(ben@kwttestdc.com.kw) gid=1827801104(ben@kwttestdc.com.kw) groups=1827801104(ben@kwttestdc.com.kw),1827800513(domain users@kwttestdc.com.kw),1827801105(sudo admins@kwttestdc.com.kw)
>>>>
>>>>
>>>>
>>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4you at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> While explaining here it went wrong. Actually what I did is:
>>>>> "Added external group to POSIX group"
>>>>>
>>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhrozek at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>>> > Hi,
>>>>>> >
>>>>>> > "The other is that the groups might not show up on the client (do
>>>>>> they?)"
>>>>>>
>>>>>> id $user.
>>>>>>
>>>>>> But I think Alexander noticed the root cause.
>>>>>>
>>>>>> >
>>>>>> > How can I check that?
>>>>>> >
>>>>>> > Thanks
>>>>>> > Ben
>>>>>> >
>>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhrozek at redhat.com>
>>>>>> wrote:
>>>>>> >
>>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>>> > > > Hi List,
>>>>>> > > >
>>>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>>>> > > > server. By default I can log in to the client server by using an AD
>>>>>> > > > username.
>>>>>> > > >
>>>>>> > > > I want to apply HBAC rules against this client server. For that I
>>>>>> > > > have done the below steps.
>>>>>> > > >
>>>>>> > > > 1. created External group in IPA server
>>>>>> > > > 2. created local POSIX group on IPA server
>>>>>> > > > 3. Added AD group to external group
>>>>>> > > > 4. added POSIX group to external group.
>>>>>> > > >
>>>>>> > > > After that I have created an HBAC rule by adding both local and
>>>>>> > > > external IPA groups, added sshd as service and selected service
>>>>>> > > > group as sudo.
>>>>>> > > >
>>>>>> > > > I have applied this HBAC rule to the client server, and from the
>>>>>> > > > web UI, while testing HBAC, I am getting access denied.
>>>>>> > >
>>>>>> > > Sorry, not enough info.
>>>>>> > >
>>>>>> > > One guess would be that you need to add the "sudo-i" service as
>>>>>> > > well. The other is that the groups might not show up on the client
>>>>>> > > (do they?)
>>>>>> > >
>>>>>> > > Anyway, it might be a good idea to follow
>>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>>>> > >
>>>>>> > > --
>>>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> > > Go to http://freeipa.org for more info on the project
>>>>>> > >
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
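The thread contrasts two views of the same HBAC rule: `ipa hbactest` on the IPA server evaluates group membership as the server resolves it (AD group, external group, POSIX group), while the client's SSSD evaluates the downloaded rules against the groups it resolves for the user, which is what `id` prints there. The script below is an added illustration written for this archive page, not FreeIPA or SSSD code: a deliberately simplified HBAC evaluator plus a parser for `id` output, so the two views can be compared side by side. The rule set (`ad_can_login` referencing a POSIX group called `ad_users_posix`, a disabled `allow_all`), the group name and the `id` line are constructed to resemble the thread, and the real HBAC engine has more cases (host groups, service groups, rule categories) than this model.

```python
import re
from dataclasses import dataclass, field

# Constructed sample `id` output shaped like the one in the thread
# (the list archive shows ' at ' where the real output has '@').
SAMPLE_ID_OUTPUT = (
    "uid=1827801104(ben@kwttestdc.com.kw) gid=1827801104(ben@kwttestdc.com.kw) "
    "groups=1827801104(ben@kwttestdc.com.kw),"
    "1827800513(domain users@kwttestdc.com.kw),"
    "1827801105(sudo admins@kwttestdc.com.kw)"
)

HOST = "client.kwttestdc.com.kw"
USER = "ben@kwttestdc.com.kw"


def parse_id_groups(id_output: str) -> set:
    """Return the group names from `id` output: the text inside each 'gid(name)'."""
    m = re.search(r"groups=(.*)$", id_output.strip())
    if not m:
        return set()
    return set(re.findall(r"\d+\(([^)]*)\)", m.group(1)))


@dataclass
class HbacRule:
    """Simplified HBAC rule: explicit members plus 'category = all' flags."""
    name: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    enabled: bool = True
    all_users: bool = False
    all_hosts: bool = False
    all_services: bool = False


def rule_matches(rule: HbacRule, user: str, user_groups: set, host: str, service: str) -> bool:
    """A rule matches only when user, host and service all match and it is enabled."""
    if not rule.enabled:
        return False
    user_ok = rule.all_users or user in rule.users or bool(rule.groups & user_groups)
    host_ok = rule.all_hosts or host in rule.hosts
    service_ok = rule.all_services or service in rule.services
    return user_ok and host_ok and service_ok


def evaluate(rules, user: str, user_groups: set, host: str, service: str) -> dict:
    """Access is granted when at least one enabled rule matches (allow-only model)."""
    matched = [r.name for r in rules if rule_matches(r, user, user_groups, host, service)]
    not_matched = [r.name for r in rules if r.name not in matched]
    return {"granted": bool(matched), "matched": matched, "not_matched": not_matched}


def missing_rule_groups(rule: HbacRule, client_groups: set) -> set:
    """Groups the rule relies on that the client does not resolve for this user."""
    return rule.groups - client_groups


# Assumed rule set: allow_all disabled (as in the thread), one rule granting
# sshd and sudo on the client host to members of an assumed POSIX group that
# the IPA server populates through the AD -> external group -> POSIX chain.
RULES = [
    HbacRule("allow_all", enabled=False, all_users=True, all_hosts=True, all_services=True),
    HbacRule("ad_can_login", groups={"ad_users_posix"}, hosts={HOST}, services={"sshd", "sudo"}),
]

# Server-side view: the IPA server resolves the nested membership itself.
SERVER_GROUPS = {"ad_users_posix", "domain users@kwttestdc.com.kw"}


def server_view(service: str = "sshd") -> dict:
    return evaluate(RULES, USER, SERVER_GROUPS, HOST, service)


def client_view(service: str = "sshd") -> dict:
    # Client-side view: only the groups SSSD actually resolved, i.e. what `id` prints.
    return evaluate(RULES, USER, parse_id_groups(SAMPLE_ID_OUTPUT), HOST, service)


if __name__ == "__main__":
    print("server hbactest:", server_view())
    print("client sssd    :", client_view())
    print("groups the client is missing:",
          missing_rule_groups(RULES[1], parse_id_groups(SAMPLE_ID_OUTPUT)))
    # Jakub's other guess: a rule that lists only "sudo" does not cover "sudo-i".
    print("server, service sudo-i:", server_view("sudo-i"))
```

Running it shows the pattern from the thread: the server view grants sshd because it sees `ad_users_posix`, the client view denies because the user's `id` output carries only the AD groups and not the POSIX group the rule names, and even the server view denies `sudo-i` when the rule lists only `sudo`. The practical check it encodes is to run `id <user>` on the client and confirm that every IPA group an HBAC rule references appears there before trusting `ipa hbactest` as a prediction of what the client will do.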