[Freeipa-users] Active Directory users are not controlled by HBAC

Jakub Hrozek jhrozek at redhat.com
Fri Jan 22 12:51:55 UTC 2016


On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
> Hi.
> 
> I have been successful using FreeIPA 4.1 configuring Active Directory users and with sudo.  The problem I am having is that the HBAC rules are not applying to my Active Directory users.  They have access to all systems even if I disable my Allow_ALL rule.  Is there something special I should be doing to domain?

Normally HBAC for AD users should be done through an external group you
add the AD users or groups to, then add the external group to a regular
IPA group and reference this IPA group from HBAC rules.

There have been bugs related to external groups resolution, so please
update to the latest IPA and SSSD packages also.
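
The chain described in the reply above, written out with the `ipa` CLI as an added example (not part of the original message). All group, rule and host names are constructed placeholders, and the `IPA` variable is an assumption added here so the commands can be dry-run with `IPA=echo`.

```shell
#!/bin/sh
# Added example: external-group chain that makes HBAC rules apply to AD users.
# IPA is a hypothetical switch: the real `ipa` CLI by default, IPA=echo to
# print the commands only. All names passed in are constructed placeholders.
IPA="${IPA:-ipa}"

# ad_hbac_setup AD_MEMBER EXT_GROUP IPA_GROUP RULE HOST SERVICE
ad_hbac_setup() {
    ad_member=$1 ext_group=$2 ipa_group=$3 rule=$4 host=$5 svc=$6

    # 1. External (non-POSIX) group: the container for AD users or groups.
    "$IPA" group-add "$ext_group" --external \
        --desc="External group for trusted AD members" || return 1
    # 2. Add the AD user or group to it. Run interactively, this command may
    #    also prompt for IPA member users/groups; leave those empty.
    "$IPA" group-add-member "$ext_group" --external "$ad_member" || return 1
    # 3. Regular IPA group that nests the external group.
    "$IPA" group-add "$ipa_group" --desc="AD users allowed by HBAC" || return 1
    "$IPA" group-add-member "$ipa_group" --groups="$ext_group" || return 1
    # 4. HBAC rule that references the regular IPA group, not the external one.
    "$IPA" hbacrule-add "$rule" || return 1
    "$IPA" hbacrule-add-user "$rule" --groups="$ipa_group" || return 1
    "$IPA" hbacrule-add-host "$rule" --hosts="$host" || return 1
    "$IPA" hbacrule-add-service "$rule" --hbacsvcs="$svc" || return 1
}

# Run only when all six arguments are supplied on the command line.
if [ "$#" -eq 6 ]; then
    ad_hbac_setup "$@"
fi
```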



