[Freeipa-users] Active Directory users are not controlled by HBAC

Birnbaum, Warren (ETW) Warren.Birnbaum at nike.com
Mon Jan 25 22:05:45 UTC 2016


My system-auth-ac file looks like:

# auth: local accounts are checked by pam_unix first; anyone else with
# uid >= 1000 is authenticated by SSSD (pam_sss)
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

# account: local (/etc/passwd) users and uid < 1000 are accepted before
# pam_sss runs; every other user, AD users included, is decided by pam_sss,
# i.e. by the HBAC rules
account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so




___________________
Warren Birnbaum : Infrastructure Services
Web Automation Engineer
Europe CDT Techn. Operations
Nike Inc. : Mobile +31 6 23902697

On 1/25/16, 1:26 PM, "Birnbaum, Warren (ETW)" <Warren.Birnbaum at nike.com> wrote:

>Thanks Alexander.  Is there a place where there are example PAM stacks
>that work with Active Directory and HBAC?
> 
>
>On 1/22/16, 2:44 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>
>>On Fri, 22 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>>Thanks for your reply.  I understand what you are saying but don't see
>>>how this would work because Allow_All is my current situation (even
>>>with this rule disabled).  My understanding is you can't restrict
>>>through a rule, only limit.  Am I missing something?
>>Yes.
>>
>>First, lack of an HBAC rule that allows access to a service means pam_sss
>>will deny access to that service. HBAC rules only give you the means to
>>_allow_ access, not to limit it, as when no rules are in place,
>>everything is disallowed.  The 'allow_all' HBAC rule is provided exactly
>>to allow starting from a fresh working ground -- you would then remove
>>the 'allow_all' rule after creating specific allow rules.
>>
>>Second, while pam_sss evaluates HBAC rules, it is only one module in a
>>PAM stack. There might be other PAM modules that could make their own
>>decisions to allow access to a specific service. You need to see what is
>>in your configuration.
>>
>>On RHEL and Fedora we configure the PAM stack in such a way that, apart
>>from root and the wheel group, the rest is managed by SSSD via pam_sss.
>>If your configuration is different, it is up to you to ensure everything
>>is tightened up.
>>
>>>
>>>On 1/22/16, 1:51 PM, "freeipa-users-bounces at redhat.com on behalf of Jakub Hrozek" <freeipa-users-bounces at redhat.com on behalf of jhrozek at redhat.com> wrote:
>>>
>>>>On Fri, Jan 22, 2016 at 09:27:40AM +0000, Birnbaum, Warren (ETW) wrote:
>>>>> Hi.
>>>>>
>>>>> I have been successful using FreeIPA 4.1 configuring Active Directory
>>>>> users and with sudo.  The problem I am having is that the HBAC rules
>>>>> are not applying to my Active Directory users.  They have access to
>>>>> all systems even if I disable my Allow_ALL rule.  Is there something
>>>>> special I should be doing to the domain?
>>>>
>>>>Normally HBAC for AD users should be done through an external group you
>>>>add the AD users or groups to, then add the external group to a regular
>>>>IPA group and reference this IPA group from HBAC rules.
>>>>
>>>>There have been bugs related to external group resolution, so please
>>>>update to the latest IPA and SSSD packages also.
>>>>
>>>>--
>>>>Manage your subscription for the Freeipa-users mailing list:
>>>>https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>Go to http://freeipa.org for more info on the project
>>>
>>
>>-- 
>>/ Alexander Bokovoy
>
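Putting the two answers above into a runnable form, as an added example that is not part of this thread and not FreeIPA project code: the server-side chain Jakub describes (AD group into an IPA external group, external group into a regular IPA group, that group referenced by an HBAC rule), followed by Alexander's two points, i.e. test the specific rule before disabling allow_all, and check which modules in the posted "account" stack can accept a user before pam_sss is ever consulted. All names (the AD group, both IPA groups, the host group, the rule, the test user and host) are assumptions made for the example; the PAM lines are the account phase of the stack posted at the top of the message. By default the script only prints the ipa commands so it can be read and run without an IPA server; APPLY=1 executes them, which needs an admin Kerberos ticket on an enrolled client.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. Server side:
# build the external-group -> POSIX-group -> HBAC-rule chain, test it, then
# retire allow_all. Client side: show which "account" modules in the posted
# stack can accept a user before pam_sss (HBAC) is consulted.
# Every name below (AD group, IPA groups, rule, host group, test user/host)
# is an assumption for the example.
set -e

AD_GROUP='AD\linux-admins'            # assumed AD group; DOM\name or name@ad.example.com
EXT_GROUP='ad_linux_admins_external'  # assumed IPA external group (holds the AD SID)
POSIX_GROUP='ad_linux_admins'         # assumed regular IPA group referenced by HBAC
HOSTGROUP='linux_admin_hosts'         # assumed IPA host group
RULE='allow_ad_linux_admins_sshd'     # assumed HBAC rule name
TEST_USER='jdoe@ad.example.com'       # assumed AD user for hbactest
TEST_HOST='web1.ipa.example.com'      # assumed enrolled host for hbactest

# Dry-run by default: print each command so the plan can be reviewed (and
# this file run) without an IPA server. APPLY=1 executes them; that needs
# an admin Kerberos ticket (kinit admin) on an enrolled client.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

hbac_for_ad_group() {
    # 1. External group: the only IPA group type that can hold AD members.
    run ipa group-add "$EXT_GROUP" --external
    run ipa group-add-member "$EXT_GROUP" --external="$AD_GROUP"
    # 2. Regular POSIX group wrapping it; HBAC rules reference this one.
    run ipa group-add "$POSIX_GROUP"
    run ipa group-add-member "$POSIX_GROUP" --groups="$EXT_GROUP"
    # 3. The allow rule: who (group), where (host group), which PAM service.
    run ipa hbacrule-add "$RULE"
    run ipa hbacrule-add-user "$RULE" --groups="$POSIX_GROUP"
    run ipa hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs=sshd
    # 4. Evaluate the enabled rules server-side for a real user/host/service.
    run ipa hbactest --user="$TEST_USER" --host="$TEST_HOST" --service=sshd
    # 5. Last step: with no matching rule pam_sss denies, so allow_all is
    #    disabled only after the specific rule exists and has been tested.
    run ipa hbacrule-disable allow_all
}

# The "account" phase of the stack posted above (constructed sample input).
PAM_ACCOUNT_SAMPLE='account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so'

# Print the modules that can end the account phase with success before
# pam_sss runs: "sufficient", or a bracket control containing success=done.
# Anything listed here grants access without HBAC, so it must only match
# users you intend (here: local users and uid < 1000).
account_shortcuts_before_sss() {
    printf '%s\n' "$1" | awk '
        $1 != "account" { next }
        /pam_sss\.so/   { exit }
        $2 == "sufficient" || /success=done/ {
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break }
        }'
}

hbac_for_ad_group
account_shortcuts_before_sss "$PAM_ACCOUNT_SAMPLE"
```

Run as is to see the plan and the two shortcut modules (pam_localuser.so and pam_succeed_if.so) from the posted stack; run with APPLY=1 on an enrolled client with an admin ticket to apply it. After the rules change, confirm with a real login on the client as well as with hbactest; if a client still appears to use a stale rule set, sss_cache -E invalidates SSSD's cached entries.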