[Freeipa-users] Active Directory users are not controlled by HBAC

Birnbaum, Warren (ETW) Warren.Birnbaum at nike.com
Wed Jan 27 18:53:43 UTC 2016


I started this post with a simple question: "is it possible to have HBAC
work with AD authenticated users". I was not able from the tips provided
to get any further with this.

What I have not been able to have addressed is, if there are no HBAC
rules, there should be no access, or if there is no Allow_Access rule, no
one should be able to login to any system.  Currently with this said
configuration, everyone has access to every system.  My pam stack is
exactly as recommended.  Is there someone who has FreeIPA with active
directory authenticated users and HBAC working?  I don't have trust
defined with AD but authentication is working fine.

From the following link:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-groups.html
It says in the second paragraph:

"However, Active Directory users cannot be added directly to FreeIPA user
groups. This means that Active Directory users require special
configuration in order to access FreeIPA domain resources."

There is then a procedure given to create user groups that work with HBAC.
I don't see how this would help me since adding a user to a group could
only be used to further allow access to systems, but all users already have
total access to all systems.

Thanks for your help!

Warren
On 1/25/16, 2:47 PM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

>On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>OK.  I have done this and am using the pam stack that is the result of
>>what you here describe.
>>
>>A few threads back you mentioned that this could be a reason why my hbac
>>are not restricting access.  I have no hbac rules currently and any
>>active
>>directory user can access any host.  Is there something else I could look
>>at to see why this is happening?
>https://fedorahosted.org/sssd/wiki/Troubleshooting is your friend.
>
>-- 
>/ Alexander Bokovoy
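As an added diagnostic (not from the thread, and not FreeIPA or SSSD project code): SSSD enforces IPA HBAC only in a domain whose access_provider is ipa, and a domain that sets no access_provider falls back to SSSD's default, permit, which allows every user on every host regardless of HBAC rules. The script below parses an sssd.conf and reports the effective access_provider per domain; the domain names and the config excerpt are constructed, with a trust-less AD domain served over LDAP/Kerberos as the thread describes.

```shell
#!/bin/sh
# Constructed sssd.conf excerpt: one IPA domain plus a separate domain that
# authenticates AD users without a trust (hypothetical names).
SSSD_CONF_SAMPLE='[sssd]
domains = ipa.example.test, ad.example.test

[domain/ipa.example.test]
id_provider = ipa
access_provider = ipa

[domain/ad.example.test]
id_provider = ldap
auth_provider = krb5
'

# Print "<domain> <access_provider>" for each [domain/...] section.
# A domain with no explicit access_provider gets SSSD's default, "permit".
domain_access_providers() {
    printf '%s\n' "$1" | awk '
        /^\[domain\// {
            if (dom != "") print dom, ap
            dom = $0; sub(/^\[domain\//, "", dom); sub(/]$/, "", dom)
            ap = "permit"; next
        }
        /^\[/ { if (dom != "") print dom, ap; dom = ""; next }
        dom != "" && /^[ \t]*access_provider[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); ap = $0
        }
        END { if (dom != "") print dom, ap }
    '
}

# Succeed (exit 0) only if every configured domain enforces HBAC via
# access_provider = ipa; any "permit" or other provider fails the check.
all_domains_enforce_hbac() {
    domain_access_providers "$1" | awk '$2 != "ipa" { bad = 1 } END { exit bad + 0 }'
}

domain_access_providers "$SSSD_CONF_SAMPLE"
if all_domains_enforce_hbac "$SSSD_CONF_SAMPLE"; then
    echo "all domains enforce HBAC"
else
    echo "WARNING: at least one domain does not use access_provider = ipa"
fi
```

Run it against the host's real /etc/sssd/sssd.conf by passing that file's contents instead of the sample; a domain reported as permit is one that IPA HBAC rules cannot restrict.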