[Freeipa-users] HBAC and AD users

Lachlan Musicman datakid at gmail.com
Mon Jul 11 06:55:37 UTC 2016


On 11 July 2016 at 16:44, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Mon, 11 Jul 2016, Lachlan Musicman wrote:
>
>> Hola,
>>
>> Centos 7, up to date.
>>
>> [root at linuxidm ~]# ipa --version
>> VERSION: 4.2.0, API_VERSION: 2.156
>>
>> One way trust is successfully established, can login with
>>
>> ssh username at domain1.com@server1.domain2.com
>>
>> Am testing to get HBAC to work.
>>
>> I've noticed that with the Allow All rule in effect, the following setup
>> is sufficient:
>>
>> add external group "ad_external"
>> add internal group, "ad_internal", add ad_external as a group member of
>> ad_internal
>>
>> AD users can now successfully login to any server.
>>
>> When I tried to set up an HBAC rule, I couldn't get that setup to work; I
>> needed to complete the extra step of adding AD users explicitly to the
>> "external member" group of the external group.
>>
>> I also note that this seems to be explicitly user based, not group based?
>> I.e., I can add lachlan at domain1.com to the external members of ad_external
>> and that works, but adding the group server_admins at domain1.com (as seen
>> in `id lachlan at domain1.com`) doesn't allow all members access.
>>
>> Does that sound correct?
>>
> No, it does not.
> HBAC evaluation and external group merging/resolution is done by SSSD.
> Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
> that can help in understanding what happens there.
>
> What SSSD version do you have on both IPA client and IPA server?



1.13.0 on both client and server.

To be honest, we have ratcheted up the logs and it doesn't help that much.
We just got lots of "unsupported PAM command [249]".

Cheers
L.
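The external-group / internal-group / HBAC-rule chain discussed in this thread, written out as the corresponding ipa(1) commands with an `ipa hbactest` check at the end. This is an added example, not code from the thread or from the FreeIPA project; the group, rule and host names are assumptions (chosen to match the thread), and DRY_RUN=1 prints the commands instead of running them (otherwise an admin Kerberos ticket is needed).

```shell
#!/bin/sh
# Added example: map an AD group into IPA and grant it sshd on one host via HBAC.
# All names below are assumptions chosen to match the thread.
set -eu

AD_GROUP='server_admins@domain1.com'   # the AD group, in the name@realm form ipa accepts
EXT_GROUP=ad_external                  # non-POSIX group that holds AD SIDs
INT_GROUP=ad_internal                  # POSIX group that nests the external one
RULE=allow_admins                      # HBAC rule name (assumed)
HOST=server1.domain2.com
TEST_USER='lachlan@domain1.com'

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_ad_hbac() {
    # 1. External group for AD identities, plus the POSIX group that nests it.
    run ipa group-add --external "$EXT_GROUP" --desc 'AD server_admins mapping'
    run ipa group-add "$INT_GROUP" --desc 'POSIX wrapper for AD admins'
    run ipa group-add-member "$INT_GROUP" --groups "$EXT_GROUP"
    # 2. Map the AD group itself (not individual users) into the external group.
    run ipa group-add-member "$EXT_GROUP" --external "$AD_GROUP"
    # 3. HBAC rule: members of the POSIX group may use sshd on the host.
    run ipa hbacrule-add "$RULE" --desc 'AD admins may ssh to server1'
    run ipa hbacrule-add-user "$RULE" --groups "$INT_GROUP"
    run ipa hbacrule-add-host "$RULE" --hosts "$HOST"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs sshd
}

# Server-side simulation of the rule. It does not exercise the client's SSSD
# cache, so clear that too (sss_cache -E on the client) before retrying a login.
check_rule() {
    run ipa hbactest --user "$TEST_USER" --host "$HOST" --service sshd --rules "$RULE"
}

if [ "${1:-}" = run ]; then
    setup_ad_hbac
    check_rule
fi
```

If `hbactest` grants access but the real login is still denied, the difference is on the client side (SSSD cache or SSSD version), which is where the thread points the debugging.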