[Freeipa-users] HBAC and AD users

Sumit Bose sbose at redhat.com
Mon Jul 11 07:15:38 UTC 2016 

On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote:
> On 11 July 2016 at 16:44, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> > On Mon, 11 Jul 2016, Lachlan Musicman wrote:
> >
> >> Hola,
> >>
> >> Centos 7, up to date.
> >>
> >> [root at linuxidm ~]# ipa --version
> >> VERSION: 4.2.0, API_VERSION: 2.156
> >>
> >> One way trust is successfully established, can login with
> >>
> >> ssh username at domain1.com@server1.domain2.com
> >>
> >> Am testing to get HBAC to work.
> >>
> >> I've noticed that with the Allow All rule in effect, the following set up
> >> is sufficient:
> >>
> >> add external group "ad_external"
> >> add internal group, "ad_internal", add ad_external as a group member of
> >> ad_internal
> >>
> >> AD users can now successfully login to any server.
> >>
> >> When I tried to set up an HBAC, I couldn't get that set up to work, I
> >> needed to complete the extra step of adding AD users explicitly to the
> >> "external member" group of the external group.

yes, this is expected you either have to add AD users or groups to the
external groups.

> >>
> >> I also note that this seems to be explicitly user based, not group based?
> >> IE, I can add lachlan at domain1.com to the external members of ad_external
> >> and that works, but adding the group server_admins at domain1.com (as seen
> >> in
> >> `id lachlan at domain1.com`) doesn't allow all members access.

Since it looks you are using FreeIPA 4.2 you might hit
https://fedorahosted.org/freeipa/ticket/5573 . But SSSD logs, especially
the part where the HBAC rules are evaluated would help to understand the
issue better.

> >>
> >> Does that sound correct?
> >>
> > No, it does not.
> > HBAC evaluation and external group merging/resolution is done by SSSD.
> > Use https://fedorahosted.org/sssd/wiki/Troubleshooting to produce logs
> > that can help understanding what happens there.
> >
> > What SSSD version do you have on both IPA client and IPA server?
> 
> 
> 
> 1.13.0 on both client and server.
> 
> To be honest, we have ratcheted up the logs and it doesn't help that much.
> We just got lots of "unsupported PAM command [249]"

This is unrelated, I assume this happens when trying to store the hashed
password to the cache. This message is remove in newer releases.

bye,
Sumit

> 
> Cheers
> L.

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list