<html><body><div style="color:#000; background-color:#fff; font-family:bookman old style, new york, times, serif;font-size:13px"><div></div>Ah I would love to help but have only been a Unix sysadmin for a couple years now (came from Windows side of house) and have little coding ability. Still happy to help in any way I can though if you can find a place/need for me. You have all been very helpful to me so I would like to give back if I can. <div id="yui_3_16_0_1_1440008615329_2672" style="font-family: bookman old style, new york, times, serif; font-size: 13px;"> <div id="yui_3_16_0_1_1440008615329_2671" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1440008615329_2670" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1440008615329_2669"> From: Jakub Hrozek <jhrozek@redhat.com> To: Martin Kosek <mkosek@redhat.com> Cc: Freeipa-users <freeipa-users@redhat.com> Sent: Wednesday, August 19, 2015 12:23 AM Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients </div> <div class="y_msg_container" id="yui_3_16_0_1_1440008615329_2686"> On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote: > On 08/15/2015 07:05 PM, Natxo Asenjo wrote: > > > > > >On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" shape="rect" ymailto="mailto:rcritten@redhat.com">rcritten@redhat.com</a> > ><mailto:<a href="mailto:rcritten@redhat.com" shape="rect" ymailto="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote: > > > > sipazzo wrote: > > > > > > and my users are able to authenticate to the directory but the hbac > > rules are not being applied. Any user whether given access or not can > > login to the Solaris systems. The "allow-all" rule has been disabled, my > > nsswitch.conf file looks good and I have tried different configs of > > pam.d, including the provided example to try to resolve the issue. Am I > > missing some steps? > > > > > > HBAC enforcement is provided by sssd so doesn't work in Solaris. > > > > > >one might try using solaris' RBAC system: > > > ><a id="yui_3_16_0_1_1440008615329_2687" href="http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html" target="_blank" shape="rect">http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html</a> > > > >You would have to distribute your changes to all solaris systems. > > > >There is a RBAC ldap schema > ><a href="http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html" target="_blank" shape="rect">http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html </a>for solaris, > >but I have never tried using it with freeipa. > > > >-- > >Groeten, > >natxo > > Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project: > > <a href="https://github.com/jhrozek/pam_hbac" target="_blank" shape="rect">https://github.com/jhrozek/pam_hbac</a> btw I have quite a few changes from the last weeks, so yes, I'm still working on this, but the progress is slow, RHEL maintenance tends to eat most time..<div class="qtdSeparateBR"> </div><div class="yqt2864356393" id="yqtfd98516"> -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank" shape="rect">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org/" target="_blank" shape="rect">http://freeipa.org </a>for more info on the project </div> </div> </div> </div> </div></body></html>