On Thu, 17 Feb 2022, stefano.antonelli@cnaf wrote:
Hi Alexander

thank you,

On Thu, 2022-02-17 at 16:36 +0200, Alexander Bokovoy wrote:
HBAC rule checks are done by SSSD. You have to use pam_sss, not
pam_krb5. The PAM module pam_krb5 is irrelevant here, no wonder it does
not work for you.


ok, but I do see a module like pam_sss; do you mean using the config
/etc/pam.d/sssd_shadowutils from sssd-common rpm?

No. PAM config is what specifies which modules to use. Your PAM config
used the wrong module, which does not know anything about HBAC rules.



What pam config file name is used? /etc/pam.d/postfix?
I think it should just be a symlink to /etc/pam.d/system-auth.


the default one for postfix, /etc/pam.d/smtp

Your /etc/pam.d/smtp should ideally be a symlink to system-auth, unless
it adds something different on top of it. If so, it should be including
system-auth instead. But I think a symlink should be just fine.


thank you
cheers
Stefano


> 4) krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MY.REALM
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> default_realm = MY.REALM
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> MY.REALM = {
>  kdc = myipa.realm
>  kdc = myipa-01.realm
>  kdc = myipa-02.realm
>  admin_server = myipa.realm
> }
>
> [domain_realm]
> .MYREALM = MYREALM
>  MYREALM = MYREALM
>
> It works for authentication via FreeIPA but, at the moment, HBAC rules
> are still not working.
>
> Is this type of "Postfix, SASL, PAM" authentication that you meant?
>
> thank you
> cheers
> Stefano 
>
> On 2022-02-16 14:47 Rob Crittenden wrote:
> > stefano.antonelli@cnaf via FreeIPA-users wrote:
> > > Dear FreeIPA users
> > >
> > > I have a three-node installation (version 4.6.8, CentOS 7.9.2009) and
> > > I'm trying to manage users and hosts in order to allow them to send
> > > emails; I've retrieved the host keytab from the ipa servers and
> > > configured the host krb5.conf to point at the ipa servers;
> > >
> > > I have a test user on FreeIPA (or, in future, user groups) and an smtp
> > > server (postfix; or in future host groups) and an smtp service
> > > smtp/hostname@REALM
> > >
> > > I'd like to configure an HBAC rule in order to:
> > >
> > > 1) allow the group of users to send email via the smtp server
> > > 2) ban the user from sending email by removing him/her from the user
> > > group
> > >
> > > but there is something that's not working; I've made two tests (user
> > > in the user group and deleted from the user group) and in both cases
> > > the user is able to send email from his client (I attach the output of
> > > some ipa commands)
> > >
> > > Besides, I've tried to add an HBAC service "smtp" (even if I do not
> > > understand its real use, if it's "only" a tag) and an HBAC service
> > > group but nothing has changed. At the moment I don't realize where I'm
> > > wrong even looking at some log files,
> > >
> > > thank you
> > > cheers
> > > Stefano
> > >
> > >
> > >
> > > ### 1 user-test in User Group
> > > ipa hbacrule-show smtp
> > >  Rule name: smtp
> > >  Service category: all
> > >  Description: Access rule for the smtp servers
> > >  Enabled: TRUE
> > >  User Groups: smtp
> > >  Host Groups: smtp
> > >
> > > ipa user-show user-test
> > >  Member of groups: smtp
> > >  Indirect Member of HBAC rule: smtp
> > >
> > > ipa hbactest --user=user-test --host=host.domain --service=all
> > > --------------------
> > > Access granted: True
> > > --------------------
> > >   Matched rules: smtp-cnaf
> > >
> > > ### 2 user-test deleted from User Group
> > >
> > > ipa hbactest --user=user-test --host=host.domain --service=all
> > > ---------------------
> > > Access granted: False
> > > ---------------------
> > >   Not matched rules: smtp-cnaf
> >
> > HBAC services are PAM services. If the
> > authentication/authorization/session is going through PAM then this can
> > work. I have some vague memory of saslauthd and postfix using PAM.
> >
> > rob
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
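A check for the point made in this thread (HBAC is enforced by SSSD through pam_sss.so, so a PAM service file that only calls pam_krb5.so authenticates against Kerberos but never consults HBAC), written here as an added example; it is not code posted by anyone in the thread or shipped by FreeIPA. It builds three constructed service files in a temporary directory (an abridged CentOS 7 system-auth as authconfig writes it with SSSD enabled is assumed; the names smtp.broken, smtp.fixed and smtp.included are hypothetical), then reports for each whether pam_sss.so is reached in the account phase, which is the phase in which SSSD evaluates HBAC rules:

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: audit which modules a
# PAM service reaches in its "account" phase. SSSD evaluates FreeIPA HBAC
# rules from pam_sss.so in that phase, so a service that never gets there is
# never subject to HBAC, whatever "ipa hbactest" reports for the rule itself.
# PAMDIR points at the directory of service files (constructed samples here).

# Constructed samples. Assumed: abridged CentOS 7 system-auth as written by
# authconfig with SSSD enabled; smtp.* are hypothetical names for this demo.
setup_samples() {
    cat > "$PAMDIR/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF
    # The situation described in the thread: smtp handled by pam_krb5 alone.
    # Kerberos authentication succeeds, but SSSD (and so HBAC) is never asked.
    cat > "$PAMDIR/smtp.broken" <<'EOF'
auth        required      pam_krb5.so
account     required      pam_krb5.so
EOF
    # Fix suggested in the thread: make smtp a symlink to system-auth ...
    ln -sf system-auth "$PAMDIR/smtp.fixed"
    # ... or keep a separate file that includes system-auth.
    cat > "$PAMDIR/smtp.included" <<'EOF'
auth        include       system-auth
account     include       system-auth
EOF
}

# account_modules SERVICE: print the modules reached in the account phase.
# Symlinks are followed by the OS; include/substack lines are expanded one
# level (enough for the system-auth layout). Modules are recognised by their
# ".so" suffix so bracketed control fields containing spaces do not matter.
account_modules() {
    _file="$PAMDIR/$1"
    [ -e "$_file" ] || { echo "no such service: $1" >&2; return 2; }
    awk -v dir="$PAMDIR" '
        $1 == "account" {
            if ($2 == "include" || $2 == "substack") {
                sub(/^.*\//, "", $3)        # include paths are relative to pam.d
                inc = dir "/" $3
                while ((getline line < inc) > 0) {
                    n = split(line, f, /[ \t]+/)
                    if (f[1] == "account")
                        for (i = 2; i <= n; i++) if (f[i] ~ /\.so$/) print f[i]
                }
                close(inc)
            } else {
                for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) print $i
            }
        }' "$_file"
}

# hbac_enforced SERVICE: succeed only if pam_sss.so sits in the account phase.
hbac_enforced() {
    account_modules "$1" | grep -qx 'pam_sss\.so'
}

# With PAMDIR unset, build the constructed samples in a scratch directory;
# with PAMDIR set (e.g. a copy of /etc/pam.d) nothing is written there.
if [ -z "${PAMDIR:-}" ]; then
    PAMDIR=$(mktemp -d)
    setup_samples
fi

for svc in ${*:-smtp.broken smtp.fixed smtp.included}; do
    if hbac_enforced "$svc"; then
        echo "$svc: pam_sss.so in account phase, HBAC rules are evaluated"
    else
        echo "$svc: no pam_sss.so in account phase, HBAC rules are ignored"
    fi
done
```

Run as-is it reports smtp.broken as ignoring HBAC and the symlinked and included variants as enforcing it; run as `PAMDIR=/path/to/copy-of-pam.d sh audit.sh smtp` it inspects a real service file instead. The service name SSSD presents to HBAC is the PAM service name, which for the Postfix/Cyrus SASL/saslauthd chain in the thread is smtp, so `ipa hbactest --service=smtp` exercises the same lookup the account phase performs once pam_sss.so is actually in the stack.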
