Hi Alexander, Rob
thank you for your hints because it seems that something is working:
> No. PAM config is what specifies which modules to use. Your PAM config
> used wrong module which does not know anything about HBAC rules.
I've configured my test environment like this:
smtp Postfix server:
- /etc/pam.d/smtp (a symlink to /etc/alternatives/mta-pam)
account required pam_sss.so
auth required pam_sss.so
- I start a saslauthd daemon:
saslauthd -d -a pam -O smtp
- I test my test account with CLI (and with Thunderbird)
testsaslauthd -u test -p "test-pwd" -r MY.REALM -s smtp
FreeIPA:
I add a hbac rule "smtp", a service "smtp", a host Group "smtp" (at the
moment there's one server), a User group "smtp". The hbac rule "smtp"
grants UserGroup "smtp" access to HostGroup "smtp" via service "smtp"
From CLI (testsaslauthd) I get
0: NO "authentication failed"
0: OK "Success."
and from Thunderbird I manage to send or not send the email depending on
whether or not I add the hbac rule to the test user,
but it doesn't work if I try to add the user to the group "smtp".
I see that the user inherits or loses some attributes (ldapsearch, ipa
user-show) but it doesn't work with the group. After I've added the user
to the UserGroup he manages to send email even if I remove him from the
group. The only way to reset this (I've tried to remove the cache with sss_cache
both on client and server) is to add and remove the hbac rule from
the single user.
After this, even if I try to remove the user from the group he manages to
send email regardless of the rule, as if there were some caching (I've
tried to remove the cache with sss_cache -E on the client).
When I add the user to the UserGroup I see that he is an "indirect
member" of the hbac rule, while he is a direct member when I add the rule to
him; is there anything different when working with groups, or may it be a
problem of sssd caching?
thank you
cheers
Stefano
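The two things the thread converges on are a PAM stack for the smtp service that actually routes through pam_sss.so (pam_krb5.so authenticates but never sees HBAC) and a set of HBAC objects in FreeIPA. The following POSIX shell script is an added example, not code from FreeIPA or from any poster in the thread. Part 1 reads a PAM service file (the thread's /etc/pam.d/smtp, a symlink in the poster's setup) including any `include`/`substack` files, and fails unless both the auth and the account phase load pam_sss.so and nothing loads pam_krb5.so. Part 2 creates the thread's objects (service "smtp", host group "smtp", user group "smtp", rule "smtp") with the ipa CLI and checks the result both server-side (`ipa hbactest`) and through saslauthd. The names user-test, host.domain and MY.REALM are the thread's placeholders; the IPA_* variables, the IPA_PASSWORD variable and the `setup`/`verify`/`check` subcommands are assumptions of this example.

```shell
#!/bin/sh
# Added example for the FreeIPA-users thread on Postfix + saslauthd + HBAC.
# Not code from FreeIPA, sssd, Postfix or any poster. Placeholder names
# (user-test, host.domain, MY.REALM, IPA_PASSWORD) are assumptions.

# pam_lines FILE: print the effective "type control module args" lines of a
# PAM service file: comments stripped, "include"/"substack" expanded with
# only the lines of the including type, files resolved next to FILE as PAM does.
pam_lines() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    while read -r type ctrl mod rest; do
        case "$ctrl" in
            include|substack)
                pam_lines "$(dirname "$1")/$mod" | awk -v t="$type" '$1 == t' ;;
            *)
                printf '%s %s %s %s\n' "$type" "$ctrl" "$mod" "$rest" ;;
        esac
    done
}

# check_pam_service FILE: 0 if sssd can enforce HBAC through this stack,
# 1 otherwise. sssd evaluates HBAC in the account phase, so an account line
# with pam_sss.so is the essential one; the thread uses pam_sss for auth too.
check_pam_service() {
    lines=$(pam_lines "$1") || return 1
    rc=0
    if printf '%s\n' "$lines" | grep -q 'pam_krb5\.so'; then
        echo "$1: pam_krb5.so is loaded; it knows nothing about HBAC rules" >&2
        rc=1
    fi
    for phase in auth account; do
        if ! printf '%s\n' "$lines" |
             awk -v p="$phase" '$1 == p && /pam_sss\.so/ { f = 1 } END { exit(f ? 0 : 1) }'; then
            echo "$1: no '$phase' line loads pam_sss.so" >&2
            rc=1
        fi
    done
    return $rc
}

# Part 2: the HBAC objects from the thread. Needs an admin Kerberos ticket
# on an enrolled host; the three variables are assumed placeholders.
IPA_USER=${IPA_USER:-user-test}
IPA_HOST=${IPA_HOST:-host.domain}
IPA_REALM=${IPA_REALM:-MY.REALM}

ipa_hbac_smtp_setup() {
    ipa hbacsvc-add smtp --desc="Postfix via saslauthd (PAM service smtp)"
    ipa hostgroup-add smtp
    ipa hostgroup-add-member smtp --hosts="$IPA_HOST"
    ipa group-add smtp
    ipa group-add-member smtp --users="$IPA_USER"
    ipa hbacrule-add smtp --desc="Access rule for smtp servers"
    ipa hbacrule-add-service smtp --hbacsvcs=smtp
    ipa hbacrule-add-host smtp --hostgroups=smtp
    ipa hbacrule-add-user smtp --groups=smtp
}

ipa_hbac_smtp_verify() {
    # The default allow_all rule, while enabled, matches every user on every
    # host, so no other rule can deny anyone. Warn if it is still on.
    if ipa hbacrule-show allow_all 2>/dev/null | grep -q 'Enabled: TRUE'; then
        echo "warning: HBAC rule allow_all is enabled; membership in smtp is irrelevant" >&2
    fi
    # Server-side evaluation, against the PAM service name saslauthd reports.
    ipa hbactest --user="$IPA_USER" --host="$IPA_HOST" --service=smtp
    # Client-side evaluation: what saslauthd/pam_sss will really decide on this
    # host. Drop sssd's cache first so stale group membership is not consulted.
    sss_cache -E
    testsaslauthd -u "$IPA_USER" -p "${IPA_PASSWORD:-}" -r "$IPA_REALM" -s smtp
}

# Touch a live IPA domain only when asked, so the file can be sourced for
# the PAM check alone.
case "${1:-}" in
    setup)  ipa_hbac_smtp_setup ;;
    verify) ipa_hbac_smtp_verify ;;
    check)  check_pam_service "${2:-/etc/pam.d/smtp}" ;;
esac
```

`sh hbac-smtp.sh check` on the Postfix host is the first thing to run: it reads through the symlink and the `include system-auth` indirection and tells you which phase is not going through pam_sss.so. `hbactest` and `testsaslauthd` ask different parties (the server evaluates the rule from LDAP, saslauthd gets its answer from the host's sssd and its cache), which is why `verify` runs both and clears the cache in between; if they disagree after that, the difference is on the client side.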
On 2/17/22 15:59, Alexander Bokovoy wrote:
On Thu, 17 Feb 2022, stefano.antonelli@cnaf wrote:
Hi Alexander
thank you,
On Thu, 2022-02-17 at 16:36 +0200, Alexander Bokovoy wrote:
HBAC rules checks are done by SSSD. You have to use pam_sss, not
pam_krb5. PAM module pam_krb5 is irrelevant here, no wonder it does not
work for you.
ok, but I do see a module like pam_sss; do you mean using the config
/etc/pam.d/sssd_shadowutils from sssd-common rpm?
No. PAM config is what specifies which modules to use. Your PAM config
used wrong module which does not know anything about HBAC rules.
What pam config file name is used? /etc/pam.d/postfix?
I think it should just be a symlink to /etc/pam.d/system-auth.
the default one for postfix /etc/pam.d/smtp
Your /etc/pam.d/smtp should ideally be a symlink to system-auth, unless
it adds something different on top of it. If so, it should be including
system-auth instead. But I think a symlink should be just fine.
thank you
cheers
Stefano
> 4) krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MY.REALM
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> default_realm = MY.REALM
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> MY.REALM = {
> kdc = myipa.realm
> kdc = myipa-01.realm
> kdc = myipa-02.realm
> admin_server = myipa.realm
> }
>
> [domain_realm]
> .MYREALM = MYREALM
> MYREALM = MYREALM
>
> It works for authentication via FreeIPA but, at the moment, HBAC rules
> are still not working.
>
> Is this type of "Postfix, SASL, PAM" authentication that you meant?
>
> thank you
> cheers
> Stefano
>
> On 2022-02-16 14:47 Rob Crittenden wrote:
> > stefano.antonelli@cnaf via FreeIPA-users wrote:
> > > Dear FreeIPA users
> > >
> > > I have a three-node installation (version 4.6.8, CentOS 7.9.2009) and
> > > I'm trying to manage users and hosts in order to allow them to send
> > > emails; I've retrieved the host keytab from the ipa servers and
> > > configured the host krb5.conf for the ipa servers;
> > >
> > > I have a test user on FreeIPA (or, in future, User groups) and an smtp
> > > server (postfix; or in future Host groups) and an smtp service
> > > smtp/hostname@REALM
> > >
> > > I'd like to configure an HBAC rule in order to:
> > >
> > > 1) allow the group of users to send email via the smtp server
> > > 2) ban the user from sending email by removing him/her from the user
> > > group
> > >
> > > but there is something that's not working; I've made two tests (user
> > > in User group and deleted from User group) and in both cases the user
> > > is able to send email from his client (I attach the output of some ipa
> > > commands)
> > >
> > > Besides, I've tried to add a HBAC service "smtp" (even if I do not
> > > understand its real use, if it's "only" a tag) and a HBAC Service
> > > group but nothing has changed. At the moment I don't realize where I'm
> > > wrong even looking at some log files,
> > >
> > > thank you
> > > cheers
> > > Stefano
> > >
> > >
> > >
> > > ### 1 user-test in User Group
> > > ipa hbacrule-show smtp
> > > Rule name: smtp
> > > Service category: all
> > > Description: Access rule for smtp servers
> > > Enabled: TRUE
> > > User Groups: smtp
> > > Host Groups: smtp
> > >
> > > ipa user-show user-test
> > > Member of groups: smtp
> > > Indirect Member of HBAC rule: smtp
> > >
> > > ipa hbactest --user=user-test --host=host.domain --service=all
> > > --------------------
> > > Access granted: True
> > > --------------------
> > > Matched rules: smtp-cnaf
> > >
> > > ### 2 user-test deleted from User Group
> > >
> > > ipa hbactest --user=user-test --host=host.domain --service=all
> > > ---------------------
> > > Access granted: False
> > > ---------------------
> > > Not matched rules: smtp-cnaf
> >
> > HBAC services are PAM services. If the
> > authentication/authorization/session is going through PAM then this can
> > work. I have some vague memory of saslauthd and postfix using PAM.
> >
> > rob
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to
> [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure