Thank you both. Turning off allow_all did the trick. Now everything works perfectly.
This tool rocks!

Thanks,

Joe

-----Original Message-----
From: Stephen Gallagher [mailto:[email protected]]
Sent: Monday, June 04, 2012 5:10 AM
To: Martin Kosek
Cc: Joe Linoff; [email protected]
Subject: Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

On Mon, 2012-06-04 at 08:39 +0200, Martin Kosek wrote:
> On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
> > Hi:
> >
> > I am a newbie that is trying out FreeIPA for the first time. So far
> > I am extremely impressed with this system but I ran into a problem
> > that I need some help with. I am trying to figure out how to use HBAC
> > to restrict a set of users to a specific set of hosts but I am not
> > having any success.
> >
> > Here is the problem statement:
> >
> > I have 2 users: “user1” and “user2” that should only be able to
> > access the host “foobar” on my network. There are many other
> > possible hosts (like “wombat”) that they cannot access. They can
> > login from anywhere using “ssh”.
> >
> > The goal is to restrict students to a specific set of machines.
> >
> > What I tried to do was this:
> >
> > 1. Create a user group called “restricted-users” which I could
> >    add users to.
> > 2. Create a HBAC rule named “restricted-users” that
> >    a. Defines the host I want to allow them access to
> >       (“restricted-host”).
> >    b. Defines the user group that is affected by this rule
> >       (“restricted-users”).
> >    c. Defines the services they are allowed to use on that host
> >       (including login).
> > 3. Create a user named “user1” that is enrolled in the
> >    “restricted-users” group.
> >
> > I then tried this experiment:
> >
> > 1. ssh -Y user1@foobar
> >    a. It worked like a charm. The login worked correctly.
> > 2. ssh -Y user1@wombat
> >    a. It also worked like a charm but in this case it was undesired
> >       behavior.
> >
> > I am sure that I am missing something really obvious. Any help would
> > be greatly appreciated.
> >
> > Errata:
> > 1. OS: CentOS 6.2
> > 2. FreeIPA: v2.1.3 (9el6)
> >
> > Thank you,
> >
> > Joe
>
> Hello Joe,
>
> did you disable default allow_all HBAC rule?
>
> # ipa hbacrule-show allow_all
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Source host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: TRUE
>
> With this rule disabled, the policy you described should be properly
> enforced. When testing HBAC rules you may want to try CLI and Web UI
> interface to hbactest command, which can help you to test who can use
> what service on which machine and also which rules did match when the
> access was allowed.

If you're still experiencing problems after disabling the default
allow_all rule, please submit the relevant section of /var/log/secure so
we can see if anything peculiar is occurring in the PAM authentication
and authorization.

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
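Added example (not from the thread and not FreeIPA's own code): a small Python model of how HBAC rules are evaluated, which shows why the enabled allow_all rule matched both hosts and why disabling it leaves the restricted-users rule as the only one that applies. Rule names and hosts are the ones from the thread; the service name sshd and user1's group membership are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HbacRule:
    """One HBAC rule, with the fields that `ipa hbacrule-show` prints."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" matches every user
    host_category: Optional[str] = None      # "all" matches every host
    service_category: Optional[str] = None   # "all" matches every service
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def matches(self, user, user_groups, host, service):
        # A rule applies only when every dimension matches: a category of
        # "all" matches anything, otherwise an explicit member is required.
        # (Source host is left out; it played no part in Joe's problem.)
        if not self.enabled:
            return False
        user_ok = (self.user_category == "all" or user in self.users
                   or bool(user_groups & self.groups))
        host_ok = self.host_category == "all" or host in self.hosts
        svc_ok = self.service_category == "all" or service in self.services
        return user_ok and host_ok and svc_ok


def hbactest(rules, user, user_groups, host, service):
    """Return (granted, names of matching rules). Access is granted when at
    least one enabled rule matches, which is what `ipa hbactest` reports."""
    matched = [r.name for r in rules
               if r.matches(user, set(user_groups), host, service)]
    return bool(matched), matched


def run_scenario(allow_all_enabled):
    """Joe's setup: user1 in restricted-users, allowed sshd on foobar only."""
    rules = [
        HbacRule("allow_all", enabled=allow_all_enabled, user_category="all",
                 host_category="all", service_category="all"),
        HbacRule("restricted-users", groups={"restricted-users"},
                 hosts={"foobar"}, services={"sshd"}),   # sshd is assumed
    ]
    user1_groups = {"restricted-users"}   # constructed membership
    return {host: hbactest(rules, "user1", user1_groups, host, "sshd")
            for host in ("foobar", "wombat")}


if __name__ == "__main__":
    for state in (True, False):
        print("allow_all enabled:" if state else "allow_all disabled:",
              run_scenario(state))
```

The matched-rule list is the part worth checking against a real `ipa hbactest` run: an unexpected grant always names the rule that caused it.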
