I started this post with a simple question: "is it possible to have HBAC work with AD authenticated users". I was not able from the tips provided to get any further with this.

What I have not been able to have addressed is: if there are no HBAC rules, there should be no access, or if there is no Allow_Access rule, no one should be able to log in to any system. Currently, with this configuration, everyone has access to every system. My PAM stack is exactly as recommended. Is there someone who has FreeIPA with Active Directory authenticated users and HBAC working? I don't have a trust defined with AD, but authentication is working fine.

From the following link: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-groups.html

It says in the second paragraph: "However, Active Directory users cannot be added directly to FreeIPA user groups. This means that Active Directory users require special configuration in order to access FreeIPA domain resources."

There is then a procedure given to create user groups that work with HBAC. I don't see how this would help me, since adding a user to a group could only be used to further allow access to systems, but all users already have total access to all systems.

Thanks for your help!

Warren

On 1/25/16, 2:47 PM, "Alexander Bokovoy" <[email protected]> wrote:

>On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote:
>>OK. I have done this and am using the pam stack that is the result of
>>what you describe here.
>>
>>A few threads back you mentioned that this could be a reason why my hbac
>>are not restricting access. I have no hbac rules currently and any
>>active directory user can access any host. Is there something else I could
>>look at to see why this is happening?
>https://fedorahosted.org/sssd/wiki/Troubleshooting is your friend.
>
>--
>/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
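One check worth running on the affected hosts, added here as an example and not part of the thread, is which SSSD access provider each domain uses: SSSD only evaluates FreeIPA HBAC rules for a domain whose access_provider is ipa, and a domain that omits the setting defaults to permit, which admits every authenticated user regardless of HBAC. The script parses a constructed sssd.conf; the domain names and the /etc/sssd/sssd.conf path are assumptions.

```python
import configparser
from typing import Dict, Tuple

# Constructed sample; on a real host read /etc/sssd/sssd.conf (assumed path).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa.example.test, corp.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa

[domain/corp.example.test]
id_provider = ldap
auth_provider = krb5
# no access_provider: SSSD defaults to 'permit', so HBAC is never consulted
"""


def audit_sssd_access(conf_text: str) -> Dict[str, Tuple[str, bool]]:
    """Return {domain: (access_provider, enforces_policy)} per [domain/...] section.

    A missing access_provider is reported as 'permit' (the SSSD default);
    such a domain lets every user who authenticates log in to the host.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings: Dict[str, Tuple[str, bool]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        provider = cp.get(section, "access_provider", fallback="permit").strip().lower()
        findings[section[len("domain/"):]] = (provider, provider != "permit")
    return findings


def hbac_enforced(conf_text: str) -> bool:
    """True only when every configured domain delegates access control to FreeIPA (ipa)."""
    providers = [p for p, _ in audit_sssd_access(conf_text).values()]
    return bool(providers) and all(p == "ipa" for p in providers)


if __name__ == "__main__":
    for domain, (provider, ok) in audit_sssd_access(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: access_provider={provider} -> {'policy enforced' if ok else 'PERMIT ALL'}")
```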
