On Thu, 17 Feb 2022, stefano.antonelli@cnaf wrote:
Hi Alexander
thank you,
On Thu, 2022-02-17 at 16:36 +0200, Alexander Bokovoy wrote:
> HBAC rule checks are done by SSSD. You have to use pam_sss, not
> pam_krb5. PAM module pam_krb5 is irrelevant here, no wonder it does
> not work for you.
>
OK, but I do see a module like pam_sss; do you mean using the config
/etc/pam.d/sssd_shadowutils from the sssd-common rpm?
No. PAM config is what specifies which modules to use. Your PAM config
used the wrong module, which does not know anything about HBAC rules.
>
> What pam config file name is used? /etc/pam.d/postfix?
> I think it should just be a symlink to /etc/pam.d/system-auth.
>
The default one for postfix, /etc/pam.d/smtp.
Your /etc/pam.d/smtp should ideally be a symlink to system-auth, unless
it adds something different on top of it. If so, it should be including
system-auth instead. But I think a symlink should be just fine.
thank you
cheers
Stefano
>
> > 4) krb5.conf
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> > default_realm = MY.REALM
> > dns_lookup_realm = false
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > forwardable = true
> > rdns = false
> > pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> > default_realm = MY.REALM
> > default_ccache_name = KEYRING:persistent:%{uid}
> >
> > [realms]
> > MY.REALM = {
> > kdc = myipa.realm
> > kdc = myipa-01.realm
> > kdc = myipa-02.realm
> > admin_server = myipa.realm
> > }
> >
> > [domain_realm]
> > .MYREALM = MYREALM
> > MYREALM = MYREALM
> >
> > It works for authentication via FreeIPA but, at the moment, HBAC roles
> > are still not working.
> >
> > Is this type of "Postfix, SASL, PAM" authentication that you meant?
> >
> > thank you
> > cheers
> > Stefano
> >
> > On 2022-02-16 14:47 Rob Crittenden wrote:
> > > stefano.antonelli@cnaf via FreeIPA-users wrote:
> > > > Dear FreeIPA users
> > > >
> > > > I have a three-node installation (version 4.6.8, CentOS 7.9.2009) and
> > > > I'm trying to manage users and hosts in order to allow them to send
> > > > emails; I've retrieved the host keytab from the ipa servers and
> > > > configured the host krb5.conf to point at the ipa servers;
> > > >
> > > > I have a test user on FreeIPA (or, in future, User groups) and an smtp
> > > > server (postfix; or in future Host groups) and an smtp service
> > > > smtp/hostname@REALM
> > > >
> > > > I'd like to configure an HBAC rule in order to:
> > > >
> > > > 1) allow the group of users to send email via the smtp server
> > > > 2) ban the user from sending email by removing him/her from the user
> > > > group
> > > >
> > > > but there is something that's not working. I've made two tests (user
> > > > in User group and deleted from User group) and in both cases the user
> > > > is able to send email from his client (I attach the output of some ipa
> > > > commands)
> > > >
> > > > Besides, I've tried to add an HBAC service "smtp" (even if I do not
> > > > understand its real use, if it's "only" a tag) and an HBAC Service
> > > > group but nothing has changed. At the moment I don't see where I'm
> > > > wrong, even looking at some log files,
> > > >
> > > > thank you
> > > > cheers
> > > > Stefano
> > > >
> > > >
> > > >
> > > > ### 1 user-test in User Group
> > > > ipa hbacrule-show smtp
> > > > Rule name: smtp
> > > > Service category: all
> > > > Description: smtp server access rule
> > > > Enabled: TRUE
> > > > User Groups: smtp
> > > > Host Groups: smtp
> > > >
> > > > ipa user-show user-test
> > > > Member of groups: smtp
> > > > Indirect Member of HBAC rule: smtp
> > > >
> > > > ipa hbactest --user=user-test --host=host.domain --service=all
> > > > --------------------
> > > > Access granted: True
> > > > --------------------
> > > > Matched rules: smtp-cnaf
> > > >
> > > > ### 2 user-test deleted from User Group
> > > >
> > > > ipa hbactest --user=user-test --host=host.domain --service=all
> > > > ---------------------
> > > > Access granted: False
> > > > ---------------------
> > > > Not matched rules: smtp-cnaf
> > >
> > > HBAC services are PAM services. If the
> > > authentication/authorization/session is going through PAM then this can
> > > work. I have some vague memory of saslauthd and postfix using PAM.
> > >
> > > rob
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
>
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
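The check Alexander's advice boils down to, as an added example that is not part of the thread and not FreeIPA or SSSD code: a small POSIX shell script that reads a PAM service file such as /etc/pam.d/smtp, follows include/substack lines and symlinks the way PAM resolves them under /etc/pam.d, and reports whether the auth and account stacks ever reach pam_sss.so (HBAC is enforced by SSSD from pam_sss in the account phase, so a stack that only uses pam_krb5.so can verify a password but never consults HBAC). The file names smtp, smtp.broken and smtp.include and the stacks written into a temporary directory are constructed fixtures for the demo, not copied from any host.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PAM service file and report
# whether its "auth" and "account" stacks actually reach pam_sss.so.
# `local` is used below; dash, bash and busybox sh all support it.
set -eu

# pam_modules_for FILE TYPE: print the module basenames that stack TYPE
# (auth/account/...) of FILE uses, recursing into include/substack targets.
# Relative targets are looked up next to FILE, as PAM does under /etc/pam.d.
pam_modules_for() {
    local file="$1" type="$2" dir kind name
    [ -r "$file" ] || return 0
    dir=$(dirname "$file")
    sed -e 's/#.*//' "$file" | awk -v t="$type" '
        NF >= 3 && ($1 == t || $1 == ("-" t)) {
            c = 2                                   # index of the control field
            if ($2 ~ /^\[/) while (c <= NF && $c !~ /\]$/) c++   # skip [..] control syntax
            if ($c == "include" || $c == "substack") print "INCLUDE", $(c + 1)
            else print "MODULE", $(c + 1)
        }' | while read -r kind name; do
        case "$kind" in
            INCLUDE)
                case "$name" in
                    /*) pam_modules_for "$name" "$type" ;;
                    *)  pam_modules_for "$dir/$name" "$type" ;;
                esac ;;
            MODULE) printf '%s\n' "${name##*/}" ;;
        esac
    done
}

# hbac_ready FILE: return 0 when both stacks reach pam_sss.so and neither
# uses pam_krb5.so; otherwise explain on stderr and return 1.
hbac_ready() {
    local file="$1" type mods rc=0
    for type in auth account; do
        mods=$(pam_modules_for "$file" "$type")
        if printf '%s\n' "$mods" | grep -qx pam_krb5.so; then
            echo "$file: $type stack uses pam_krb5.so, which knows nothing about HBAC" >&2
            rc=1
        fi
        if ! printf '%s\n' "$mods" | grep -qx pam_sss.so; then
            echo "$file: $type stack never reaches pam_sss.so" >&2
            rc=1
        fi
    done
    return "$rc"
}

# make_fixture: build a throw-away /etc/pam.d look-alike from constructed
# sample stacks (assumed content, not taken from any real host) and print its path.
make_fixture() {
    local d
    d=$(mktemp -d)
    cat > "$d/system-auth" <<'EOF'
# constructed system-auth with SSSD in both the auth and account stacks
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF
    # the broken smtp service: Kerberos password check only, so no HBAC
    cat > "$d/smtp.broken" <<'EOF'
auth        required      pam_krb5.so
account     required      pam_krb5.so
EOF
    # the fix from the thread: make smtp a symlink to system-auth ...
    ln -s system-auth "$d/smtp"
    # ... or, when smtp needs something extra on top, include system-auth
    cat > "$d/smtp.include" <<'EOF'
auth        include       system-auth
account     include       system-auth
EOF
    printf '%s\n' "$d"
}

demo() {
    local d f
    d=$(make_fixture)
    for f in smtp.broken smtp smtp.include; do
        if hbac_ready "$d/$f"; then echo "$f: HBAC is enforced"
        else echo "$f: HBAC is NOT enforced"; fi
    done
    rm -rf "$d"
}
demo
```

Against a real host, run `hbac_ready /etc/pam.d/smtp` (or whatever service name saslauthd is configured with). The PAM service name is what SSSD hands to the HBAC evaluation, so a rule restricted to a specific HBAC service only matches when that service name equals the PAM file name; the rule in the thread uses "Service category: all" and so matches any PAM service.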