Hi Alexander
thank you,
On Thu, 2022-02-17 at 16:36 +0200, Alexander Bokovoy wrote:
HBAC rules checks are done by SSSD. You have to use pam_sss, not
pam_krb5. PAM module pam_krb5 is irrelevant here, no wonder it does
not work for you.
OK, but I do see a module like pam_sss; do you mean using the config
/etc/pam.d/sssd_shadowutils from the sssd-common rpm?
What pam config file name is used? /etc/pam.d/postfix?
I think it should just be a symlink to /etc/pam.d/system-auth.
The default one for postfix is /etc/pam.d/smtp.
thank you
cheers
Stefano
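The chain the thread converges on is Postfix -> Cyrus SASL (saslauthd) -> PAM -> pam_sss -> SSSD, with SSSD evaluating the HBAC rule in PAM's account phase, not in the auth phase. What follows is an added example, not configuration taken from Stefano's hosts or from the FreeIPA project: it writes the PAM stack for the `smtp` service (the service name saslauthd hands to PAM on behalf of Postfix, and therefore the HBAC service name SSSD sees), switches saslauthd to its PAM mechanism, and limits smtpd to the PLAIN and LOGIN mechanisms so that every login actually passes through PAM. A GSSAPI SASL login never enters PAM and so never reaches HBAC, which is one way a user removed from the group can keep sending mail. The `user-test` and `host.domain` names are taken from the thread; the directory-prefix argument is an assumption added so the function can be exercised in a scratch directory before touching /etc. It also assumes sssd.conf keeps the ipa-client-install default `access_provider = ipa`, since with `access_provider = permit` the pam_sss account phase permits everyone regardless of HBAC.

```shell
#!/bin/sh
# Added example: Postfix -> saslauthd -> PAM -> pam_sss -> SSSD HBAC.
# Config fragments are written under a prefix directory (use "" for the real
# system) so the same function can be checked in a scratch directory first.
# user-test / host.domain come from the thread; the prefix argument and the
# file names under it are assumptions for this demonstration.
set -eu

write_smtp_auth_stack() {
    root="${1:-}"   # "" writes to /etc; a scratch dir keeps the host untouched
    mkdir -p "$root/etc/pam.d" "$root/etc/sasl2" "$root/etc/sysconfig" "$root/etc/postfix"

    # PAM service "smtp": the name saslauthd passes to PAM for Postfix, hence the
    # HBAC service name pam_sss reports to SSSD. HBAC is evaluated by pam_sss in
    # the account phase, so the account line is the one that enforces the rule.
    cat > "$root/etc/pam.d/smtp" <<'EOF'
#%PAM-1.0
auth       required   pam_env.so
auth       sufficient pam_sss.so
auth       required   pam_deny.so
account    required   pam_sss.so
EOF

    # saslauthd must use its PAM mechanism; MECH=kerberos5 would bypass PAM
    # (and with it HBAC) in the same way pam_krb5 did in the thread.
    cat > "$root/etc/sysconfig/saslauthd" <<'EOF'
SOCKETDIR=/run/saslauthd
MECH=pam
FLAGS=
EOF

    # Cyrus SASL application config for smtpd (smtpd_sasl_path = smtpd).
    # GSSAPI is deliberately left out of mech_list: a GSSAPI login never
    # touches PAM, so HBAC would not apply to it.
    cat > "$root/etc/sasl2/smtpd.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF

    # Postfix main.cf fragment (append to the real main.cf on the host).
    cat > "$root/etc/postfix/main.cf.sasl" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
EOF
}

# Returns 0 when the PAM stack routes both the auth and the account phase
# through pam_sss and never references pam_krb5.
pam_stack_uses_sss() {
    f="$1"
    grep -Eq '^auth[[:space:]]+[a-z]+[[:space:]]+pam_sss\.so' "$f" || return 1
    grep -Eq '^account[[:space:]]+[a-z]+[[:space:]]+pam_sss\.so' "$f" || return 1
    ! grep -q 'pam_krb5' "$f"
}

# The HBAC check to run on an enrolled client: test the real PAM service
# name, not "all", because "smtp" is what pam_sss actually sends to SSSD.
hbac_test_cmd() {
    printf 'ipa hbactest --user=%s --host=%s --service=smtp\n' "$1" "$2"
}

# Demonstration against a scratch directory; on the real host call with "".
main() {
    tmp="$(mktemp -d)"
    write_smtp_auth_stack "$tmp"
    pam_stack_uses_sss "$tmp/etc/pam.d/smtp" && echo "pam.d/smtp routes auth+account through pam_sss"
    hbac_test_cmd user-test host.domain
}

main
```

Run the printed `ipa hbactest` line on the mail host once with the user in the `smtp` group and once after removing them; with the rule's service category set to "all" both `--service=all` and `--service=smtp` match, but testing `smtp` also covers a rule that is later narrowed to the named HBAC service. Then repeat the real test with a PLAIN login over TLS against smtpd: if the SASL login still succeeds for the removed user, the request is not reaching pam_sss (wrong saslauthd MECH, a GSSAPI mechanism, or an access_provider other than ipa).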
> 4) krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = MY.REALM
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
> default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> MY.REALM = {
> kdc = myipa.realm
> kdc = myipa-01.realm
> kdc = myipa-02.realm
> admin_server = myipa.realm
> }
>
> [domain_realm]
> .MYREALM = MYREALM
> MYREALM = MYREALM
>
> It works for authentication via FreeIPA but, at the moment, HBAC
> rules are still not working.
>
> Is this type of "Postfix, SASL, PAM" authentication that you meant?
>
> thank you
> cheers
> Stefano
>
> On 2022-02-16 14:47 Rob Crittenden wrote:
> > stefano.antonelli@cnaf via FreeIPA-users wrote:
> > > Dear FreeIPA users
> > >
> > > I have a three-node installation (version 4.6.8, CentOS 7.9.2009) and
> > > I'm trying to manage users and hosts in order to allow them to send
> > > emails; I've retrieved the host keytab from the ipa servers and
> > > configured the host krb5.conf to point to the ipa servers;
> > >
> > > I've a test user on FreeIPA (or, in future, User groups) and an smtp
> > > server (postfix; or in future Host groups) and an smtp service
> > > smtp/hostname@REALM
> > >
> > > I'd like to configure an HBAC rule in order to:
> > >
> > > 1) allow the group of users to send email via the smtp server
> > > 2) ban the user from sending email by removing him/her from the user
> > > group
> > >
> > > but there is something that's not working, I've made two tests (user
> > > in User group and deleted from User group) and in both cases the user
> > > is able to send email from his client (I attach the output of some ipa
> > > commands)
> > >
> > > Besides, I've tried to add an HBAC service "smtp" (even if I do not
> > > understand its real use, if it's "only" a tag) and an HBAC Service
> > > group but nothing has changed. At the moment I don't realize where
> > > I'm wrong even looking at some log files,
> > >
> > > thank you
> > > cheers
> > > Stefano
> > >
> > >
> > >
> > > ### 1 user-test in User Group
> > > ipa hbacrule-show smtp
> > > Rule name: smtp
> > > Service category: all
> > > Description: Regola di accesso ai server smtp
> > > Enabled: TRUE
> > > User Groups: smtp
> > > Host Groups: smtp
> > >
> > > ipa user-show user-test
> > > Member of groups: smtp
> > > Indirect Member of HBAC rule: smtp
> > >
> > > ipa hbactest --user=user-test --host=host.domain --service=all
> > > --------------------
> > > Access granted: True
> > > --------------------
> > > Matched rules: smtp-cnaf
> > >
> > > ### 2 user-test deleted from User Group
> > >
> > > ipa hbactest --user=user-test --host=host.domain --service=all
> > > ---------------------
> > > Access granted: False
> > > ---------------------
> > > Not matched rules: smtp-cnaf
> >
> > HBAC services are PAM services. If the
> > authentication/authorization/session is going through PAM then this
> > can work. I have some vague memory of saslauthd and postfix using PAM.
> >
> > rob
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org