Dear FreeIPA users,
I have a three-node installation (version 4.6.8, CentOS 7.9.2009) and
I'm trying to manage users and hosts in order to allow them to send
emails; I've retrieved the host keytab from the IPA servers and configured
the host's krb5.conf to point to the IPA servers.
I have a test user on FreeIPA (or, in future, User groups) and an SMTP
server (Postfix; or in future Host groups) and an smtp service
smtp/hostname@REALM.
I'd like to configure an HBAC rule in order to:
1) allow the group of users to send email via the SMTP server
2) ban a user from sending email by removing him/her from the user group
but something is not working: I've made two tests (user in the
User group and deleted from the User group) and in both cases the user is
able to send email from his client (I attach the output of some ipa
commands).
Besides, I've tried to add an HBAC service "smtp" (even if I do not
understand its real use, or whether it's only a tag) and an HBAC Service
group, but nothing has changed. At the moment I don't realize where I'm
wrong, even looking at some log files.
Thank you,
cheers
Stefano
### 1 user-test in User Group
ipa hbacrule-show smtp
Rule name: smtp
Service category: all
Description: Regola di accesso ai server smtp
Enabled: TRUE
User Groups: smtp
Host Groups: smtp
ipa user-show user-test
Member of groups: smtp
Indirect Member of HBAC rule: smtp
ipa hbactest --user=user-test --host=host.domain --service=all
--------------------
Access granted: True
--------------------
Matched rules: smtp-cnaf
### 2 user-test deleted from User Group
ipa hbactest --user=user-test --host=host.domain --service=all
---------------------
Access granted: False
---------------------
Not matched rules: smtp-cnaf
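As an added example (not from Stefano's post or from the FreeIPA project), a small bash script that checks whether the SMTP daemon's PAM stack actually reaches pam_sss, which is where SSSD enforces HBAC on the host; it assumes Postfix with Cyrus SASL and saslauthd using PAM service name "smtp" (/etc/pam.d/smtp), and works on constructed sample PAM files so it runs offline.

```bash
#!/bin/bash
# Added example, not part of the original post. FreeIPA HBAC rules are not
# enforced by the IPA server but by SSSD on the host, in the PAM "account"
# phase via pam_sss.so, and only for the PAM service name the daemon uses.
# A mail daemon that never calls PAM (or whose PAM stack lacks pam_sss)
# ignores HBAC whatever "ipa hbactest --service=all" reports.
# Assumption: Postfix + Cyrus SASL + saslauthd -a pam -> PAM service "smtp".

# pam_stack_enforces_hbac FILE
# Returns 0 if FILE has an active (uncommented) account-phase line that
# calls pam_sss.so, 1 otherwise. An auth-only pam_sss line is not enough:
# SSSD evaluates HBAC during PAM account management.
pam_stack_enforces_hbac() {
  local file="$1"
  [ -r "$file" ] || return 1
  grep -Eq '^[[:space:]]*-?account[[:space:]]+[^#]*pam_sss\.so' "$file"
}

# hbac_check USER HOST PAMSERVICE
# Tests the rule against the real PAM service name rather than the
# catch-all "all"; this is what SSSD asks the server for at login time.
hbac_check() {
  ipa hbactest --user="$1" --host="$2" --service="$3"
}

# write_sample_pam FILE MODE
# Writes a constructed PAM stack for offline demonstration.
# MODE: full     -> pam_sss in auth and account (HBAC enforced)
#       authonly -> pam_sss in auth only (HBAC not enforced)
#       none     -> local pam_unix only
write_sample_pam() {
  local file="$1" mode="$2"
  {
    echo "#%PAM-1.0"
    echo "# account required pam_sss.so   (commented out: must not count)"
    [ "$mode" != none ] && echo "auth     sufficient pam_sss.so"
    [ "$mode" = full ]  && echo "account  required   pam_sss.so"
    echo "auth     required   pam_unix.so"
    echo "account  required   pam_unix.so"
  } > "$file"
}

# Stand-alone demo over the three constructed stacks.
for m in full authonly none; do
  t=$(mktemp); write_sample_pam "$t" "$m"
  pam_stack_enforces_hbac "$t" && echo "$m: HBAC enforced" || echo "$m: NOT enforced"
  rm -f "$t"
done
```

On a real host, run `pam_stack_enforces_hbac /etc/pam.d/smtp` and `hbac_check user-test host.domain smtp` together: the rule only matters if both succeed.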