Hi,
sorry, ignore this email... sent by mistake
cheers
stefano
On 2022-02-17 12:26 stefano.antonelli@cnaf via FreeIPA-users wrote:
> Hi Rob,
>
> thank you for your reply which recalls something I read (I hoped it
> was only my mistake...)
>
>> HBAC services are PAM services. If the
>> authentication/authorization/session is going through PAM then this can
>> work. I have some vague memory of saslauthd and postfix using PAM.
>
> I've tried to modify my auth chain in:
>
> Postfix (1) -> saslauth (2) -> PAM (pam_krb5)
>
> 1) Postfix: smtpd_sasl_type = cyrus
> 2) saslauth:
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN
>
> On 2022-02-16 14:47 Rob Crittenden wrote:
>> stefano.antonelli@cnaf via FreeIPA-users wrote:
>>> Dear FreeIPA users
>>>
>>> I have a three nodes installation (version 4.6.8, CentOS 7.9.2009) and
>>> I'm trying to manage users and hosts in order to allow them to send
>>> emails; I've retrieved host keytab from ipa servers and configured host
>>> krb5.conf to ipa servers;
>>>
>>> I've a test user on FreeIPA (or, in future, User groups) and an smtp
>>> server (postfix; or in future Host groups) and a smtp service
>>> smtp/hostname@REALM
>>>
>>> I'd like to configure an HBAC rule in order to:
>>>
>>> 1) allow the group of user to send email via the smtp server
>>> 2) ban the user to send email removing him/her from the user group
>>>
>>> but there is something that's not working, I've made two tests (user in
>>> User group and deleted from User group) and in both cases the user is
>>> able to send email from his client (I attach the output of some ipa
>>> commands)
>>>
>>> Besides, I've tried to add a HBAC service "smtp" (even if I do not
>>> understand its real use, if it's "only" a tag) and a HBAC Service
>>> group but nothing has changed. At the moment I don't realize where I'm
>>> wrong even looking at some log files,
>>>
>>> thank you
>>> cheers
>>> Stefano
>>>
>>> ### 1 user-test in User Group
>>> ipa hbacrule-show smtp
>>> Rule name: smtp
>>> Service category: all
>>> Description: Regola di accesso ai server smtp
>>> Enabled: TRUE
>>> User Groups: smtp
>>> Host Groups: smtp
>>>
>>> ipa user-show user-test
>>> Member of groups: smtp
>>> Indirect Member of HBAC rule: smtp
>>>
>>> ipa hbactest --user=user-test --host=host.domain --service=all
>>> --------------------
>>> Access granted: True
>>> --------------------
>>> Matched rules: smtp-cnaf
>>>
>>> ### 2 user-test deleted from User Group
>>>
>>> ipa hbactest --user=user-test --host=host.domain --service=all
>>> ---------------------
>>> Access granted: False
>>> ---------------------
>>> Not matched rules: smtp-cnaf
>>
>> HBAC services are PAM services. If the
>> authentication/authorization/session is going through PAM then this can
>> work. I have some vague memory of saslauthd and postfix using PAM.
>>
>> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
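The point Rob makes in the quoted thread (HBAC services are PAM services, so a rule only bites when the login path goes through PAM) has a concrete consequence for the chain Stefano describes: a saslauthd PAM stack that only calls pam_krb5 verifies the password against the KDC but never asks SSSD, so `ipa hbactest` can say "Access granted: False" while mail still goes out. SSSD applies HBAC in the `account` phase of pam_sss. The script below is an added example, not code from the thread or from the FreeIPA project; it checks a PAM stack file for that pam_sss account line. The file name `smtp` is an assumption about the PAM service name saslauthd uses for Postfix, and both sample stacks are constructed here so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): does a PAM stack let SSSD enforce
# FreeIPA HBAC rules? SSSD evaluates HBAC in the "account" phase of
# pam_sss.so; a stack that only calls pam_krb5.so checks the password but
# never consults the HBAC rules, which matches the symptom in the thread.
# The service file name "smtp" is an assumption about what saslauthd's PAM
# backend uses for Postfix; confirm it against your own saslauthd settings.

# Returns 0 when FILE has an uncommented "account" line that calls
# pam_sss.so, 1 otherwise (or if the file is unreadable).
pam_stack_enforces_hbac() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -Ev '^[[:space:]]*#' "$file" \
      | awk '$1 == "account" && $0 ~ /pam_sss\.so/ { found = 1 }
             END { exit found ? 0 : 1 }'
}

# Constructed sample stacks in a temp dir so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Stack 1: pam_krb5 only. The password is verified, HBAC is never consulted.
cat > "$SAMPLE_DIR/smtp.krb5" <<'EOF'
#%PAM-1.0
auth     required   pam_krb5.so
account  required   pam_krb5.so
EOF

# Stack 2: pam_sss in auth and account. SSSD evaluates the HBAC rules for
# the PAM service name (here assumed to be "smtp") before granting access.
cat > "$SAMPLE_DIR/smtp.sss" <<'EOF'
#%PAM-1.0
auth     required   pam_sss.so
account  required   pam_sss.so
EOF

report() {
    if pam_stack_enforces_hbac "$1"; then
        echo "$1: pam_sss in account phase, HBAC rules apply"
    else
        echo "$1: no pam_sss in account phase, HBAC rules are NOT enforced"
    fi
}

report "$SAMPLE_DIR/smtp.krb5"
report "$SAMPLE_DIR/smtp.sss"
```

Run it against the real file (for example `pam_stack_enforces_hbac /etc/pam.d/smtp`) on the mail host; if it reports no pam_sss in the account phase, the HBAC rule shown in `ipa hbacrule-show` is not what decides whether the client can send, whatever `ipa hbactest` reports.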