Hi Rob,
> HBAC services are PAM services. If the authentication/authorization/session is going through PAM then this can work. I have some vague memory of saslauthd and postfix using PAM.
Thank you for your reply, which recalls something I read about HBAC/PAM and makes me discover a new chain of authentication (and I hoped I was wrong and it was only my mistake in the configuration, but...).
I've tried to modify my auth chain in:
Postfix (1) -> saslauth (2) -> PAM (pam_krb5)
1) Postfix: smtpd_sasl_type = cyrus
2) saslauth:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
3) pam_krb5 (just to start; it's the first time I've configured pam_krb5)
auth required /usr/lib64/security/pam_krb5.so
session optional /usr/lib64/security/pam_krb5.so
account sufficient /usr/lib64/security/pam_krb5.so
password sufficient /usr/lib64/security/pam_krb5.so
4) krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MY.REALM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = MY.REALM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
MY.REALM = {
kdc = myipa.realm
kdc = myipa-01.realm
kdc = myipa-02.realm
admin_server = myipa.realm
}
[domain_realm]
.MYREALM = MYREALM
MYREALM = MYREALM
It works for authentication via FreeIPA but, at the moment, HBAC roles are still not working.
Is this the type of "Postfix, SASL, PAM" authentication you meant?
thank you
cheers
Stefano
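A PAM stack for the Postfix -> saslauthd -> PAM path that actually consults HBAC, added here as an illustration and not part of Stefano's or Rob's messages: pam_krb5 only verifies the password against the KDC and never asks FreeIPA about HBAC, whereas pam_sss hands the request to SSSD, whose IPA access provider evaluates the HBAC rules for the user, the host and the calling PAM service name. The service file name `smtp` (what saslauthd started with `-a pam` uses for Postfix), the module paths and the realm name are assumptions for a CentOS 7 client enrolled with ipa-client-install.

```conf
# /etc/pam.d/smtp  (assumed PAM service name saslauthd uses for Postfix)
#
# Stack from the message above: pam_krb5 only checks the password
# against the KDC, so any valid principal authenticates and the HBAC
# rules in FreeIPA are never consulted.
#auth     required   pam_krb5.so
#account  sufficient pam_krb5.so
#
# HBAC-aware stack: pam_sss forwards both phases to SSSD. The account
# phase is where SSSD applies HBAC; a user removed from the rule's
# user group gets "permission denied" here even with a correct password.
auth     sufficient pam_sss.so
auth     required   pam_deny.so
account  required   pam_sss.so
session  optional   pam_sss.so

# /etc/sssd/sssd.conf (relevant lines; ipa-client-install writes
# these by default, "my.realm" is an assumed domain name)
[domain/my.realm]
id_provider = ipa
auth_provider = ipa
# "ipa" makes SSSD evaluate HBAC rules during the PAM account phase
access_provider = ipa
```

With the rule's Service category set to all, as in the `hbacrule-show` output quoted below, any PAM service name matches, so the rule applies to "smtp" without registering it. To scope the rule to mail only, clear the service category, register the service with `ipa hbacsvc-add smtp`, attach it with `ipa hbacrule-add-service smtp --hbacsvcs=smtp`, and re-check with `ipa hbactest --user=user-test --host=host.domain --service=smtp`.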
On 2022-02-16 14:47 Rob Crittenden wrote:
stefano.antonelli@cnaf via FreeIPA-users wrote:
> Dear FreeIPA users
>
> I have a three-node installation (version 4.6.8, CentOS 7.9.2009) and I'm trying to manage users and hosts in order to allow them to send emails; I've retrieved the host keytab from the ipa servers and configured the host's krb5.conf for the ipa servers;
>
> I have a test user on FreeIPA (or, in future, User groups) and an smtp server (postfix; or in future Host groups) and an smtp service smtp/hostname@REALM
>
> I'd like to configure an HBAC rule in order to:
>
> 1) allow the user group to send email via the smtp server
> 2) ban the user from sending email by removing him/her from the user group
>
> but there is something that's not working. I've made two tests (user in the User group and deleted from the User group) and in both cases the user is able to send email from his client (I attach the output of some ipa commands)
>
> Besides, I've tried to add an HBAC service "smtp" (even if I do not understand its real use, or whether it's only a tag) and an HBAC Service group, but nothing has changed. At the moment I don't realize where I'm wrong even looking at some log files,
>
> thank you
> cheers
> Stefano
>
>
>
> ### 1 user-test in User Group
> ipa hbacrule-show smtp
> Rule name: smtp
> Service category: all
> Description: Regola di accesso ai server smtp
> Enabled: TRUE
> User Groups: smtp
> Host Groups: smtp
>
> ipa user-show user-test
> Member of groups: smtp
> Indirect Member of HBAC rule: smtp
>
> ipa hbactest --user=user-test --host=host.domain --service=all
> --------------------
> Access granted: True
> --------------------
> Matched rules: smtp-cnaf
>
> ### 2 user-test deleted from User Group
>
> ipa hbactest --user=user-test --host=host.domain --service=all
> ---------------------
> Access granted: False
> ---------------------
> Not matched rules: smtp-cnaf
HBAC services are PAM services. If the authentication/authorization/session is going through PAM then this can work. I have some vague memory of saslauthd and postfix using PAM.
rob