[Freeipa-users] sssd receives another uid/gid after disabled HBAC rule

Sumit Bose sbose at redhat.com
Mon Sep 8 07:17:51 UTC 2014 

On Sun, Sep 07, 2014 at 11:41:16PM +0200, Gregor Bregenzer wrote:
> Hi!
> 
> I have an AD trust with FreeIPA 4.0.1 and defined a HBAC rule for a
> specific user group (=ad_users which is an posix group that has an
> external group as member) to login on a specific client
> (=linux1.linux.intern).
> 
> The problem is: once i disable the rule and the AD user is not allowed
> to login anymore, the user on the client gets another uid and gid via
> sssd.
> 
> I use the posix attributes from AD, which will get received by sssd perfectly.
> The client is running on CentOS 6.5 and uses sssd 1.9.2.129.el6_5.4
> AD domain = aaa.intern
> IPA domain = linux.intern
> AD-User: user1   (uid=1005,gid=10005)
> 
> Here an example:
> ----------------------------
> 1.) disable the hbac rule and the default allow_all rule:
> 2.) check the uid/gid on the client (=linux1.linux.intern) and it looks fine:
> 
> [root at linux1 sssd]# getent passwd user1 at aaa
> user1 at aaa.intern:*:10005:10005::/home/user1 at aaa.intern:/bin/bash
> 
> 3.) Login with ssh to client as user1. It will be denied upon correct
> password input and ssh sessions closes. Up until now everything as
> expected. But now:
> 
> 4.) check for the uid/gid on the client - something totally different.
> It now also receives the Firstname and Lastname from AD, latter is
> empty:
> 
> [root at linux1 sssd]# getent passwd user1 at aaa
> user1 at aaa.intern:*:11601:11601:user1:/home/user1 at aaa.intern:/bin/bash
> 
> 5.) Enable the hbac rule and login works, but the unexpected uid/gid
> stays the same:
> 
> login as: user1 at aaa
> user1 at aaa@192.168.0.100's password:
> login as: user1 at aaa
> user1 at aaa@192.168.0.100's password:
> Last failed login: Sun Sep  7 23:19:49 CEST 2014 from 192.168.0.26 on ssh:notty
> There were 2 failed login attempts since the last successful login.
> Creating home directory for user1 at aaa.
> Last login: Sun Sep  7 23:21:02 2014 from 192.168.0.26
> [user1 at aaa.intern@linux1 ~]$ id
> uid=11601(user1 at aaa.intern) gid=11601(user1 at aaa.intern)
> Gruppen=11601(user1 at aaa.intern),1933000004(ad_users)
> [user1 at aaa.intern@linux1 ~]$
> ---------------------------------
> 
> Anyone have a clue what might be the problem?

I would expect some kind of collision, but to be sure I need the SSSD
log files. Please try to reproduce the switch and send me the log file,
if possilbe with debug_level=9.

bye,
Sumit

> 
> Here's the sssd.conf:
> [root at linux1 sssd]# cat /etc/sssd/sssd.conf
> [domain/linux.intern]
> debug_level=6
> cache_credentials = False
> krb5_store_password_if_offline = False
> ipa_domain = linux.intern
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = linux1.linux.intern
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa1.linux.intern
> ldap_tls_cacert = /etc/ipa/ca.crt
> use_fully_qualified_domains = True
> # For the SUDO integration
> sudo_provider = ldap
> ldap_uri = ldap://ipa1.linux.intern
> ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/linux1.linux.intern
> ldap_sasl_realm = LINUX.INTERN
> krb5_server = ipa1.linux.intern
> entry_cache_sudo_timeout = 30
> [sssd]
> debug_level=6
> services = nss, pam, ssh, sudo
> config_file_version = 2
> default_domain_suffix=aaa.intern
> domains = linux.intern
> [nss]
> debug_level=9
> override_homedir = /home/%u
> override_shell = /bin/bash
> [pam]
> debug_level=6
> [sudo]
> debug_level=6
> [autofs]
> 
> [ssh]
> debug_level=6
> [pac]
> 
> 
> 
> Thanks!
> Gregor
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list