<div dir="ltr">OK. But the answer granted/declined comes from IPA. So why IPA doesn't check its own HBAC rules at all?<div>Maybe the line 'account required pam_sss.so' isn't necessary/required. I just want to do authentication by IPA HBAC rules.</div><div> </div><div>Thanks,</div><div>Bartek.</div></div><div class="gmail_extra"> <div class="gmail_quote">2015-05-11 17:22 GMT+02:00 Sumit Bose <<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Mon, May 11, 2015 at 05:15:31PM +0200, Sumit Bose wrote: > On Mon, May 11, 2015 at 04:47:01PM +0200, Lukas Slebodnik wrote: > > On (11/05/15 14:57), Vangass wrote: > > >Hi, > > > > > >I try to access Cisco switch via ssh. Cisco has tacacs login configured. > > > > > ># tail /var/log/secure > > >May 11 14:18:46 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): > > >authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= > > >user=bartosz > > >May 11 14:18:53 freeipa tac_plus[29096]: pam_sss(tac_plus:auth): > > >authentication success; logname=bartosz uid=0 euid=0 tty= ruser= rhost= > > >user=test > > > > > >User bartosz is added in HBAC rule as Specified Users and Groups. > > >User test exist in FreeIPA but isn't in HBAC rule and shouldn't be > > >autheniticated. > > > > > ># cat /etc/sssd/sssd.conf > > >[domain/<a href="http://test.example.com" target="_blank">test.example.com</a>] > > >debug_level = 6 > > >cache_credentials = True > > >krb5_store_password_if_offline = True > > >ipa_domain = <a href="http://test.example.com" target="_blank">test.example.com</a> > > >id_provider = ipa > > >auth_provider = ipa > > >access_provider = ipa > > >ipa_hostname = <a href="http://freeipa.test.example.com" target="_blank">freeipa.test.example.com</a> > > >chpass_provider = ipa > > >ipa_server = <a href="http://freeipa.test.example.com" target="_blank">freeipa.test.example.com</a> > > >ipa_server_mode = True > > >ldap_tls_cacert = /etc/ipa/ca.crt > > > > > >[sssd] > > >services = nss, sudo, pam, ssh > > >config_file_version = 2 > > >domains = <a href="http://test.example.com" target="_blank">test.example.com</a> > > > > > >[nss] > > >homedir_substring = /home > > > > > >[pam] > > >debug_level = 6 > > >domains = <a href="http://test.example.com" target="_blank">test.example.com</a> > > > > > >[sudo] > > > > > >[autofs] > > > > > >[ssh] > > > > > >[pac] > > > > > >[ifp] > > > > > > > > >#cat /var/log/sssd/sssd_pam.log > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [accept_fd_handler] (0x0400): Client > > >connected to privileged pipe! > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): > > >Received client version [3]. > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): > > >Offered version [3]. > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): > > >entering pam_cmd_authenticate > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_parse_name_for_domains] > > >(0x0200): name 'test' matched without domain, user is test > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: > > >PAM_AUTHENTICATE > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: > > >not set > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: > > >tac_plus > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not > > >set > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: > > >not set > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: > > >not set > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok > > >type: 1 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): > > >newauthtok type: 0 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > > >29218 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon > > >name: test > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): > > >Issuing request for [<a href="mailto:0x7f4f20215ed0%3A3%3Atest@test.example.com">0x7f4f20215ed0:3:test@test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): > > >Creating request for [<a href="http://test.example.com" target="_blank">test.example.com</a>][3][1][name=test] > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): > > >Entering request [<a href="mailto:0x7f4f20215ed0%3A3%3Atest@test.example.com">0x7f4f20215ed0:3:test@test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0100): > > >Requesting info for [<a href="mailto:test@test.example.com">test@test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_check_user_search] (0x0400): > > >Returning info for user [<a href="mailto:test@test.example.com">test@test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending > > >request with the following data: > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): command: > > >PAM_AUTHENTICATE > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: > > ><a href="http://test.example.com" target="_blank">test.example.com</a> > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): service: > > >tac_plus > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: not > > >set > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: > > >not set > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: > > >not set > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok > > >type: 1 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): > > >newauthtok type: 0 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > > >29218 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_print_data] (0x0100): logon > > >name: test > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): > > >pam_dp_send_req returned 0 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): > > >Deleting request: [<a href="mailto:0x7f4f20215ed0%3A3%3Atest@test.example.com">0x7f4f20215ed0:3:test@test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): > > >received: [0][<a href="http://test.example.com" target="_blank">test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply > > >called with result [0]. > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply > > >called with result [0]. > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 81 > > >(Mon May 11 14:40:28 2015) [sssd[pam]] [client_recv] (0x0200): Client > > >disconnected! > > > > > ># cat /var/log/sssd/sssd_test.example.com.log > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[be_get_account_info] (0x0200): Got request for [0x3][1][name=test] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [be_req_set_domain] > > >(0x0400): Changing request domain from [<a href="http://test.example.com" target="_blank">test.example.com</a>] to [ > > ><a href="http://test.example.com" target="_blank">test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > >domain SID from [(null)] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > >domain SID from [(null)] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_initgr_next_base] (0x0400): Searching for users with base > > >[cn=accounts,dc=test,dc=example,dc=com] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > >[(&(uid=test)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=test,dc=example,dc=com]. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > >errmsg set > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_user] > > >(0x0400): Save user > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_primary_name] (0x0400): Processing object test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_user] > > >(0x0400): Processing user test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > >domain SID from [(null)] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_user] > > >(0x0400): Adding original memberOf attributes to [test]. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_user] > > >(0x0400): Adding user principal [<a href="mailto:test@TEST.EXAMPLE.COM">test@TEST.EXAMPLE.COM</a>] to attributes of > > >[test]. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_user] > > >(0x0400): Storing info for user test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_primary_name] (0x0400): Processing object test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > >[(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=test,dc=example,dc=com]. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > >errmsg set > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_primary_name] (0x0400): Processing object ipausers > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > >domain SID from [(null)] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_groups_next_base] (0x0400): Searching for groups with base > > >[cn=accounts,dc=test,dc=example,dc=com] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > >[(&(gidNumber=<a href="tel:732000003" value="+48732000003">732000003</a>)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=test,dc=example,dc=com]. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no > > >errmsg set > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > >domain SID from [(null)] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_nested_group_recv] (0x0400): 0 users found in the hash table > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_nested_group_recv] (0x0400): 1 groups found in the hash table > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_primary_name] (0x0400): Processing object test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_group] > > >(0x0400): Processing group test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse > > >domain SID from [(null)] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_process_ghost_members] (0x0400): The group has 0 members > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_process_ghost_members] (0x0400): Group has 0 members > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_group] > > >(0x0400): Storing info for group test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_primary_name] (0x0400): Processing object test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_grpmem] > > >(0x0400): Processing group test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_grpmem] > > >(0x0400): Failed to get group sid > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [sdap_save_grpmem] > > >(0x0400): No members for group [test] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with > > >[(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:test.example.com:b8e22526-f4c0-11e4-8865-005056a8f368))][cn=Default > > >Trust View,cn=views,cn=accounts,dc=test,dc=example,dc=com]. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), > > >no errmsg set > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [acctinfo_callback] > > >(0x0100): Request processed. Returned 0,0,Success > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [be_req_set_domain] > > >(0x0400): Changing request domain from [<a href="http://test.example.com" target="_blank">test.example.com</a>] to [ > > ><a href="http://test.example.com" target="_blank">test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [be_pam_handler] > > >(0x0100): Got request with the following data > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): command: PAM_AUTHENTICATE > > Here just authentication was performed. > > It coresponds to the line "auth required pam_sss.so" in your pam stack. > > > > > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): domain: <a href="http://test.example.com" target="_blank">test.example.com</a> > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): user: test > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): service: tac_plus > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): tty: > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): ruser: > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): rhost: > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): authtok type: 1 > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): newauthtok type: 0 > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): priv: 1 > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): cli_pid: 29218 > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [pam_print_data] > > >(0x0100): logon name: not set > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[be_resolve_server_process] (0x0200): Found address for server > > ><a href="http://freeipa.test.example.com" target="_blank">freeipa.test.example.com</a>: [172.21.0.20] TTL 7200 > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[write_pipe_handler] (0x0400): All data has been sent! > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [child_sig_handler] > > >(0x0100): child [29226] finished successfully. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] [read_pipe_handler] > > >(0x0400): EOF received, client finished > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[fo_set_port_status] (0x0100): Marking port 0 of server ' > > ><a href="http://freeipa.test.example.com" target="_blank">freeipa.test.example.com</a>' as 'working' > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[set_server_common_status] (0x0100): Marking server ' > > ><a href="http://freeipa.test.example.com" target="_blank">freeipa.test.example.com</a>' as 'working' > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[fo_set_port_status] (0x0400): Marking port 0 of duplicate server ' > > ><a href="http://freeipa.test.example.com" target="_blank">freeipa.test.example.com</a>' as 'working' > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) > > >[Success] > > ^^^^^^^^ > > Result of authentication is "Success" which means that password is correct. > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[be_pam_handler_callback] (0x0100): Sending result [0][<a href="http://test.example.com" target="_blank">test.example.com</a>] > > >(Mon May 11 14:40:28 2015) [sssd[be[<a href="http://test.example.com" target="_blank">test.example.com</a>]]] > > >[be_pam_handler_callback] (0x0100): Sent result [0][<a href="http://test.example.com" target="_blank">test.example.com</a>] > > > > > > > I could not see authorisation phase; neither in sssd_pam log nor in > > sssd_$domain.log. > > > > It means that you either shared just part of log file or that > > your application did not reach/try line "account" in pam stack > > "account required pam_sss.so" > > In this case you would able to see PAM_ACCT_MGMT in log files. > > > > sssd seems to work as expected. > > I found the following on > <a href="http://www.shrubbery.net/tac_plus/PAM_guide.txt" target="_blank">http://www.shrubbery.net/tac_plus/PAM_guide.txt</a>: > > "Currently, tac_plus only allows authentication using pam (since pam is > only used for authentication anyway). Authorizations are still > configured within the conf file, no ldap groups allowed :(" > > So it is not expected that tac_plus does only authentication and not > access control via PAM. </div></div>I just checked the sources in tacacs-F4.0.4.28.tar.gz, only pam_authenticate is called and not pam_acct_mgmt. bye, Sumit <div class="HOEnZb"><div class="h5">> > HTH > > bye, > Sumit > > > > > LS > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project -- Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project </div></div></blockquote></div> </div>