<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Carlito">Hi all,<br>
<br>
sss_debuglevel 6; in /var/log/sss/sssd_pam.log<br>
<br>
<br>
Running as "testuser" crond is denied; perfect since it is not
listed in the HBAC services.<br>
<br>
[testuser@fedora23-server ~]$ crontab -l<br>
You (testuser) are not allowed to access to (crontab) because of
pam configuration.<br>
<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [accept_fd_handler]
(0x0400): Client connected!<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_cmd_get_version]
(0x0200): Received client version [3].<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_cmd_get_version]
(0x0200): Offered version [3].<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_cmd_acct_mgmt]
(0x0100): entering pam_cmd_acct_mgmt<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]]
[sss_parse_name_for_domains] (0x0200): name 'testuser' matched
without domain, user is testuser<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_ACCT_MGMT<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
domain: not set<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
user: testuser<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
service: crond<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
tty: cron<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
ruser: not set<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
rhost: not set<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 0<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
priv: 0<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 1910<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
logon name: testuser<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_dp_issue_request]
(0x0400): Issuing request for
[0x561eb0a4b2e0:3:testuser@blabla.bla]<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_dp_get_account_msg]
(0x0400): Creating request for
[blabla.bla][0x3][BE_REQ_INITGROUPS][1][name=testuser]<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x561eb0a4b2e0:3:testuser@blabla.bla]<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_check_user_search]
(0x0100): Requesting info for [testuser@blabla.bla]<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_check_user_search]
(0x0400): Returning info for user [testuser@blabla.bla]<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_dp_send_req] (0x0100):
Sending request with the following data:<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
command: SSS_PAM_ACCT_MGMT<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
domain: blabla.bla<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
user: testuser<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
service: crond<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
tty: cron<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
ruser: not set<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
rhost: not set<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 0<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
priv: 0<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 1910<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100):
logon name: testuser<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_dom_forwarder]
(0x0100): pam_dp_send_req returned 0<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x561eb0a4b2e0:3:testuser@blabla.bla]<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_dp_process_reply]
(0x0200): received: [6 (Permission denied)][blabla.bla]<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_reply] (0x0200):
pam_reply called with result [6]: Permission denied.<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_reply] (0x0200): blen:
27<br>
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [client_recv] (0x0200):
Client disconnected!<br>
<br>
Now, using su or su - does not show anything in the sssd logs; it
looks like the su service is not using sssd. What could be wrong?<br>
<br>
Forgot to mention: allow_all is disabled, checked that 100
times...<br>
<br>
Kind regards,<br>
<br>
Winny<br>
<br>
<br>
</font><br>
<div class="moz-cite-prefix">On 23-11-15 at 17:16, Jakub
Hrozek wrote:<br>
</div>
<blockquote cite="mid:20151123161626.GR12432@hendrix" type="cite">
<pre wrap="">On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote:
</pre>
<blockquote type="cite">
<pre wrap=""> Hi all,
I created some hbac rule on freeipa-server 4.1.4 on Fedora 22
# ipa hbacrule-show testuser
Rule name: testuser
Enabled: TRUE
Users: testuser
Hosts: fedora23-server.blabla.bla
Services: sshd
Hence, "testuser" is only allowed using sshd on "fedora23-server". No
surprise, this user is not allowed to use "su":
# ipa hbactest --user testuser --host fedora23-server.blabla.bla --service
su
---------------------
Access granted: False
(and yeah sshd is allowed)
However, doing a "su" on the fedora23-server.blabla.bla, and giving the
correct password, access is granted. This user is not a member of any
other groups.
HBAC Services like cron or console access are denied correctly since they
are not in the HBAC service list.
I noticed this behaviour also on IPA 4.1 (The Red Hat one) and several
other ipa-clients (RHEL/CentOS 6.x, 7.x)
Shouldn't su or su -l be denied when not listed?
</pre>
</blockquote>
<pre wrap="">
Yes, and in my testing with a similar rule:
$ ipa hbacrule-show allow_sshd
Rule name: allow_sshd
Enabled: TRUE
Users: admin
Hosts: client.ipa.test
Services: sshd
admin can ssh to client.ipa.test but it's not possible to su to admin.
Please follow <a class="moz-txt-link-freetext" href="https://fedorahosted.org/sssd/wiki/Troubleshooting">https://fedorahosted.org/sssd/wiki/Troubleshooting</a> and check
/var/log/secure and the sssd logs.
Also, you're not calling su as root, are you?
</pre>
</blockquote>
<br>
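<p>Added example (not part of the thread and not sssd's own code): a small parser for the sssd_pam.log format shown above, which groups the pam_print_data lines into one record per PAM request and then reports which of the PAM services you exercised never produced a request at all. That is exactly the check the thread turns on: if su never appears in sssd_pam.log, the su stack is not calling pam_sss, so HBAC is never consulted for it. The sample log is constructed from an abridged copy of the crond request plus a hypothetical sshd request; it assumes requests are logged one after another, as in a single-client capture.</p>

```python
import re

# Added example, not from the thread: parse sssd_pam.log (sss_debuglevel 6) into one
# record per PAM request. Assumes requests are logged one after another, as in the
# single-client capture above; interleaved clients would need grouping by cli_pid.
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[(?P<func>[^\]]+)\] "
                     r"\((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
REPLY_RE = re.compile(r"pam_reply called with result \[(?P<code>\d+)\]: (?P<text>.*?)\.?$")
# Constructed sample: abridged crond request from the thread, then a hypothetical
# sshd request that was allowed (result 0).
SAMPLE_LOG = """\
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): user: testuser
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): service: crond
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: blabla.bla
(Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
(Tue Nov 24 09:55:10 2015) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Tue Nov 24 09:55:10 2015) [sssd[pam]] [pam_print_data] (0x0100): user: testuser
(Tue Nov 24 09:55:10 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue Nov 24 09:55:10 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
"""

def parse_pam_log(text):
    """One dict per request: pam_print_data fields plus result (int) and result_text."""
    requests, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "pam_cmd_acct_mgmt" and msg.startswith("entering"):
            current = {"ts": m.group("ts")}
            requests.append(current)
        elif func == "pam_print_data" and current is not None and ": " in msg:
            key, value = msg.split(": ", 1)  # second print overrides, so domain gets filled in
            current[key] = value
        elif func == "pam_reply" and current is not None:
            r = REPLY_RE.search(msg)
            if r:
                current["result"] = int(r.group("code"))
                current["result_text"] = r.group("text")
                current = None  # request complete
    return requests

def services_missing(requests, tested):
    """PAM services exercised but never seen by sssd: another PAM module decided them, not HBAC."""
    return sorted(set(tested) - {r.get("service") for r in requests})
```

Run it over a real /var/log/sss/sssd_pam.log captured while trying sshd, crond and su; any service returned by services_missing is one whose /etc/pam.d stack never reached pam_sss.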
</body>
</html>