<div dir="ltr"><div><div>Ok, I have some logs of sssd 1.13.0 not working. Same values as before:<br><br>FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156<br><br>Installed Packages<br>Name : ipa-server<br>Arch : x86_64<br>Version : 4.2.0<br>Release : 15.0.1.el7.centos.17<br>Size : 5.0 M<br>Repo : installed<br>From repo : updates<br>Summary : The IPA authentication server<br><br><br>Successfully joined in one way trust to AD. <br><br>Successfully have added hosts (Centos 7, sssd 1.13.0).<br><br><br>[root@vmpr-linuxidm ~]# ipa hbacrule-find<br>--------------------<br>5 HBAC rules matched<br>--------------------<br> <br> Rule name: allow_all<br> User category: all<br> Host category: all<br> Service category: all<br> Description: Allow all users to access any host from any host<br> Enabled: FALSE<br><br>... <br><br> Rule name: ssh to galaxy<br> Service category: all<br> Description: Allows ssh to galaxy server<br> Enabled: TRUE<br> User Groups: ad_users<br> Hosts: <a href="http://papr-res-galaxy.unix.petermac.org.au">papr-res-galaxy.unix.petermac.org.au</a><br><br><br><br><br>With allow_all HBAC rule enabled, can login every time with <br><br>ssh user@ad_domain@unix_host<br><br>If I implement a HBAC rule "ssh to galaxy" as per above, with:<br><br>ad_users is a POSIX group with a GID. It has one member, the group<br><br>ad_external an external group with a single, external, member<br><br><a href="mailto:pmc-res-ipausers@petermac.org.au">pmc-res-ipausers@petermac.org.au</a><br><br>which is an AD group containing all the users that should have access to the host.<br><br><br>With allow_all disabled and "ssh to galaxy" enabled, some users can login and some can't. There is no discernable pattern that might explain why some are discriminated against. <br><br>Here is the test from the server:<br><br>[root@vmpr-linuxidm ~]# ipa hbactest --user=<a href="mailto:sandsjordan@petermac.org.au">sandsjordan@petermac.org.au</a> --host=<a href="http://papr-res-galaxy.unix.petermac.org.au">papr-res-galaxy.unix.petermac.org.au</a> --service=sshd<br>--------------------<br>Access granted: True<br>--------------------<br> Matched rules: ssh to galaxy<br> Not matched rules: Computing Cluster<br> Not matched rules: FACS Computing<br><br>I've installed ipa-admintools on the host in question and got the same result.<br><br>To be on the safe side/tick all boxes, I have cleared the cache on the host in question:<br><br>systemctl stop sssd<br>sss_cache -E<br>systemctl start sssd<br><br>and confirmed success with a status check.<br><br>When the user tries to login, it fails. <br><br>Log is here:<br><br><a href="http://dpaste.com/0VAFNPH">http://dpaste.com/0VAFNPH</a><br><br><br>The top is where the negotiating starts to the best of my knowledge.<br><br>The attempts fails, with no information that is useful to me:<br><br>230 (Thu Jul 14 10:40:59 2016) [sssd[be[<a href="http://unix.petermac.org.au">unix.petermac.org.au</a>]]] [hbac_get_category] (0x0200): Category is set to 'all'.<br>231 (Thu Jul 14 10:40:59 2016) [sssd[be[<a href="http://unix.petermac.org.au">unix.petermac.org.au</a>]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ssh to galaxy]<br>232 (Thu Jul 14 10:40:59 2016) [sssd[be[<a href="http://unix.petermac.org.au">unix.petermac.org.au</a>]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [ssh to galaxy]<br>233 (Thu Jul 14 10:40:59 2016) [sssd[be[<a href="http://unix.petermac.org.au">unix.petermac.org.au</a>]]] [hbac_eval_user_element] (0x1000): [3] groups for [<a href="mailto:SandsJordan@petermac.org.au">SandsJordan@petermac.org.au</a>]<br>234 (Thu Jul 14 10:40:59 2016) [sssd[be[<a href="http://unix.petermac.org.au">unix.petermac.org.au</a>]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules<br>235 (Thu Jul 14 10:40:59 2016) [sssd[be[<a href="http://unix.petermac.org.au">unix.petermac.org.au</a>]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success (Permission denied)]<br>236 (Thu Jul 14 10:40:59 2016) [sssd[be[<a href="http://unix.petermac.org.au">unix.petermac.org.au</a>]]] [be_pam_handler_callback] (0x0100): Sending result [6][<a href="http://petermac.org.au">petermac.org.au</a>]<br>237 (Thu Jul 14 10:40:59 2016) [sssd[be[<a href="http://unix.petermac.org.au">unix.petermac.org.au</a>]]] [be_pam_handler_callback] (0x0100): Sent result [6][<a href="http://petermac.org.au">petermac.org.au</a>]<br><br><br></div>Cheers<br></div>L.<br><div><div><div><div><br></div></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>------<br>The most dangerous phrase in the language is, "We've always done it this way."<br><br>- Grace Hopper<br></div></div></div></div> <br><div class="gmail_quote">On 12 July 2016 at 09:08, Lachlan Musicman <span dir="ltr"><<a href="mailto:datakid@gmail.com" target="_blank">datakid@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Alex, Sumit,<br><br></div>Which log levels would you recommend for sssd to help debug this issue?<br><br></div>We've been using 7, but I just realised that it's not an increasing scale but bitmasked...<br><br></div>cheers<span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888">L.<br></font></span></div><div class="gmail_extra"><span class=""><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr"><div>------<br>The most dangerous phrase in the language is, "We've always done it this way."<br><br>- Grace Hopper<br></div></div></div></div> <br></span><div><div class="h5"><div class="gmail_quote">On 11 July 2016 at 17:15, Sumit Bose <span dir="ltr"><<a href="mailto:sbose@redhat.com" target="_blank">sbose@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote:<br> > On 11 July 2016 at 16:44, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote:<br> ><br> > > On Mon, 11 Jul 2016, Lachlan Musicman wrote:<br> > ><br> > >> Hola,<br> > >><br> > >> Centos 7, up to date.<br> > >><br> > >> [root@linuxidm ~]# ipa --version<br> > >> VERSION: 4.2.0, API_VERSION: 2.156<br> > >><br> > >> One way trust is successfully established, can login with<br> > >><br> > >> ssh username@domain1.com@<a href="http://server1.domain2.com" rel="noreferrer" target="_blank">server1.domain2.com</a><br> > >><br> > >> Am testing to get HBAC to work.<br> > >><br> > >> I've noticed that with the Allow All rule in effect, the following set up<br> > >> is sufficient:<br> > >><br> > >> add external group "ad_external"<br> > >> add internal group, "ad_internal", add ad_external as a group member of<br> > >> ad_internal<br> > >><br> > >> AD users can now successfully login to any server.<br> > >><br> > >> When I tried to set up an HBAC, I couldn't get that set up to work, I<br> > >> needed to complete the extra step of adding AD users explicitly to the<br> > >> "external member" group of the external group.<br> <br> </span>yes, this is expected you either have to add AD users or groups to the<br> external groups.<br> <span><br> > >><br> > >> I also note that this seems to be explicitly user based, not group based?<br> > >> IE, I can add <a href="mailto:lachlan@domain1.com" target="_blank">lachlan@domain1.com</a> to the external members of ad_external<br> > >> and that works, but adding the group <a href="mailto:server_admins@domain1.com" target="_blank">server_admins@domain1.com</a> (as seen<br> > >> in<br> > >> `id <a href="mailto:lachlan@domain1.com" target="_blank">lachlan@domain1.com</a>`) doesn't allow all members access.<br> <br> </span>Since it looks you are using FreeIPA 4.2 you might hit<br> <a href="https://fedorahosted.org/freeipa/ticket/5573" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/5573</a> . But SSSD logs, especially<br> the part where the HBAC rules are evaluated would help to understand the<br> issue better.<br> <span><br> > >><br> > >> Does that sound correct?<br> > >><br> > > No, it does not.<br> > > HBAC evaluation and external group merging/resolution is done by SSSD.<br> > > Use <a href="https://fedorahosted.org/sssd/wiki/Troubleshooting" rel="noreferrer" target="_blank">https://fedorahosted.org/sssd/wiki/Troubleshooting</a> to produce logs<br> > > that can help understanding what happens there.<br> > ><br> > > What SSSD version do you have on both IPA client and IPA server?<br> ><br> ><br> ><br> > 1.13.0 on both client and server.<br> ><br> > To be honest, we have ratcheted up the logs and it doesn't help that much.<br> > We just got lots of "unsupported PAM command [249]"<br> <br> </span>This is unrelated, I assume this happens when trying to store the hashed<br> password to the cache. This message is remove in newer releases.<br> <br> bye,<br> Sumit<br> <br> ><br> > Cheers<br> > L.<br> <span><font color="#888888"><br> > --<br> > Manage your subscription for the Freeipa-users mailing list:<br> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> <br> </font></span></blockquote></div><br></div></div></div> </blockquote></div><br></div>