[Freeipa-users] Host based access control and IPA

Rob Crittenden rcritten at redhat.com
Thu Jan 8 02:49:18 UTC 2009


David Miller wrote:
> I'm trying to get host based access working. I followed the instructions 
> on doing host based access control. Here is the URL to the section to 
> see what I'm referring to.
> 
> http://freeipa.org/page/AdministratorsGuide#Configuring_Host-Based_Access_Control 
> 
> 
> I'm trying to limit which machines users can SSH into. I have a host 
> setup to only allow root, a group called managers, a group called 
> theory, and deny all at the end. What I'm finding is that if I create a 
> user account that is not part of either of those groups it denies 
> access like it should. However, if I add the user to either of those 
> groups after the user has attempted to login, it still won't let them in 
> if they try after I add them to the group. If I create a new user and 
> add said user to one of those groups at creation time it will allow them 
> in like it should. After logging in once and removing the user from 
> those groups it still allows the user to log in later. The machine using 
> host based access control seems to be caching whether the user belongs 
> to a group or not the first time they attempt a login. How do you force 
> the machine to check the IPA server to see what groups the user belongs 
> to each time they attempt to SSH in?
>

I would guess that nscd is the culprit here. It does both positive and 
negative caching. Try restarting nscd on the client between changes and 
it should do what you expect.

nscd can be annoying like this but it does help keep the LDAP load down. 
If this really annoys you, you can:

- disable nscd on clients
- tune the positive and negative caches in /etc/nscd.conf on each client

nscd provides a lot of knobs to turn which is nice.

rob
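As an added example (not from the thread or from the FreeIPA project), a POSIX shell snippet that reads the nscd knobs Rob points at from a constructed sample in the format of /etc/nscd.conf, works out how long a group change can stay invisible to HBAC on a client, and flushes just the passwd and group caches with `nscd -i` instead of restarting the daemon. The function names and the sample values are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. The conf text is a constructed
# sample in /etc/nscd.conf syntax; a real client reads the file at that path.
SAMPLE_NSCD_CONF='
# constructed sample; values mirror commonly shipped defaults
        enable-cache            passwd          yes
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        enable-cache            group           yes
        positive-time-to-live   group           3600
        negative-time-to-live   group           60
        check-files             group           yes
'

# nscd_setting DB KEY [CONF_TEXT]: print the value of KEY for database DB,
# e.g. "nscd_setting group positive-time-to-live" -> 3600. Prints nothing
# when the key is not set for that database. Comment lines are skipped.
nscd_setting() {
    _db=$1; _key=$2; _conf=${3:-"$SAMPLE_NSCD_CONF"}
    _val=$(printf '%s\n' "$_conf" | awk -v k="$_key" -v d="$_db" \
        '$1 !~ /^#/ && $1 == k && $2 == d { print $3 }')
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; fi
    return 0
}

# stale_window DB: worst-case seconds a change stays hidden on this client.
# The positive TTL keeps an old answer in service (a removed user still
# listed as a member, a newly added one still missing from the member
# list, which is the symptom in the thread); the negative TTL keeps a
# "no such entry" answer for a user or group created after the lookup.
stale_window() {
    _db=$1
    if [ "$(nscd_setting "$_db" enable-cache)" != "yes" ]; then
        echo 0; return 0
    fi
    _pos=$(nscd_setting "$_db" positive-time-to-live); _pos=${_pos:-0}
    _neg=$(nscd_setting "$_db" negative-time-to-live); _neg=${_neg:-0}
    if [ "$_pos" -gt "$_neg" ]; then echo "$_pos"; else echo "$_neg"; fi
}

# After changing membership in IPA, invalidate only the caches that matter
# for login decisions. Does nothing on a host where nscd is not installed.
flush_nscd_user_caches() {
    command -v nscd >/dev/null 2>&1 || { echo "nscd not installed"; return 0; }
    for _db in passwd group; do nscd -i "$_db"; done
}
```

Run `stale_window group` on a client to see the window Rob describes; with the sample values it is 3600 seconds, which is why a freshly changed group membership appears to be ignored for up to an hour.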