[Freeipa-users] Host based access control and IPA

David Miller millerdc at fusion.gat.com
Thu Jan 8 18:08:10 UTC 2009


Rob,

Thanks, disabling the cache for group in the nscd.conf did the trick.

David.

On Jan 7, 2009, at 6:49 PM, Rob Crittenden wrote:

> David Miller wrote:
>> I'm trying to get host based access working. I followed the  
>> instructions on doing host based access control. Here is the URL to  
>> the section to see what I'm referring to.
>> http://freeipa.org/page/AdministratorsGuide#Configuring_Host-Based_Access_Control 
>> I'm trying to limit which machines users can SSH into. I have a  
>> host setup to only allow root, a group called managers, a group  
>> called theory, and deny all at the end. What I'm finding is that if  
>> I create a user account that is not a part of either of those groups  
>> it denies access like it should. However, if I add the user to  
>> either of those groups after the user has attempted to login, it  
>> still won't let them in if they try after I add them to the group.  
>> If I create a new user and add said user to one of those groups at  
>> creation time it will allow them in like it should. After logging  
>> in once and removing the user from those groups it still allows the  
>> user to log in later. The machine using host based access control  
>> seems to be caching whether the user belongs to a group or not the  
>> first time they attempt a login. How do you force the machine to  
>> check the IPA server to see what groups the user belongs to each  
>> time they attempt to SSH in?
>>
>
> I would guess that nscd is the culprit here. It does both positive  
> and negative caching. Try restarting nscd on the client between  
> changes and it should do what you expect.
>
> nscd can be annoying like this but it does help keep the LDAP load  
> down. If this really annoys you, you can:
>
> - disable nscd on clients
> - tune the positive and negative caches in /etc/nscd.conf on each  
> client
>
> nscd provides a lot of knobs to turn which is nice.
>
> rob
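The two options Rob lists both come down to what nscd.conf says about the group database, and David's fix was the second one. The script below is an added example, not code from the thread or from the FreeIPA project: it reads the `enable-cache` setting for a database out of an nscd.conf file and rewrites it to `no`, so the change can be checked and applied the same way on every client. The sample configuration it generates is constructed for illustration; on a real client the file is /etc/nscd.conf.

```shell
#!/bin/sh
# Added example (not part of the original thread): inspect and disable the
# per-database cache in an nscd.conf file. The sample config written by
# make_sample_nscd_conf is constructed for illustration only.

# Print the value of "enable-cache <db>" from the given nscd.conf, or "unset"
# when the file has no such line. $1 = path to nscd.conf, $2 = database name
# (passwd, group, hosts, ...).
nscd_cache_setting() {
    awk -v db="$2" '
        $1 == "enable-cache" && $2 == db { val = $3 }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Rewrite the file in place so that "enable-cache <db>" reads "no"; a backup
# is kept as <file>.bak. If the database has no enable-cache line yet, one is
# appended. $1 = path to nscd.conf, $2 = database name.
nscd_disable_cache() {
    if grep -Eq "^[[:space:]]*enable-cache[[:space:]]+$2[[:space:]]" "$1"; then
        sed -i.bak -E "s/^([[:space:]]*enable-cache[[:space:]]+$2[[:space:]]+)[a-z]+/\1no/" "$1"
    else
        printf 'enable-cache\t%s\tno\n' "$2" >> "$1"
    fi
}

# Write a constructed sample nscd.conf that caches passwd, group and hosts,
# with the positive/negative TTLs that make stale group membership persist.
# $1 = output path.
make_sample_nscd_conf() {
    cat > "$1" <<'EOF'
# constructed sample nscd.conf (not a real system file)
	enable-cache		passwd		yes
	positive-time-to-live	passwd		600
	negative-time-to-live	passwd		20
	enable-cache		group		yes
	positive-time-to-live	group		3600
	negative-time-to-live	group		60
	enable-cache		hosts		yes
EOF
}
```

Run `nscd_cache_setting /etc/nscd.conf group` to see whether a client still caches group lookups, and `nscd_disable_cache /etc/nscd.conf group` to turn it off; nscd has to be restarted afterwards to pick up the new file. Lowering `positive-time-to-live` and `negative-time-to-live` for `group` is the middle ground Rob mentions if the LDAP load matters more than instant group changes; for a one-off refresh without editing anything, `nscd -i group` invalidates just the group table.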
