[Freeipa-users] Host based access control and IPA
David Miller
millerdc at fusion.gat.com
Thu Jan 8 18:08:10 UTC 2009
Rob,
Thanks, disabling the cache for group in the nscd.conf did the trick.
David.
On Jan 7, 2009, at 6:49 PM, Rob Crittenden wrote:
> David Miller wrote:
>> I'm trying to get host based access working. I followed the
>> instructions on doing host based access control. Here is the URL to
>> the section to see what I'm referring to.
>> http://freeipa.org/page/AdministratorsGuide#Configuring_Host-Based_Access_Control
>> I'm trying to limit which machines users can SSH into. I have a
>> host set up to only allow root, a group called managers, a group
>> called theory, and deny all at the end. What I'm finding is that if
>> I create a user account that is not a part of either of those groups
>> it denies access like it should. However, if I add the user to
>> either of those groups after the user has attempted to login, it
>> still won't let them in if they try after I add them to the group.
>> If I create a new user and add said user to one of those groups at
>> creation time it will allow them in like it should. After logging
>> in once and removing the user from those groups it still allows the
>> user to log in later. The machine using host based access control
>> seems to be caching whether the user belongs to a group or not the
>> first time they attempt a login. How do you force the machine to
>> check the IPA server to see what groups the user belongs to each
>> time they attempt to SSH in?
>>
>
> I would guess that nscd is the culprit here. It does both positive
> and negative caching. Try restarting nscd on the client between
> changes and it should do what you expect.
>
> nscd can be annoying like this but it does help keep the LDAP load
> down. If this really annoys you, you can:
>
> - disable nscd on clients
> - tune the positive and negative caches in /etc/nscd.conf on each
> client
>
> nscd provides a lot of knobs to turn which is nice.
>
> rob
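The two knobs Rob describes (switching off the group cache, which is what David did, or shortening its positive and negative TTLs), plus an on-demand invalidation, as an added shell example that is not part of the original thread. The sample nscd.conf is constructed for illustration; on a real client the file is /etc/nscd.conf, nscd only re-reads it when restarted, and `nscd -i group` needs root. The TTL values chosen are illustrative, not a recommendation.

```shell
#!/bin/sh
# Added example (not from the thread): inspect and adjust nscd's group-database
# cache, then invalidate it at runtime. The config below is constructed; on a
# real client the file is /etc/nscd.conf and nscd re-reads it only on restart.

# Constructed nscd.conf with caching enabled for group, as on a stock client.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real client's file
    enable-cache            passwd      yes
    positive-time-to-live   passwd      600
    negative-time-to-live   passwd      20

    enable-cache            group       yes
    positive-time-to-live   group       3600
    negative-time-to-live   group       60
EOF

# nscd_setting FILE ATTRIBUTE DATABASE
# Print the effective value (last non-comment match wins; empty if unset).
nscd_setting() {
    awk -v attr="$2" -v db="$3" '
        /^[ \t]*#/ { next }
        $1 == attr && $2 == db { val = $3 }
        END { print val }' "$1"
}

# nscd_set FILE ATTRIBUTE DATABASE VALUE
# Rewrite every existing line for that attribute/database pair, or append one.
nscd_set() {
    tmp=$(mktemp)
    awk -v attr="$2" -v db="$3" -v val="$4" '
        /^[ \t]*#/ { print; next }
        $1 == attr && $2 == db { printf "\t%s\t%s\t%s\n", attr, db, val; seen = 1; next }
        { print }
        END { if (!seen) printf "\t%s\t%s\t%s\n", attr, db, val }' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Option 1 (what David did): stop caching group lookups entirely, so every
# membership check goes back to the IPA server.
disable_group_cache() {
    nscd_set "$1" enable-cache group no
}

# Option 2: keep the cache but shorten both TTLs so a membership change
# (or a cached "not a member" answer) expires within seconds. Illustrative values.
tune_group_cache() {
    nscd_set "$1" enable-cache group yes
    nscd_set "$1" positive-time-to-live group 60
    nscd_set "$1" negative-time-to-live group 5
}

# Drop cached group entries (positive and negative) right now, without waiting
# for a TTL to expire. Needs root and a running nscd; reported and skipped otherwise.
flush_group_cache() {
    if command -v nscd >/dev/null 2>&1; then
        nscd -i group || echo "nscd -i group failed (not root, or nscd not running)" >&2
    else
        echo "nscd not installed; nothing to invalidate" >&2
    fi
}

# Demonstration on the constructed file.
echo "before: enable-cache group = $(nscd_setting "$SAMPLE_CONF" enable-cache group)"
disable_group_cache "$SAMPLE_CONF"
echo "after:  enable-cache group = $(nscd_setting "$SAMPLE_CONF" enable-cache group)"
flush_group_cache
```

After editing the real /etc/nscd.conf, restart nscd so the new settings are read; `nscd -g` then prints per-database statistics, which show whether the group cache is still enabled. Disabling the group cache removes the stale-membership problem in the thread at the cost of one LDAP round trip per group lookup; the TTL variant keeps the cache and bounds how long a stale positive or negative answer can survive.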