[Freeipa-users] Error message when denied by HBAC

Sigbjorn Lie sigbjorn at nixtra.com
Tue Sep 6 18:58:49 UTC 2011


On 09/06/2011 08:37 PM, Stephen Gallagher wrote:
> On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote:
>> Hi,
>>
>> When I attempt a login with a user account that's being denied access to the
>> host via HBAC, I receive the following generic error message.
>>
>> Sep  6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied
>> for user username: 4 (System error)
>>
>>
>> Would it be an idea to change this to advise that the user login was
>> denied due to HBAC rules? I see this is a bit confusing.
>
> "System error" means that something went wrong with processing. It
> defaults to DENY (to be safe), but it's actually an error.
>
> What version of SSSD are you running on the client? We fixed a fair
> number of HBAC bugs in the 1.5.13 release (which is currently in the
> updates-testing repos for F14, F15 and F16).

sssd-1.5.12-1.fc15.x86_64
sssd-client-1.5.12-1.fc15.x86_64

I see there are some problems. :)

I cannot log in unless exactly the user and exactly the host are 
mentioned in the rule. If I attempt to use user groups and host groups 
in an HBAC rule, I receive the error above. Was there a related bug fixed 
in 1.5.13?



Rgds,
Siggi




