[Freeipa-users] Error message when denied by HBAC

Stephen Gallagher sgallagh at redhat.com
Tue Sep 6 19:08:13 UTC 2011


On Tue, 2011-09-06 at 20:58 +0200, Sigbjorn Lie wrote:
> On 09/06/2011 08:37 PM, Stephen Gallagher wrote:
> > On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote:
> >> Hi,
> >>
> >> I attempt a login with a user account that's being denied access to the
> >> host via HBAC, I receive the following generic error message.
> >>
> >> Sep  6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied
> >> for user username: 4 (System error)
> >>
> >>
> >> Would it be an idea to change this to advise that the user login was
> >> denied due to HBAC rules? I see this is a bit confusing.
> >
> > "System error" means that something went wrong with processing. It
> > defaults to DENY (to be safe), but it's actually an error.
> >
> > What version of SSSD are you running on the client? We fixed a fair
> > number of HBAC bugs in the 1.5.13 release (which is currently in the
> > updates-testing repos for F14, F15 and F16).
> 
> sssd-1.5.12-1.fc15.x86_64
> sssd-client-1.5.12-1.fc15.x86_64
> 
> I see there's some problems. :)
> 
> I cannot log in if not exactly the user is mentioned and exactly the host
> mentioned in the rule. If I attempt to use user groups and host groups 
> in a hbac rule, I receive the error above. Was there a related bug fixed 
> in 1.5.13?

https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13

Yes, there were three HBAC bugs fixed. User groups and host groups now
work properly. (The other bug was related to groups with no members).

Please try sssd-1.5.13-1.fc15.2 from updates-testing (actually, it looks
like it hasn't hit the mirrors yet, so wait a day or so).