[Freeipa-users] Unable to access systems

Terry Soucy tsoucy at salesforce.com
Tue Feb 11 18:00:56 UTC 2014


We are transitioning from one IPA instance to a new IPA instance. The
version of IPA instances is the same, and all is functioning normally on
the existing IPA, but when I attempt to transition a host to the new IPA
instance, I get the following in my logs when I attempt an SSH:

[sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
'all'.
[sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
'all'.
[sssd[be[dev.ca1.sfmc.co]]] [hbac_host_attrs_to_rule] (4): No host
specified, rule will never apply.
[sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
'all'.
[sssd[be[dev.ca1.sfmc.co]]] [hbac_host_attrs_to_rule] (4): No host
specified, rule will never apply.
[sssd[be[dev.ca1.sfmc.co]]] [ipa_hbac_evaluate_rules] (3): Access denied by
HBAC rules
[sssd[be[dev.ca1.sfmc.co]]] [be_pam_handler_callback] (4): Backend
returned: (0, 6, <NULL>) [Success]

The HBAC rule, according to the test, will grant me access since I'm in the
appropriate group:

  Rule name: hbac_techops
  Host category: all
  Service category: all
  Description: TechOps Access
  Enabled: TRUE
  User Groups: ug-techops

I'm not sure what "No host specified, rule will never apply" means. I
attempted to add the host to the rule rather than use a hostgroup, but the
result is the same.

Server - RH 6.4, ipa-server-3.0.0-37.el6.x86_64
Client - Ubuntu 10, sssd 1.5.15-0ubuntu6~lucid2

sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = dev.ca1.sfmc.co

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/dev.ca1.sfmc.co]
debug_level = 5
enumerate = true
cache_credentials = true

id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa

krb5_store_password_if_offline = True
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_realm = SFMC.CO
# option name is krb5_changepw_principal (deprecated in later SSSD releases in favour of krb5_kpasswd)
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15
ipa_hostname = vm3118.dev.ca1.sfmc.co



-- 
Terry Soucy - Systems Engineer
Salesforce MarketingCloud - http://www.salesforce.com
(o) 506.631.7445 (c) 506.609.3247 | (e) tsoucy at salesforce.com
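A small model of how a client evaluates an HBAC rule against a login attempt, added here as an illustration and not SSSD's own code. It shows that a rule whose host side neither carries the "all" category nor lists any host or hostgroup can never match, which is what the log line says; the honor_host_category switch is hypothetical (a client that ignores hostCategory=all), and the example makes no claim about the root cause in the poster's setup.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class HbacRule:
    """One IPA HBAC rule; a category of "all" stands in for the member list."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    user_groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)      # host or hostgroup names
    services: Set[str] = field(default_factory=set)

@dataclass
class Request:
    """What the PAM access check knows about one login attempt."""
    user_groups: Set[str]
    hosts: Set[str]        # the host's FQDN plus the hostgroups it belongs to
    service: str

def _side_matches(category, members, values):
    # Category "all" is a wildcard; otherwise one of the request's values
    # must be listed explicitly.  An empty member list can never match.
    return category == "all" or bool(members & values)

def rule_applies(rule, req, honor_host_category=True):
    """True if the rule grants this request.  honor_host_category=False is a
    hypothetical toggle modelling a client that ignores hostCategory=all."""
    if not rule.enabled:
        return False
    if not _side_matches(rule.user_category, rule.user_groups, req.user_groups):
        return False
    host_cat = rule.host_category if honor_host_category else None
    if not _side_matches(host_cat, rule.hosts, req.hosts):
        return False  # empty host side: "No host specified, rule will never apply"
    return _side_matches(rule.service_category, rule.services, {req.service})

def access_granted(rules, req, honor_host_category=True):
    """Allow-only semantics: any single matching enabled rule grants access."""
    return any(rule_applies(r, req, honor_host_category) for r in rules)

# Constructed from the rule in the post; the service name is a sample value.
RULES = [HbacRule(name="hbac_techops", host_category="all",
                  service_category="all", user_groups={"ug-techops"})]
REQ = Request(user_groups={"ug-techops"}, hosts={"vm3118.dev.ca1.sfmc.co"},
              service="sshd")
```

With the host category honoured the rule grants the login; with it ignored the same rule has an empty host side and is skipped, so access is denied even though the user group matches.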