[Freeipa-users] Unable to access systems

Jakub Hrozek jhrozek at redhat.com
Wed Feb 12 09:30:37 UTC 2014


On Tue, Feb 11, 2014 at 02:00:56PM -0400, Terry Soucy wrote:
> We are transitioning from one IPA instance to a new IPA instance. The
> version of IPA instances is the same, and all is functioning normally on
> the existing IPA, but when I attempt to transition a host to the new IPA
> instance, I get the following in my logs when I attempt an SSH ..
> 
> [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
> 'all'.
> [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
> 'all'.
> [sssd[be[dev.ca1.sfmc.co]]] [hbac_host_attrs_to_rule] (4): No host
> specified, rule will never apply.
> [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to
> 'all'.
> [sssd[be[dev.ca1.sfmc.co]]] [hbac_host_attrs_to_rule] (4): No host
> specified, rule will never apply.
> [sssd[be[dev.ca1.sfmc.co]]] [ipa_hbac_evaluate_rules] (3): Access denied by
> HBAC rules
> [sssd[be[dev.ca1.sfmc.co]]] [be_pam_handler_callback] (4): Backend
> returned: (0, 6, <NULL>) [Success]

Is this all SSSD prints when processing the rules?

> 
> The HBAC rule, according to the test,

Does the hbactest utility verify the rule should grant access? If so,
then I would recommend upgrading as both hbactest and sssd share the
same underlying library (hbactest just uses python bindings).

> will grant me access since I'm in the
> appropriate group
> 
>   Rule name: hbac_techops
>   Host category: all
>   Service category: all
>   Description: TechOps Access
>   Enabled: TRUE
>   User Groups: ug-techops
> 
> I'm not sure what "No host specified, rule will never apply" means.

Normally this debug message means that the rule being processed
contains neither the 'all' category nor a direct host that matches.

> I
> attempted to add the host to the rule rather than use a hostgroup, but the
> result is the same

When you say the result is the same, do you also see "No host specified" ?

This might sound strange, but are you sure that the client is connecting
to the right server and there are no replication issues or similar?

You can also verify that the rules that you expect to be downloaded are
in fact stored in the sssd cache with:
ldbsearch -H /var/lib/sss/db/cache_$domainname

(ldbsearch is part of ldb-tools on Fedora/RHEL, not sure what package it
is on Ubuntu)


> 
> Server - RH 6.4, ipa-server-3.0.0-37.el6.x86_64
> Client - Ubuntu 10, sssd 1.5.15-0ubuntu6~lucid2

This client is rather old, is there any chance you could try a newer
version? There's been a number of fixes for HBAC since 1.5.15, including
one crasher bug..

Perhaps Timo Aaltonen might have some newer builds for Lucid in his
PPAs.
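A simplified model of the matching the reply describes (a rule applies to a host only if its host category is 'all' or the host is listed directly or through a host group, and the same holds for users and services), added here as an illustration; it is not SSSD's or FreeIPA's own code. The rule `hbac_techops` mirrors the one quoted above; the user, host and service names are constructed sample data, and the message strings only imitate the SSSD debug lines.

```python
"""Simplified model of IPA HBAC rule evaluation (added illustration, not SSSD code).

Each of user, host and service is matched the same way: the rule's category
is 'all', or the requester is listed directly or via a group. A rule with no
category and nothing listed can never match, which is the situation behind
the "No host specified, rule will never apply." debug line in the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

CATEGORY_ALL = "all"


@dataclass
class HbacRule:
    """One HBAC rule, roughly as `ipa hbacrule-show` prints it (constructed model)."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    host_category: Optional[str] = None
    hosts: Set[str] = field(default_factory=set)
    host_groups: Set[str] = field(default_factory=set)
    service_category: Optional[str] = None
    services: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    """Who is logging in, from where, and through which PAM service."""
    user: str
    user_groups: Set[str]
    host: str
    host_groups: Set[str]
    service: str


def _match(category: Optional[str], direct: Set[str], groups: Set[str],
           name: str, member_of: Set[str], what: str) -> Tuple[bool, str]:
    """Category-or-membership check shared by the user, host and service parts."""
    if category == CATEGORY_ALL:
        return True, "Category is set to 'all'."
    if not direct and not groups:
        # No category and nothing listed: the rule cannot apply to anything.
        return False, "No %s specified, rule will never apply." % what
    if name in direct or (member_of & groups):
        return True, "%s %s matched the rule." % (what, name)
    return False, "%s %s is not covered by the rule." % (what, name)


def evaluate_rule(rule: HbacRule, req: AccessRequest) -> Tuple[bool, List[str]]:
    """A rule grants access only if user, host and service all match."""
    if not rule.enabled:
        return False, ["Rule is disabled, skipping."]
    msgs: List[str] = []
    checks = (
        (rule.user_category, rule.users, rule.user_groups, req.user, req.user_groups, "user"),
        (rule.host_category, rule.hosts, rule.host_groups, req.host, req.host_groups, "host"),
        (rule.service_category, rule.services, set(), req.service, set(), "service"),
    )
    for args in checks:
        ok, msg = _match(*args)
        msgs.append(msg)
        if not ok:
            return False, msgs
    return True, msgs


def evaluate(rules: List[HbacRule], req: AccessRequest) -> Tuple[bool, List[str]]:
    """HBAC is allow-only: access is granted if any enabled rule matches, else denied."""
    log: List[str] = []
    for rule in rules:
        ok, msgs = evaluate_rule(rule, req)
        log.extend("[%s] %s" % (rule.name, m) for m in msgs)
        if ok:
            log.append("Access granted by HBAC rule %s" % rule.name)
            return True, log
    log.append("Access denied by HBAC rules")
    return False, log


# The rule from the thread, as the server shows it.
TECHOPS_RULE = HbacRule(name="hbac_techops", host_category=CATEGORY_ALL,
                        service_category=CATEGORY_ALL, user_groups={"ug-techops"})
# A constructed rule with no host category and no hosts: what a client that
# received the rule without its host data would be evaluating.
HOSTLESS_RULE = HbacRule(name="hbac_techops_hostless", user_category=CATEGORY_ALL,
                         service_category=CATEGORY_ALL)
# Constructed request: a member of ug-techops logging in over sshd.
SAMPLE_REQUEST = AccessRequest(user="terry", user_groups={"ug-techops"},
                               host="client.example.test", host_groups=set(),
                               service="sshd")

if __name__ == "__main__":
    for rules in ([TECHOPS_RULE], [HOSTLESS_RULE]):
        allowed, log = evaluate(rules, SAMPLE_REQUEST)
        print("\n".join(log), "\n-> allowed:", allowed, "\n")
```

Running the module prints the per-rule messages for both rules: the rule as the server shows it grants access, while the same rule stripped of its host data logs "No host specified, rule will never apply." and ends in a denial. That is the pattern in the quoted log, which is why the reply asks whether the client is really talking to the right server and suggests inspecting the rules stored in the SSSD cache rather than only those on the server.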
