[Freeipa-users] sssd receives another uid/gid after disabled HBAC rule

Gregor Bregenzer gregor.bregenzer at gmail.com
Sun Sep 7 21:41:16 UTC 2014 

Hi!

I have an AD trust with FreeIPA 4.0.1 and defined a HBAC rule for a
specific user group (=ad_users which is an posix group that has an
external group as member) to login on a specific client
(=linux1.linux.intern).

The problem is: once i disable the rule and the AD user is not allowed
to login anymore, the user on the client gets another uid and gid via
sssd.

I use the posix attributes from AD, which will get received by sssd perfectly.
The client is running on CentOS 6.5 and uses sssd 1.9.2.129.el6_5.4
AD domain = aaa.intern
IPA domain = linux.intern
AD-User: user1   (uid=1005,gid=10005)

Here an example:
----------------------------
1.) disable the hbac rule and the default allow_all rule:
2.) check the uid/gid on the client (=linux1.linux.intern) and it looks fine:

[root at linux1 sssd]# getent passwd user1 at aaa
user1 at aaa.intern:*:10005:10005::/home/user1 at aaa.intern:/bin/bash

3.) Login with ssh to client as user1. It will be denied upon correct
password input and ssh sessions closes. Up until now everything as
expected. But now:

4.) check for the uid/gid on the client - something totally different.
It now also receives the Firstname and Lastname from AD, latter is
empty:

[root at linux1 sssd]# getent passwd user1 at aaa
user1 at aaa.intern:*:11601:11601:user1:/home/user1 at aaa.intern:/bin/bash

5.) Enable the hbac rule and login works, but the unexpected uid/gid
stays the same:

login as: user1 at aaa
user1 at aaa@192.168.0.100's password:
login as: user1 at aaa
user1 at aaa@192.168.0.100's password:
Last failed login: Sun Sep  7 23:19:49 CEST 2014 from 192.168.0.26 on ssh:notty
There were 2 failed login attempts since the last successful login.
Creating home directory for user1 at aaa.
Last login: Sun Sep  7 23:21:02 2014 from 192.168.0.26
[user1 at aaa.intern@linux1 ~]$ id
uid=11601(user1 at aaa.intern) gid=11601(user1 at aaa.intern)
Gruppen=11601(user1 at aaa.intern),1933000004(ad_users)
[user1 at aaa.intern@linux1 ~]$
---------------------------------

Anyone have a clue what might be the problem?

Here's the sssd.conf:
[root at linux1 sssd]# cat /etc/sssd/sssd.conf
[domain/linux.intern]
debug_level=6
cache_credentials = False
krb5_store_password_if_offline = False
ipa_domain = linux.intern
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = linux1.linux.intern
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa1.linux.intern
ldap_tls_cacert = /etc/ipa/ca.crt
use_fully_qualified_domains = True
# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://ipa1.linux.intern
ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linux1.linux.intern
ldap_sasl_realm = LINUX.INTERN
krb5_server = ipa1.linux.intern
entry_cache_sudo_timeout = 30
[sssd]
debug_level=6
services = nss, pam, ssh, sudo
config_file_version = 2
default_domain_suffix=aaa.intern
domains = linux.intern
[nss]
debug_level=9
override_homedir = /home/%u
override_shell = /bin/bash
[pam]
debug_level=6
[sudo]
debug_level=6
[autofs]

[ssh]
debug_level=6
[pac]



Thanks!
Gregor

More information about the Freeipa-users mailing list