[Freeipa-users] HBAC access denied, all AD groups not detected
Sauls, Jeff
Jeff.Sauls at photomask.com
Mon Dec 7 20:04:26 UTC 2015
> Jakub Hrozek wrote:
>
> On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote:
> > Hello,
> >
> > We are having a problem with HBAC that appears to be related to group
> > membership lookup. I am testing with a new install on RHEL 7.2 with a
> > cross-forest trust with AD. When an AD user attempts to log into a
> > client (RH 6.7 or 7.2) the "hbac_eval_user_element" can report a
> > different number of groups each time and never seems to contain the full list.
> > For the testing account, running the 'id' command returns 153 groups.
> > The ipa group "ad_admin" has setup to be able to log in anywhere,
> > everyone else is denied. With the default allow_all rule enabled,
> > everything works as expected. Any ideas on where I can look next?
>
> I assume the group membership is OK on the server, but not the client? Can you
> enable debugging and also include the full logs from the client after doing
> sss_cache -E on the client?
I've done some more testing and installed a RHEL 6.6 client, the issue doesn't occur there since it is not pulling in AD groups, it only shows the single POSIX group. The server is running 7.2 and I get the same issue logging into it.
This is the log section for a login that failed due to "Access denied by HBAC rules" http://pastebin.com/paiBjG96
It shows it failing with 112 groups, but I've had it pass at 113 and fail on another user at 66.
More information about the Freeipa-users
mailing list