[Freeipa-users] HBAC access denied, all AD groups not detected

Jakub Hrozek jhrozek at redhat.com
Mon Dec 7 20:52:20 UTC 2015


On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote:
> > Jakub Hrozek wrote:
> > 
> > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote:
> > > Hello,
> > >
> > > We are having a problem with HBAC that appears to be related to group
> > > membership lookup.  I am testing with a new install on RHEL 7.2 with a
> > > cross-forest trust with AD.  When an AD user attempts to log into a
> > > client (RH 6.7 or 7.2) the "hbac_eval_user_element" can report a
> > > different number of groups each time and never seems to contain the full list.
> > > For the testing account, running the 'id' command returns 153 groups.
> > > The ipa group "ad_admin" is set up to be able to log in anywhere;
> > > everyone else is denied.  With the default allow_all rule enabled,
> > > everything works as expected.  Any ideas on where I can look next?
> > 
> > I assume the group membership is OK on the server, but not the client? Can you
> > enable debugging and also include the full logs from the client after doing
> > sss_cache -E on the client?
> 
> I've done some more testing and installed a RHEL 6.6 client; the issue doesn't occur there since it is not pulling in AD groups, it only shows the single POSIX group.  The server is running 7.2 and I get the same issue logging into it.

To make sure I understand -- the group you expect to be returned is not
returned on the server either? So there is a consistent failure on the
server as well?

(It's important to see where the failure is; the server and the client
use different methods to obtain the group memberships. The server talks
directly to the AD, the clients talk to the server.)

> 
> This is the log section for a login that failed due to "Access denied by HBAC rules"  http://pastebin.com/paiBjG96
> It shows it failing with 112 groups, but I've had it pass at 113 and fail on another user at 66.
> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
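The reply above asks where the membership goes wrong: the server resolves AD groups directly, the clients ask the server, and the HBAC evaluator logs how many groups it saw. The script below is an added example, not code from this thread, from SSSD or from FreeIPA. It takes the group list a host resolves for the user (the output of `id -G`) and the group count that the most recent `hbac_eval_user_element` line in the sssd domain log reports, and tells you whether they agree, so the same check can be run on the server and on a client to localise the failure. The exact wording of the log line (`[N] groups for user [name]`) and all sample data are assumptions constructed for this example; adjust the regex to what your `/var/log/sssd/sssd_<domain>.log` actually contains.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the thread, SSSD or FreeIPA).
# Compares the number of groups a host resolves for a user with the
# number of groups the HBAC evaluator reported in the sssd domain log.

# Count whitespace-separated GIDs, i.e. the output of `id -G <user>`.
count_resolved_groups() {
    printf '%s\n' "$1" | wc -w | tr -d ' '
}

# Print the group count from the most recent hbac_eval_user_element line
# in the log file given as $1. The "[N] groups for user" shape is an
# assumption about the log format. Prints nothing if no line matches.
last_logged_group_count() {
    sed -n 's/.*hbac_eval_user_element.*\[\([0-9][0-9]*\)\] groups for user.*/\1/p' "$1" | tail -n 1
}

# Verdict for a GID list ($1) against a log file ($2):
# "match", "mismatch", or "no-log-line".
compare_group_counts() {
    resolved=$(count_resolved_groups "$1")
    logged=$(last_logged_group_count "$2")
    if [ -z "$logged" ]; then
        echo no-log-line
    elif [ "$resolved" -eq "$logged" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Constructed sample data so the script runs stand-alone; no real hosts,
# users or log lines. On a real host you would instead use
#   SAMPLE_GIDS=$(id -G "$user") and SAMPLE_LOG=/var/log/sssd/sssd_<domain>.log
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
(Mon Dec  7 14:04:26 2015) [sssd[be[example.test]]] [hbac_eval_user_element] (0x2000): [112] groups for user [tuser@ad.example.test]
(Mon Dec  7 14:04:26 2015) [sssd[be[example.test]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
EOF
# 153 constructed GIDs standing in for the output of `id -G tuser@ad.example.test`
SAMPLE_GIDS=$(seq 100000 100152 | tr '\n' ' ')

main() {
    echo "resolved groups: $(count_resolved_groups "$SAMPLE_GIDS")"
    echo "logged groups:   $(last_logged_group_count "$SAMPLE_LOG")"
    echo "verdict:         $(compare_group_counts "$SAMPLE_GIDS" "$SAMPLE_LOG")"
}
main
```

A "mismatch" on the server points at the AD lookup path; a "match" on the server but a "mismatch" on a client points at the client-to-server path, which is the distinction the reply asks to establish before digging further. Run it after `sss_cache -E` with debug logging enabled so the log line reflects a fresh lookup.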
