[Freeipa-users] Help with debugging HBACs

Sumit Bose sbose at redhat.com
Mon Feb 16 08:40:59 UTC 2015 

On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
> Hi FreeIPA Users-
> 
> I've deployed a FreeIPA instance in my Lab, and enrolled a single host, and
> a single user ('testuser'). The only HBAC rule I currently have is the
> stock allow_all. Yet, when I attempt to log into the host via ssh, it
> closes the connection.
> 
> $ ssh testuser@<host>
> Warning: Permanently added '<host>,<host-ip>' (RSA) to the list of known
> hosts.
> testuser@<host>'s password:
> Connection closed by <host-ip>
> 
> The host I'm attempting to login to can correctly look up the user using
> getent:
> 
> # getent passwd testuser
> testuser:*:168400003:168400003:Test User:/home/testuser:/bin/bash
> 
> Scanning /var/log/secure, I see these entries:
> 
> Feb 14 12:01:50 <host> sshd[6528]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58
>  user=testuser
> Feb 14 12:01:51 <host> sshd[6528]: pam_sss(sshd:auth): authentication
> success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=172.30.3.58 user=testuser
> Feb 14 12:01:51 <host> sshd[6528]: pam_sss(sshd:account): Access denied for
> user testuser: 6 (Permission denied)
> 
> That tells me (From reading online) the user / password was correctly
> authenticated, but failed authorization due to HBAC rules. I've tested the
> rule using the 'hbactest' utility and it passes
> 
> [root@<Master> ~]# ipa hbactest --user=testuser --host=<host> --service=sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: allow_all
> 
> I'm at a loss here, because If I comment out the line:
> 
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> 
> in /etc/pam.d/system-auth, the user is able to login.
> 
> So what am I missing here? Is there a way I can debug HBAC rules? I've
> already set debug_level = 10 in /etc/sssd/sssd.conf, and I see its able to
> access the HBAC 'allow_all' rule in the log /var/log/sssd/sssd_<domain>.<dc>
> .log:
> 
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [sdap_get_generic_done] (7): Total count [0]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_attrs_to_rule]
> (7): Processing rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
> (5): Category is set to 'all'.
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_service_attrs_to_rule] (7): Processing PAM services for rule
> [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
> (5): Category is set to 'all'.
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
> (5): Category is set to 'all'.
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (7): [12] groups for [admin]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (7): Added group [admins] for user [admin]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication
> administrators,cn=privileges,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
> replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify
> replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove
> replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host
> enrollment,cn=privileges,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host
> keytab,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
> host,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
> krbprincipalname to a host,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=unlock user
> accounts,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage
> service keytab,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [hbac_eval_user_element] (7): Added group [trust admins] for user [admin]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
> 
> IPA server:
> # rpm -q ipa-server sssd
> ipa-server-3.0.0-42.el6.centos.x86_64
> sssd-1.11.6-30.el6_6.3.x86_64
> # cat /etc/redhat-release
> CentOS release 6.5 (Final)
> 
> Client:
> # cat /etc/redhat-release
> CentOS release 5.8 (Final)
> # rpm -q sssd
> sssd-1.5.1-49.el5_8.1

This version is quite old and I guess

> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] > [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
> (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] > [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.

is causing the issue. At that time it was possible to specific source
hosts in HBAC rules. But since there is no reliable way to determine
the source host (we have to rely on the data libpam is able to give us).
we removed this in later versions. If you started with an old IPA server
the related attributes are kept during updates, but newer versions like
ipa v3 do not set them anymore.

First I would recommend to update SSSD. If there is really no wy to
update SSSD adding an attribute 'sourceHostCategory: all' to the LDAP
object of the allow_all rule might help.

HTH

bye,
Sumit
> 
> Any help is appreciated.
> 
> Thanks,
> -Andrew

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list