[Freeipa-users] [Solved] Help with debugging HBACs

Andrew Egelhofer aegelhofer at rubiconproject.com
Tue Feb 17 23:47:39 UTC 2015


Hi Sumit & FreeIPA Users-

Your suggestion on updating the version of sssd worked like a charm.
Consider this issue solved.

Thanks Everyone,
-Andrew

On Mon, Feb 16, 2015 at 12:32 PM, Andrew Egelhofer <
aegelhofer at rubiconproject.com> wrote:

> Thank you for the reply Sumit - I will look into updating the version of
> sssd. If that doesn't work, I will also try adding the
> 'sourceHostCategory' attribute to rules. Though, I would imagine I would
> have to do this for *all* rules if I want them to work as intended. I'll
> report back my findings tomorrow.
>
> Thanks,
> -Andrew
>
> On Mon, Feb 16, 2015 at 12:40 AM, Sumit Bose <sbose at redhat.com> wrote:
>
>> On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
>> > Hi FreeIPA Users-
>> >
>> > I've deployed a FreeIPA instance in my Lab, and enrolled a single host,
>> and
>> > a single user ('testuser'). The only HBAC rule I currently have is the
>> > stock allow_all. Yet, when I attempt to log into the host via ssh, it
>> > closes the connection.
>> >
>> > $ ssh testuser@<host>
>> > Warning: Permanently added '<host>,<host-ip>' (RSA) to the list of known
>> > hosts.
>> > testuser@<host>'s password:
>> > Connection closed by <host-ip>
>> >
>> > The host I'm attempting to login to can correctly look up the user using
>> > getent:
>> >
>> > # getent passwd testuser
>> > testuser:*:168400003:168400003:Test User:/home/testuser:/bin/bash
>> >
>> > Scanning /var/log/secure, I see these entries:
>> >
>> > Feb 14 12:01:50 <host> sshd[6528]: pam_unix(sshd:auth): authentication
>> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58
>> >  user=testuser
>> > Feb 14 12:01:51 <host> sshd[6528]: pam_sss(sshd:auth): authentication
>> > success; logname= uid=0 euid=0 tty=ssh ruser=
>> > rhost=172.30.3.58 user=testuser
>> > Feb 14 12:01:51 <host> sshd[6528]: pam_sss(sshd:account): Access denied
>> for
>> > user testuser: 6 (Permission denied)
>> >
>> > That tells me (From reading online) the user / password was correctly
>> > authenticated, but failed authorization due to HBAC rules. I've tested
>> the
>> > rule using the 'hbactest' utility and it passes
>> >
>> > [root@<Master> ~]# ipa hbactest --user=testuser --host=<host>
>> --service=sshd
>> > --------------------
>> > Access granted: True
>> > --------------------
>> >   Matched rules: allow_all
>> >
>> > I'm at a loss here, because If I comment out the line:
>> >
>> > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>> >
>> > in /etc/pam.d/system-auth, the user is able to login.
>> >
>> > So what am I missing here? Is there a way I can debug HBAC rules? I've
>> > already set debug_level = 10 in /etc/sssd/sssd.conf, and I see its able
>> to
>> > access the HBAC 'allow_all' rule in the log
>> /var/log/sssd/sssd_<domain>.<dc>
>> > .log:
>> >
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [sdap_get_generic_done] (7): Total count [0]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> [hbac_attrs_to_rule]
>> > (7): Processing rule [allow_all]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
>> > (5): Category is set to 'all'.
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_service_attrs_to_rule] (7): Processing PAM services for rule
>> > [allow_all]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
>> > (5): Category is set to 'all'.
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule
>> [allow_all]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
>> > (5): Category is set to 'all'.
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule
>> [allow_all]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (7): [12] groups for [admin]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (7): Added group [admins] for user [admin]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf
>> [cn=replication
>> > administrators,cn=privileges,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
>> > replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify
>> > replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove
>> > replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host
>> > enrollment,cn=privileges,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage
>> host
>> > keytab,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
>> > host,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
>> > krbprincipalname to a host,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=unlock
>> user
>> > accounts,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage
>> > service keytab,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [hbac_eval_user_element] (7): Added group [trust admins] for user
>> [admin]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
>> > [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
>> >
>> > IPA server:
>> > # rpm -q ipa-server sssd
>> > ipa-server-3.0.0-42.el6.centos.x86_64
>> > sssd-1.11.6-30.el6_6.3.x86_64
>> > # cat /etc/redhat-release
>> > CentOS release 6.5 (Final)
>> >
>> > Client:
>> > # cat /etc/redhat-release
>> > CentOS release 5.8 (Final)
>> > # rpm -q sssd
>> > sssd-1.5.1-49.el5_8.1
>>
>> This version is quite old and I guess
>>
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
>> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
>>
>> is causing the issue. At that time it was possible to specify source
>> hosts in HBAC rules. But since there is no reliable way to determine
>> the source host (we have to rely on the data libpam is able to give us),
>> we removed this in later versions. If you started with an old IPA server
>> the related attributes are kept during updates, but newer versions like
>> ipa v3 do not set them anymore.
>>
>> First I would recommend to update SSSD. If there is really no way to
>> update SSSD, adding an attribute 'sourceHostCategory: all' to the LDAP
>> object of the allow_all rule might help.
>>
>> HTH
>>
>> bye,
>> Sumit
>> >
>> > Any help is appreciated.
>> >
>> > Thanks,
>> > -Andrew
>>
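A small added diagnostic (not from this thread, nor from SSSD or FreeIPA) that reads sssd_<domain>.<dc>.log lines of the kind quoted above and reports which element of a rule the old SSSD declared empty, so the source-host check Sumit points at shows up as "allow_all / source hosts" rather than a bare "Access denied". The sample log and the domain example.test are constructed from the excerpt in the thread.

```python
import re

# Constructed sample modelled on the sssd_<domain>.<dc>.log excerpt in the thread;
# the domain "example.test" is a placeholder.
SAMPLE_LOG = """\
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_get_category] (5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_get_category] (5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
"""

# "[function] (level): message" as the SSSD 1.x backend log writes it.
LINE_RE = re.compile(r"\[(?P<func>(?:ipa_)?hbac_\w+)\] \((?P<lvl>\d+)\): (?P<msg>.*)$")
PHASES = {
    "hbac_user_attrs_to_rule": "users",
    "hbac_service_attrs_to_rule": "services",
    "hbac_thost_attrs_to_rule": "target hosts",
    "hbac_shost_attrs_to_rule": "source hosts",
}

def parse_hbac_log(text):
    """Map rule -> {phase: 'all' | 'members' | 'dead'} from HBAC debug lines."""
    rules, rule, phase = {}, None, None
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        r = re.search(r"rule \[([^\]]+)\]", msg)
        if r:                               # "Processing ... for rule [X]"
            rule = r.group(1)
            rules.setdefault(rule, {})
        if func in PHASES:                  # a new element of the rule starts
            phase = PHASES[func]
            rules[rule][phase] = "members"  # explicit members unless 'all' follows
        elif func == "hbac_get_category" and rule and phase:
            rules[rule][phase] = "all"
        elif func == "hbac_host_attrs_to_rule" and "never apply" in msg and rule and phase:
            rules[rule][phase] = "dead"     # empty element: rule can never match
    return rules

def dead_phases(text):
    """(rule, element) pairs that make SSSD reject the rule outright."""
    return [(rule, ph) for rule, phases in parse_hbac_log(text).items()
            for ph, st in phases.items() if st == "dead"]
```

Running dead_phases over the real log (with debug_level raised as in the thread) names the rule and the empty element, which is the cue to upgrade SSSD or to set the missing category on that rule.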