[Freeipa-users] [Solved] Help with debugging HBACs

Sumit Bose sbose at redhat.com
Wed Feb 18 08:06:48 UTC 2015


On Tue, Feb 17, 2015 at 03:47:39PM -0800, Andrew Egelhofer wrote:
> Hi Sumit & FreeIPA Users-
> 
> Your suggestion on updating the version of sssd worked like a charm.
> Consider this issue solved.

Thank you for the feedback, glad I could help.

bye,
Sumit

> 
> Thanks Everyone,
> -Andrew
> 
> On Mon, Feb 16, 2015 at 12:32 PM, Andrew Egelhofer <
> aegelhofer at rubiconproject.com> wrote:
> 
> > Thank you for the reply Sumit - I will look into updating the version of
> > sssd. If that doesn't work, I will also try adding the
> > 'sourceHostCategory' attribute to rules. Though, I would imagine I would
> > have to do this for *all* rules if I want them to work as intended. I'll
> > report back my findings tomorrow.
> >
> > Thanks,
> > -Andrew
> >
> > On Mon, Feb 16, 2015 at 12:40 AM, Sumit Bose <sbose at redhat.com> wrote:
> >
> >> On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
> >> > Hi FreeIPA Users-
> >> >
> >> > I've deployed a FreeIPA instance in my Lab, and enrolled a single host,
> >> and
> >> > a single user ('testuser'). The only HBAC rule I currently have is the
> >> > stock allow_all. Yet, when I attempt to log into the host via ssh, it
> >> > closes the connection.
> >> >
> >> > $ ssh testuser@<host>
> >> > Warning: Permanently added '<host>,<host-ip>' (RSA) to the list of known
> >> > hosts.
> >> > testuser@<host>'s password:
> >> > Connection closed by <host-ip>
> >> >
> >> > The host I'm attempting to login to can correctly look up the user using
> >> > getent:
> >> >
> >> > # getent passwd testuser
> >> > testuser:*:168400003:168400003:Test User:/home/testuser:/bin/bash
> >> >
> >> > Scanning /var/log/secure, I see these entries:
> >> >
> >> > Feb 14 12:01:50 <host> sshd[6528]: pam_unix(sshd:auth): authentication
> >> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58
> >> >  user=testuser
> >> > Feb 14 12:01:51 <host> sshd[6528]: pam_sss(sshd:auth): authentication
> >> > success; logname= uid=0 euid=0 tty=ssh ruser=
> >> > rhost=172.30.3.58 user=testuser
> >> > Feb 14 12:01:51 <host> sshd[6528]: pam_sss(sshd:account): Access denied
> >> for
> >> > user testuser: 6 (Permission denied)
> >> >
> >> > That tells me (From reading online) the user / password was correctly
> >> > authenticated, but failed authorization due to HBAC rules. I've tested
> >> the
> >> > rule using the 'hbactest' utility and it passes
> >> >
> >> > [root@<Master> ~]# ipa hbactest --user=testuser --host=<host>
> >> --service=sshd
> >> > --------------------
> >> > Access granted: True
> >> > --------------------
> >> >   Matched rules: allow_all
> >> >
> >> > I'm at a loss here, because if I comment out the line:
> >> >
> >> > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> >> >
> >> > in /etc/pam.d/system-auth, the user is able to login.
> >> >
> >> > So what am I missing here? Is there a way I can debug HBAC rules? I've
> >> > already set debug_level = 10 in /etc/sssd/sssd.conf, and I see it's able
> >> to
> >> > access the HBAC 'allow_all' rule in the log
> >> /var/log/sssd/sssd_<domain>.<dc>
> >> > .log:
> >> >
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [sdap_get_generic_done] (7): Total count [0]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> [hbac_attrs_to_rule]
> >> > (7): Processing rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
> >> > (5): Category is set to 'all'.
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_service_attrs_to_rule] (7): Processing PAM services for rule
> >> > [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
> >> > (5): Category is set to 'all'.
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule
> >> [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category]
> >> > (5): Category is set to 'all'.
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule
> >> [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (7): [12] groups for [admin]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (7): Added group [admins] for user [admin]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf
> >> [cn=replication
> >> > administrators,cn=privileges,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
> >> > replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify
> >> > replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove
> >> > replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host
> >> > enrollment,cn=privileges,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage
> >> host
> >> > keytab,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
> >> > host,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
> >> > krbprincipalname to a host,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=unlock
> >> user
> >> > accounts,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage
> >> > service keytab,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [hbac_eval_user_element] (7): Added group [trust admins] for user
> >> [admin]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]]
> >> > [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
> >> >
> >> > IPA server:
> >> > # rpm -q ipa-server sssd
> >> > ipa-server-3.0.0-42.el6.centos.x86_64
> >> > sssd-1.11.6-30.el6_6.3.x86_64
> >> > # cat /etc/redhat-release
> >> > CentOS release 6.5 (Final)
> >> >
> >> > Client:
> >> > # cat /etc/redhat-release
> >> > CentOS release 5.8 (Final)
> >> > # rpm -q sssd
> >> > sssd-1.5.1-49.el5_8.1
> >>
> >> This version is quite old and I guess
> >>
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] >
> >> [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] >
> >> [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
> >>
> >> is causing the issue. At that time it was possible to specify source
> >> hosts in HBAC rules. But since there is no reliable way to determine
> >> the source host (we have to rely on the data libpam is able to give us),
> >> we removed this in later versions. If you started with an old IPA server
> >> the related attributes are kept during updates, but newer versions like
> >> ipa v3 do not set them anymore.
> >>
> >> First I would recommend updating SSSD. If there is really no way to
> >> update SSSD, adding an attribute 'sourceHostCategory: all' to the LDAP
> >> object of the allow_all rule might help.
> >>
> >> HTH
> >>
> >> bye,
> >> Sumit
> >> >
> >> > Any help is appreciated.
> >> >
> >> > Thanks,
> >> > -Andrew
> >>
> >>
> >>
> >
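The triage described in this thread (pam_sss accepting the password but the account stack denying access, and the sssd debug log revealing which rule section the old client could not satisfy) can be automated. The following is an added example, not code from the thread or from SSSD; the log lines are constructed copies modelled on the excerpts above, with a placeholder host and domain.

```python
import re

# Constructed sample, modelled on the /var/log/secure excerpt in the thread.
SECURE_LOG = """\
Feb 14 12:01:50 host1 sshd[6528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
Feb 14 12:01:51 host1 sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
Feb 14 12:01:51 host1 sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
"""

# Constructed sample, modelled on the sssd_<domain>.log excerpt in the thread.
SSSD_LOG = """\
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
"""

# pam_<module>(<service>:<stack>): <message>
PAM_RE = re.compile(r"pam_(?P<module>\w+)\((?P<service>\w+):(?P<stack>\w+)\): (?P<msg>.*)")
# "Processing <section> for rule [<name>]" lines emitted while a rule is parsed
RULE_RE = re.compile(r"Processing (?P<what>source hosts|target hosts|users|PAM services) for rule \[(?P<rule>[^\]]+)\]")

def classify_pam(lines):
    """Tell an authentication failure apart from an HBAC authorization failure."""
    auth_ok = account_denied = False
    for line in lines:
        m = PAM_RE.search(line)
        if not m:
            continue
        if m["module"] == "sss" and m["stack"] == "auth" and "success" in m["msg"]:
            auth_ok = True
        if m["stack"] == "account" and "Access denied" in m["msg"]:
            account_denied = True
    if auth_ok and account_denied:
        return "authorization"   # password accepted, pam_sss account (HBAC) refused
    return "ok" if auth_ok else "authentication"

def find_dead_rules(lines):
    """Return (rule, section) pairs that sssd flagged as 'rule will never apply'."""
    dead, pending = [], None
    for line in lines:
        m = RULE_RE.search(line)
        if m:
            pending = (m["rule"], m["what"])
        elif "rule will never apply" in line and pending:
            dead.append(pending)   # the section parsed just before the warning
            pending = None
    return dead

if __name__ == "__main__":
    print(classify_pam(SECURE_LOG.splitlines()), find_dead_rules(SSSD_LOG.splitlines()))
```

A result of "authorization" together with ("allow_all", "source hosts") points at the client-side source-host evaluation discussed above rather than at the rule definition that hbactest validated on the server.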