[Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

Thu Jul 14 12:02:53 UTC 2016

Hi,

I have a brief follow up question regarding this issue; 

I’m actually not bent on using HBAC; it is a nice feature and I’d like to use it, but at the end of the day I’m not married to the idea of managing this type of policy centrally; in theory, group or user based access control using AllowGroups/AllowUsers in sshd_config should work, as long as GSSAPIAuthentication and UsePAM are enabled, right? I’ve seen a couple of threads that suggest this is possible, although I haven’t seen it explicitly mentioned anywhere in the documentation.

I’ve made a brief failed attempt at getting sshd authentication working using AllowGroups in sshd_config, however I haven’t spent a whole lot of time on it yet (I’m running into some issues with PAM, presumably to pre-existing problems with group enumeration).

I’m growing concerned about our upcoming IPA implementation because as of now I don’t have a known workaround to the issue described in this thread (it is impacting more than one client).  Any advice with respect to a viable workaround to this issue would be appreciated.

Thank you so much for your ongoing support.

Best,

Dan

> On Jul 13, 2016, at 2:14 PM, Sullivan, Daniel [AAA] <dsullivan2 at bsd.uchicago.edu> wrote:
> 
> Jakub, Justin,
> 
> Thank you both very much for taking the time to continue helping me resolve this issue.  I apologize for not replying right away; I’ve been dealing with a production issue for most of the morning.
> 
> An invocation of ‘id a.cri.dsullivan at bsdad.uchicago.edu<mailto:a.cri.dsullivan at bsdad.uchicago.edu>’ on the IPA DC shows me as a member of the POSIX IPA group (cri_server_administrators_ipa at ipa.cri.uchicago.edu<mailto:cri_server_administrators_ipa at ipa.cri.uchicago.edu>) as well as the AD domain group in the trusted domain (cri-aaa_server_administrators at bsdad.uchicago.edu<mailto:cri-aaa_server_administrators at bsdad.uchicago.edu>).  This remains consistent across any number of successful sshd logins into the DC using my a.cri.dsullivan at bsdad.uchicago<mailto:a.cri.dsullivan at bsdad.uchicago>.edu account, including after clearing the cache on the DC.
> 
> On the client, I am seeing some unusual behavior.  If I run the commands 'sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/* ; service sssd start’ , then run ‘id a.cri.dsullivan at bsdad.uchicago.edu<mailto:a.cri.dsullivan at bsdad.uchicago.edu>’, I see the POSIX IPA group as well as the AD domain group as described above (what I presumably want and expect).  However (and this is the unusual part), if I attempt to login via SSH (it will fail with HBAC validation), and then run the ‘id a.cri.dsullivan at bsdad.uchicago.edu<mailto:a.cri.dsullivan at bsdad.uchicago.edu>’ command again , the POSIX IPA group disappears from the list of groups output by the id command.  From what I can tell, this group will not reappear in the group list on the client until the client cache is cleared.  Presumably this behavior is related to the HBAC authentication errors I am experiencing.  I have cleared the cache on both the DC and the client using ssh_cache -E and this behavior is still exhibited.  With respect to output from testing:
> 
> 1) The sssd domain log from from the client of the initial id invocation (both groups appear) after clearing the cache (on the client) can be found here (this output contains both groups): https://gist.github.com/dsulli99/7117f8d567cc7cdf727d474b0aeab8da<http://pastebin.com/BpAHfYEP>
> 2) The sssd domain log from the client for the failed sshd login (similar to the output I provided yesterday, however re-captured) can be found here (after this operation the IPA group disappears from the list of groups from the id command): https://gist.github.com/dsulli99/668a8799709ff0cd311b321206591124<http://pastebin.com/tnuAbvmV>
> 3) The DC log (after the client cache is cleared) of my running the id invocation (from the client) can be found here (this is the DC side of 1) from above. https://gist.github.com/dsulli99/a2a5e80b6a8b143afa20024aa40a7b39
> 4) The DC log of the the failed sshd login into the client (this is the DC side of 2) from above is https://gist.github.com/dsulli99/4e3ba53c942ad78d7487ae51da92007e
> 
> I really appreciate your help with looking at this issue.  As I said I have another machine built from the same image that this is working fine on.  I am going to keep plugging away at this, I will let you know if I come up with anything.
> 
> Dan
> 
> 
> 
> ********************************************************************************
> This e-mail is intended only for the use of the individual or entity to which
> it is addressed and may contain information that is privileged and confidential.
> If the reader of this e-mail message is not the intended recipient, you are 
> hereby notified that any dissemination, distribution or copying of this
> communication is prohibited. If you have received this e-mail in error, please 
> notify the sender and destroy all copies of the transmittal. 
> 
> Thank you
> University of Chicago Medicine and Biological Sciences 
> ********************************************************************************
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please 
notify the sender and destroy all copies of the transmittal. 

Thank you
University of Chicago Medicine and Biological Sciences 
********************************************************************************