[Freeipa-users] Inconsistant results with HBAC and SSH?
Simpson Lachlan
Lachlan.Simpson at petermac.org
Thu May 26 23:14:07 UTC 2016
With the “allow all” HBAC rule enabled, we have no trouble logging in to any machine via ssh. When we disable the “allow all” rule and make specific per-machine rules (as per the idea of ‘host based’ in HBAC), we get unpredictable results, primarily resulting in an inability to login via ssh. This result is intermittent – sometimes we can login, but sometimes we can’t.
HBAC has been created and appears fine on server
[root at vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" --host=emts-facs.unix.petermac.org.au --service=ssh
--------------------
Access granted: True
--------------------
Matched rules: ad_users
Matched rules: allow_all
Matched rules: FACS Computing
Not matched rules: Computing Cluster
Using the allow_all HBAC all users can log in fine but if we disable it users can no longer always login. When the user tries to log in we see the following on the host sssd logs:
[sssd[be[unix.petermac.org.au]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=34fb2be6-2137-11e6-9853-005056b00bfd,cn=hbac,dc=unix,dc=petermac,dc=org,dc=au].
[sssd[be[unix.petermac.org.au]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [41] groups for [Ellul Jason at petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success (Permission denied)]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [6][petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [6][petermac.org.au]
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][petermac.org.au]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
[sssd[pam]] [pam_reply] (0x0200): blen: 32
[sssd[pam]] [client_recv] (0x0200): Client disconnected!
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
Which states Access denied by HBAC rules.
On server we still see
[root at vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" --host=emts-facs.unix.petermac.org.au --service=ssh
--------------------
Access granted: True
--------------------
Matched rules: ad_users
Matched rules: FACS Computing
Not matched rules: Computing Cluster
[root at vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: ad_users
Rule name: ad_users
Host category: all
Service category: all
Enabled: TRUE
User Groups: ad_users
[root at vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: FACS Computing
Rule name: FACS Computing
Service category: all
Description: This server is running Flow Logic. Current server name is emts-facs.unix.petermac.org.au
Enabled: TRUE
User Groups: facs-compute
Hosts: emts-facs.unix.petermac.org.au
On the host (emts-facs.unix.petermac.org.au) it shows the user is in the correct groups: 10011(facs-compute) and 1718800004(ad_users) which are both posix groups local to freeIPA
[root at emts-facs ~]# id "pmci\ellul jason"
uid=1501(jellul at petermac.org.au) gid=1501(jellul) groups=1501(jellul),1750642900(secure file transfer users at petermac.org.au),10011(facs-compute),10004(bioinf-core),10005(rcf-staff),1718800004(ad_users) (NB: group list truncated for brevity)
Cheers
L.
This email (including any attachments or links) may contain
confidential and/or legally privileged information and is
intended only to be read or used by the addressee. If you
are not the intended addressee, any use, distribution,
disclosure or copying of this email is strictly
prohibited.
Confidentiality and legal privilege attached to this email
(including any attachments) are not waived or lost by
reason of its mistaken delivery to you.
If you have received this email in error, please delete it
and notify us immediately by telephone or email. Peter
MacCallum Cancer Centre provides no guarantee that this
transmission is free of virus or that it has not been
intercepted or altered and will not be liable for any delay
in its receipt.
More information about the Freeipa-users
mailing list