[Freeipa-users] Inconsistent results with HBAC and SSH?

Simpson Lachlan Lachlan.Simpson at petermac.org
Thu May 26 23:14:07 UTC 2016


With the “allow all” HBAC rule enabled, we have no trouble logging in to any machine via ssh. When we disable the “allow all” rule and make specific per-machine rules (as per the idea of ‘host based’ in HBAC), we get unpredictable results, primarily resulting in an inability to log in via ssh. This result is intermittent – sometimes we can log in, but sometimes we can’t.



HBAC has been created and appears fine on server
[root at vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" --host=emts-facs.unix.petermac.org.au --service=ssh
--------------------
Access granted: True
--------------------
  Matched rules: ad_users
  Matched rules: allow_all
  Matched rules: FACS Computing
  Not matched rules: Computing Cluster


Using the allow_all HBAC rule, all users can log in fine, but if we disable it users can no longer always log in. When the user tries to log in we see the following in the host's sssd logs:

[sssd[be[unix.petermac.org.au]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=34fb2be6-2137-11e6-9853-005056b00bfd,cn=hbac,dc=unix,dc=petermac,dc=org,dc=au].
[sssd[be[unix.petermac.org.au]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [41] groups for [Ellul Jason at petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success (Permission denied)]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [6][petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [6][petermac.org.au]
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][petermac.org.au]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
[sssd[pam]] [pam_reply] (0x0200): blen: 32
[sssd[pam]] [client_recv] (0x0200): Client disconnected!
[sssd[nss]] [client_recv] (0x0200): Client disconnected!


Which states Access denied by HBAC rules.

On the server we still see
[root at vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" --host=emts-facs.unix.petermac.org.au --service=ssh
--------------------
Access granted: True
--------------------
  Matched rules: ad_users
  Matched rules: FACS Computing
  Not matched rules: Computing Cluster

[root at vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: ad_users
  Rule name: ad_users
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: ad_users

[root at vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: FACS Computing
  Rule name: FACS Computing
  Service category: all
  Description: This server is running Flow Logic. Current server name is emts-facs.unix.petermac.org.au
  Enabled: TRUE
  User Groups: facs-compute
  Hosts: emts-facs.unix.petermac.org.au


On the host (emts-facs.unix.petermac.org.au) it shows the user is in the correct groups: 10011(facs-compute) and 1718800004(ad_users) which are both posix groups local to freeIPA

[root at emts-facs ~]# id "pmci\ellul jason"
uid=1501(jellul at petermac.org.au) gid=1501(jellul) groups=1501(jellul),1750642900(secure file transfer users at petermac.org.au),10011(facs-compute),10004(bioinf-core),10005(rcf-staff),1718800004(ad_users) (NB: group list truncated for brevity)

Cheers
L.
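As an added example, not code from the post or from FreeIPA/SSSD, here is a small Python diagnostic that parses the two views quoted above, the server's `ipa hbactest` output and the client's SSSD domain log, and reports where they disagree; the function names and the log-line shape it relies on are assumptions drawn only from the lines shown in the post, and the embedded samples are constructed from them.

```python
import re

# Constructed samples modelled on the ipa hbactest output and SSSD domain-log
# lines quoted in the post (trimmed to what the parsers need).
HBACTEST_OUT = """\
Access granted: True
  Matched rules: ad_users
  Matched rules: FACS Computing
"""
SSSD_LOG = """\
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
"""
# Assumed SSSD log line shape: [sssd[<process>]] [<function>] (<debug level>): <message>
LINE_RE = re.compile(r"^\[sssd\[.+?\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
def parse_hbactest(text):
    """Server-side view: the decision and the rules hbactest reports as matched."""
    granted = re.search(r"Access granted: (True|False)", text).group(1) == "True"
    return {"granted": granted, "matched": re.findall(r"^\s*Matched rules: (.+)$", text, re.M)}
def parse_sssd_hbac(text):
    """Client-side view: per rule, which elements SSSD saw as category 'all', and its decision."""
    rules, rule, element, granted = {}, None, None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "hbac_attrs_to_rule":
            rule = re.search(r"Processing rule \[(.+)\]", msg).group(1)
            rules[rule] = set()
        elif func.endswith("_attrs_to_rule"):  # hbac_{user,service,thost,shost}_attrs_to_rule
            element = func[len("hbac_"):-len("_attrs_to_rule")]
        elif func == "hbac_get_category" and "'all'" in msg and rule:
            rules[rule].add(element)           # this element of the rule matches everything
        elif func == "ipa_hbac_evaluate_rules" and msg.startswith("Access "):
            granted = msg.startswith("Access granted")
    return {"rules": rules, "granted": granted}
def compare_views(server, client):
    """List where the server's hbactest and the client's own evaluation disagree."""
    findings = []
    if server["granted"] != client["granted"]:
        findings.append("decision differs: server=%s client=%s" % (server["granted"], client["granted"]))
    for r in server["matched"]:
        if "thost" not in client["rules"].get(r, set()):
            findings.append("rule %r is not host-category 'all' on the client (or was not fetched); inspect it as cached there" % r)
    return findings
```

Run `compare_views(parse_hbactest(HBACTEST_OUT), parse_sssd_hbac(SSSD_LOG))` against the real outputs; a rule that is matched by hbactest on the server but restricts target hosts on the client points at the host list as the client sees it.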