[Freeipa-users] sssd 1.14.1, HBAC still not working?

Lachlan Musicman datakid at gmail.com
Tue Oct 11 04:28:55 UTC 2016


After further testing, I've discovered that the dev system wasn't working
as well as I thought it was: HBAC and sshd don't seem to be playing well
together on one server, but fine on the other?

i.e., I can run the same commands from both ipa-server and ipa-client:

ipa hbactest --user=user1 --host=ipa-server.unixdev.petermac.org.au --service=sshd
ipa hbactest --user=user1 --host=ipa-client.unixdev.petermac.org.au --service=sshd


and every response is:

to the ipa-client
--------------------
Access granted: True
--------------------
  Matched rules: Admin Users (w sudo)
  Matched rules: Users

to the ipa-server
--------------------
Access granted: True
--------------------
  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users


but when I try to login to the ipa-server, I get an instant disconnect? I
can login happily to the ipa-client no problems.

Is there a special rule about sshd and the ipa-server?

cheers
L.


------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 11 October 2016 at 14:06, Lachlan Musicman <datakid at gmail.com> wrote:

> Hola,
>
> I've set up a test domain that's as much as possible the same as the prod
> domain, and successfully got a one way trust against the AD: CentOS 7.2,
> ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3
>
> On that test domain I believe I have HBAC working successfully.
>
> Once I could show that it was working successfully on the test domain we
> updated all the clients in the prod domain to sssd 1.14.1-3, updated the
> IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.
>
> And it doesn't work? Two users could login, but none of the others could,
> and the sudo rules weren't applied in so much as the one user that could
> login but shouldn't have had sudo, did.
>
> I tried stopping sssd/clearing cache/start sssd/waiting; and stopping
> sssd/deleting /var/lib/sss/db/* /start sssd/waiting.
>
> Neither of those worked, so I enabled allow all again.
>
> Now I have a bunch of log files to look through, but no clear indication
> of what might have gone wrong from a quick read.
>
> I can see in the logs where one person is ok'd by HBAC for sshd and
> another two are denied - when they should have all been ok'd. And I can
> infer that the reasoning is that HBAC has declared person2 + person3 to not
> be in a group they most definitely are in from the error messages. But
> there is no indication of why sssd hasn't properly picked up that person2
> is in the correct group?
>
> I guess the question is, where do I start fixing this? Which logs should I
> be reading?
>
> What can I compare between the two set ups (dev and prod) that might give
> me insight, given that they are largely set up identically?
>
> Cheers
> L.
>
>
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
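An added example, not part of the thread: a small parser for the text that `ipa hbactest` prints (the two outputs quoted above are used as constructed sample input) that compares the server-side decision across hosts, so that hosts where a different rule set grants access stand out before digging into sssd logs.

```python
"""Compare `ipa hbactest --user=U --host=H --service=S` output across hosts.

Added example, not from the original post. Reports hosts whose decision or
matched rule sets differ; a mismatch is the first thing to line up against
the client-side sssd evaluation.
"""
import re

# Constructed sample: the two outputs quoted in the post, keyed by host.
SAMPLE = {
    "ipa-client.unixdev.petermac.org.au": """\
--------------------
Access granted: True
--------------------
  Matched rules: Admin Users (w sudo)
  Matched rules: Users
""",
    "ipa-server.unixdev.petermac.org.au": """\
--------------------
Access granted: True
--------------------
  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users
""",
}


def parse_hbactest(text):
    """Return {'granted': bool|None, 'matched': set, 'not_matched': set}."""
    result = {"granted": None, "matched": set(), "not_matched": set()}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Access granted:\s*(True|False)", line)
        if m:
            result["granted"] = m.group(1) == "True"
        elif line.startswith("Matched rules:"):
            result["matched"].add(line.split(":", 1)[1].strip())
        elif line.startswith("Not matched rules:"):
            result["not_matched"].add(line.split(":", 1)[1].strip())
    return result


def compare_hosts(outputs):
    """Return (host_a, host_b, reason) for every pair of hosts that disagree."""
    parsed = {h: parse_hbactest(t) for h, t in outputs.items()}
    hosts = sorted(parsed)
    diffs = []
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            pa, pb = parsed[a], parsed[b]
            if pa["granted"] != pb["granted"]:
                diffs.append((a, b, "decision differs"))
            elif pa["matched"] != pb["matched"]:
                diffs.append((a, b, "different rules grant access"))
    return diffs
```

sssd evaluates HBAC on the client from its own cached view of group membership, so a host that is granted here but still refuses ssh logins points at that client's cache (what `id user1` shows on the host) rather than at the rules themselves.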