[Freeipa-users] sssd 1.14.1, HBAC still not working?

Jakub Hrozek jhrozek at redhat.com
Tue Oct 11 08:03:33 UTC 2016


On Tue, Oct 11, 2016 at 03:28:55PM +1100, Lachlan Musicman wrote:
> After further testing, I've discovered that the dev system wasn't working
> as well as I thought it was: HBAC and sshd don't seem to be playing well
> together on one server, but fine on the other?
> 
> ie, I can run the same commands from both ipa-server and ipa-client:
> 
> ipa hbactest  --user=user1 --host=ipa-server.unixdev.petermac.org.au
> --service=sshd
> ipa hbactest  --user=user1 --host=ipa-client.unixdev.petermac.org.au
> --service=sshd
> 
> 
> and every response is:
> 
> to the ipa-client
> --------------------
> Access granted: True
> --------------------
>   Matched rules: Admin Users (w sudo)
>   Matched rules: Users
> 
> to the ipa-server
> --------------------
> Access granted: True
> --------------------
>   Matched rules: Cluster Admin Users (sudo)
>   Not matched rules: Cluster Users
> 
> 
> but when I try to login to the ipa-server, I get an instance disconnect? I
> can login happily to the ipa-client no problems.
> 
> Is there a special rule about sshd and the ipa-server?

No, there shouldn't be. Can you generate sssd logs on the instance that
is acting up and send them to me? It's best to run date and expire the
cache before the test as well:
    sss_cache -E; date; ssh user@host; date
so that we can cross-check the logs knowing the time of the test. If you
don't mind I'd like to share the logs with other SSSD developers because
I think I already tried to look into this issue and couldn't find the root
cause in the past, so maybe others will spot something.
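As an added example (not from this thread or from SSSD itself), a small Python helper for the cross-check described above: given the two `date` stamps printed around the `ssh` attempt, it pulls the sssd log entries written inside that window and lists the HBAC decision lines among them. The sample log is constructed in the sssd 1.x line layout `(<timestamp>) [<component>] [<function>] (<level>): <message>`; the function names and messages in it are illustrative sample values, not a claim about exact sssd output.

```python
import re
from datetime import datetime

# Assumed sssd 1.x layout: "(<timestamp>) [<component>] [<function>] (<level>): <message>"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"  # sssd timestamp; also `date` output once the TZ field is dropped


def parse_date_stamp(stamp):
    """Parse a `date` stamp such as 'Tue Oct 11 08:03:33 UTC 2016' (TZ field removed)."""
    parts = stamp.split()
    if len(parts) == 6:  # default `date` output carries a timezone field at index 4
        del parts[4]
    return datetime.strptime(" ".join(parts), TS_FMT)


def entries_in_window(log_lines, start_stamp, end_stamp):
    """Return parsed log entries whose timestamp lies between the two `date` stamps."""
    start, end = parse_date_stamp(start_stamp), parse_date_stamp(end_stamp)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if start <= ts <= end:
            hits.append(m.groupdict())
    return hits


def hbac_decisions(entries):
    """Return (function, message) pairs for entries that record an HBAC decision."""
    return [(e["func"], e["msg"]) for e in entries
            if "hbac" in e["func"].lower() or "HBAC" in e["msg"]]


# Constructed sample log (not real sssd output); the 08:03 lines fall inside the test window
SAMPLE_LOG = """\
(Tue Oct 11 08:01:10 2016) [sssd[be[unixdev.petermac.org.au]]] [be_ptask_execute] (0x0400): Task [Cleanup]: executing task
(Tue Oct 11 08:03:31 2016) [sssd[be[unixdev.petermac.org.au]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Oct 11 08:03:32 2016) [sssd[be[unixdev.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Tue Oct 11 08:03:32 2016) [sssd[be[unixdev.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [6][unixdev.petermac.org.au]
(Tue Oct 11 08:05:00 2016) [sssd[be[unixdev.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Users]
""".splitlines()

if __name__ == "__main__":
    window = entries_in_window(SAMPLE_LOG, "Tue Oct 11 08:03:30 UTC 2016", "Tue Oct 11 08:03:35 UTC 2016")
    for func, msg in hbac_decisions(window):
        print(func, "->", msg)
```

Point `log_lines` at the real `/var/log/sssd/sssd_<domain>.log` contents and use the two `date` outputs from the test; a decision line in the window that contradicts `ipa hbactest` is exactly what to send along with the logs.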
