[Freeipa-users] HBAC rules stop working

Orion Poplawski orion at cora.nwra.com
Fri Sep 30 01:51:14 UTC 2016


server:
ipa-server-4.2.0-15.sl7_2.19.x86_64
sssd-1.13.0-40.el7_2.12.x86_64

client:
sssd-1.14.1-3.el7.centos.x86_64

AD trust - users are in AD.  HBAC rule in place for client to allow a 
user to login/ssh/su/etc.

This seems to have happened a couple times now, and again today after 
rebooting the IPA server.  sssd was denying the user to ssh into the 
client by pam rules.  Logged on to the IPA server and disabled and then 
re-enabled the HBAC rule for the client and then was able to log back in 
again.  Has anyone else seen this before?

client sssd_pam just went from:

(Thu Sep 29 19:30:40 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.

to

(Thu Sep 29 19:37:04 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.

so I assume I'll need to collect debug logs from sssd on the server next 
time.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion at cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com
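
An added example, not part of the original post: a small Python parser for the pam_reply lines quoted above that reports each point where the result code changes, giving the time window to line up against server-side sssd debug logs. It assumes each log entry is on one line with the timestamp layout shown in the post; sample lines other than the two from the post are constructed.

```python
import re
from datetime import datetime

# Matches sssd_pam pam_reply lines in the layout quoted in the post.
PAM_REPLY = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[pam_reply\] \(0x[0-9a-f]+\): "
    r"pam_reply called with result \[(?P<code>\d+)\]: (?P<text>.+?)\.?\s*$"
)

def parse_replies(lines):
    """Yield (timestamp, PAM result code, text) per pam_reply line; skip others."""
    for line in lines:
        m = PAM_REPLY.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, int(m["code"]), m["text"]

def result_transitions(lines):
    """Return (last_old_ts, first_new_ts, old_code, new_code) per code change."""
    out, prev = [], None
    for ts, code, _ in parse_replies(lines):
        if prev is not None and code != prev[1]:
            out.append((prev[0], ts, prev[1], code))
        prev = (ts, code)
    return out

# Lines 2 and 4 are from the post (unwrapped); lines 1 and 3 are constructed.
SAMPLE = [
    "(Thu Sep 29 19:25:02 2016) [sssd[pam]] [pam_reply] (0x0200): "
    "pam_reply called with result [6]: Permission denied.",
    "(Thu Sep 29 19:30:40 2016) [sssd[pam]] [pam_reply] (0x0200): "
    "pam_reply called with result [6]: Permission denied.",
    "(Thu Sep 29 19:30:41 2016) [sssd[pam]] [client_recv] (0x0200): "
    "Client disconnected!",
    "(Thu Sep 29 19:37:04 2016) [sssd[pam]] [pam_reply] (0x0200): "
    "pam_reply called with result [0]: Success.",
]

if __name__ == "__main__":
    # Code 6 is PAM_PERM_DENIED and 0 is PAM_SUCCESS in Linux-PAM.
    for old_ts, new_ts, old, new in result_transitions(SAMPLE):
        gap = int((new_ts - old_ts).total_seconds())
        print(f"result {old} -> {new} between {old_ts} and {new_ts} ({gap}s)")
```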



