[Freeipa-users] HBAC rules stop working

Jakub Hrozek jhrozek at redhat.com
Fri Sep 30 06:56:48 UTC 2016


On Thu, Sep 29, 2016 at 07:51:14PM -0600, Orion Poplawski wrote:
> server:
> ipa-server-4.2.0-15.sl7_2.19.x86_64
> sssd-1.13.0-40.el7_2.12.x86_64
> 
> client:
> sssd-1.14.1-3.el7.centos.x86_64
> 
> AD trust - users are in AD.  HBAC rule in place for client to allow a user
> to login/ssh/su/etc.
> 
> This seems to have happened a couple times now, and again today after
> rebooting the IPA server.  sssd was denying the user to ssh into the client
> by pam rules.  Logged on to the IPA server and disabled and then re-enabled
> the HBAC rule for the client and then was able to log back in again.  Has
> anyone else seen this before?
> 
> client sssd_pam just went from:
> 
> (Thu Sep 29 19:30:40 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [6]: Permission denied.
> 
> to
> 
> (Thu Sep 29 19:37:04 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [0]: Success.
> 
> so I assume I'll need to collect debug logs from sssd on the server next
> time.

Yes, please try to collect logs from a machine that exhibits the bug. I
suspect this is not related to HBAC per se, but rather to external group
memberships, so it would also be nice to check if the groups are
resolved on the faulty machine. And if they wouldn't be, please also
check if they are resolved on the server itself (and collect logs
there.)
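An added helper script, not from the thread or the SSSD project, for the two checks Jakub asks for: it pulls the pam_reply result codes out of an sssd_pam.log (the sample lines are constructed in the format Orion quoted) and reports whether the log flipped from a denial to success, and it checks whether an AD user's external group resolves on the client via id; the user and group names in the comments are placeholders.

```sh
#!/bin/sh
# Constructed excerpt of a client's sssd_pam.log in the format quoted in the
# thread; it is sample data, not a real capture.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
(Thu Sep 29 19:30:40 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
(Thu Sep 29 19:31:02 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
(Thu Sep 29 19:37:04 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
EOF

# One line per pam_reply: "<code> <timestamp> <message>", so a flip such as
# 6 -> 0 lines up against the time the HBAC rule was toggled on the server.
pam_results() {
    awk '/\[pam_reply\]/ {
        ts = $0;   sub(/^\(/, "", ts);           sub(/\).*$/, "", ts)
        code = $0; sub(/.*result \[/, "", code); sub(/\].*$/, "", code)
        msg = $0;  sub(/.*\]: /, "", msg);       sub(/\.$/, "", msg)
        print code, ts, msg
    }' "$1"
}

# Number of pam_reply calls that ended in a non-zero (denied) result.
pam_denials() {
    pam_results "$1" | awk '$1 != 0' | wc -l | tr -d ' '
}

# Succeeds (exit 0) if a denial is later followed by a success in the same
# log, i.e. the symptom Orion describes.
pam_flipped_to_success() {
    pam_results "$1" | awk '
        prev != "" && prev != 0 && $1 == 0 { found = 1 }
        { prev = $1 }
        END { exit found ? 0 : 1 }'
}

# Jakub's other request: does the AD user's external group resolve on this
# host? Both arguments are placeholders (e.g. "user@ad.example" "admins@ad.example").
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

pam_results "$SAMPLE_LOG"
echo "denials: $(pam_denials "$SAMPLE_LOG")"
if pam_flipped_to_success "$SAMPLE_LOG"; then
    echo "log flipped from denied to success: compare group resolution on client and server"
fi
```

Run it against a real sssd_pam.log (with debug_level high enough to emit pam_reply lines) and pair a non-empty denial count with `user_in_group` output from both the client and the IPA server.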
