[Freeipa-users] freeipa hostbased auth "connection closed"

Sullivan, Daniel [CRI] dsullivan2 at bsd.uchicago.edu
Sun Feb 5 14:21:02 UTC 2017


Did you check /var/log/messages and /var/log/secure?  I think I’ve seen problems with hosts.allow/hosts.deny dump output in there.

Dan

On Feb 5, 2017, at 8:17 AM, Rakesh Rajasekharan <rakesh.rajasekharan at gmail.com> wrote:

Hi,

I am running a FreeIPA server version 4.4.0 and have set up HBAC rules which work fine.

However, just on one single host, I am seeing this issue wherein it is not allowing me ssh access.
When I check my HBAC permissions, it says access granted, but on trying to log in, it blocks me.

On the Freeipa server
ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd

--------------------
Access granted: True
--------------------
  Matched rules: ipa-alluser-access
  Not matched rules: ipa-alluser-sudo-access

On the client I get this message while doing an ssh "Connection closed by 10.0.30.28".

In /var/log/secure I see these messages
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 port 40540 ssh2
Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]

In /var/log/sssd/sssd_domain.log I see this error at the end:


(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x1000): Waiting for child [26795].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].



But a few lines above, I see that I was allowed in by the HBAC rule:


(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #12]: Receiving request data.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #12]: Request removed.

I was allowed in per the HBAC rule.


Not sure what's blocking me.


Thanks
Rakesh

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
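An added example, not part of the thread above, that pulls apart the two pieces of evidence Rakesh posted: the pam_sss account-phase result in /var/log/secure and the HBAC verdict, DP request results and child exits in the sssd domain log. The sample log lines are constructed (modelled on the ones quoted in the post; the timestamps, PIDs and request numbers are copied from it, the "denied" sample is invented for contrast). The PAM code names come from Linux-PAM's pam_constants; the mapping of an HBAC denial to PAM_PERM_DENIED (6) reflects how sssd's IPA access provider reports it, and the script treats a 4 (PAM_SYSTEM_ERR) after an HBAC ALLOW as "something other than HBAC failed", without guessing what.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Linux-PAM return codes that appear in pam_sss "Access denied for user X: N (...)" lines.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    10: "PAM_USER_UNKNOWN",
    13: "PAM_ACCT_EXPIRED",
}

# /var/log/secure: pam_sss account phase result
PAM_ACCOUNT_RE = re.compile(r"pam_sss\(\w+:account\): Access denied for user (\S+): (\d+) \(([^)]*)\)")
# sssd domain log: libipa_hbac rule verdict, DP request bookkeeping, child exits
HBAC_RULE_RE = re.compile(r"\[hbac_evaluate\].*?(ALLOWED|DENIED) by rule \[([^\]]+)\]")
DP_RESULT_RE = re.compile(r"DP Request \[PAM Account #(\d+)\]: Sending result \[(\d+)\]")
DP_REQUEST_RE = re.compile(r"DP Request \[(PAM \w+) #(\d+)\]")
CHILD_FAIL_RE = re.compile(r"child \[(\d+)\] failed with status \[(\d+)\]")

# Constructed sample: the lines quoted in the post, with the URL residue stripped.
SECURE_LOG = """\
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]
"""
SSSD_LOG = """\
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].
"""
# Constructed contrast case (invented, not from the post): a plain HBAC denial.
DENIED_SECURE_LOG = "Feb  5 14:00:00 10 sshd[27001]: pam_sss(sshd:account): Access denied for user nobody1: 6 (Permission denied)\n"
DENIED_SSSD_LOG = "(Sun Feb  5 14:00:00 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #20]: Sending result [6][mydomain.com]\n"


@dataclass
class Triage:
    user: Optional[str] = None
    pam_account_code: Optional[int] = None   # from /var/log/secure
    hbac_verdict: Optional[str] = None       # ALLOWED / DENIED / None (no rule line seen)
    hbac_rule: Optional[str] = None
    dp_account_result: Optional[int] = None  # what the backend sent to the PAM responder
    dp_requests: set = field(default_factory=set)
    failed_children: list = field(default_factory=list)  # (pid, exit status)


def triage(secure_log: str, sssd_log: str) -> Triage:
    """Extract the account-phase evidence from both logs."""
    t = Triage()
    for line in secure_log.splitlines():
        if (m := PAM_ACCOUNT_RE.search(line)):
            t.user, t.pam_account_code = m.group(1), int(m.group(2))
    for line in sssd_log.splitlines():
        if (m := HBAC_RULE_RE.search(line)):
            t.hbac_verdict, t.hbac_rule = m.group(1), m.group(2)
        if (m := DP_RESULT_RE.search(line)):
            t.dp_account_result = int(m.group(2))
        if (m := DP_REQUEST_RE.search(line)):
            t.dp_requests.add(m.group(1))
        if (m := CHILD_FAIL_RE.search(line)):
            t.failed_children.append((int(m.group(1)), int(m.group(2))))
    return t


def verdict(t: Triage) -> str:
    """Say which phase produced the denial, without guessing beyond the evidence."""
    code = t.pam_account_code if t.pam_account_code is not None else t.dp_account_result
    name = PAM_CODES.get(code, "unknown")
    if t.hbac_verdict == "DENIED" or (t.hbac_verdict is None and code == 6):
        return f"hbac: denied ({code} {name}); rule={t.hbac_rule}; fix the HBAC rule, not the host"
    if t.hbac_verdict == "ALLOWED" and code == 4:
        others = sorted(t.dp_requests - {"PAM Account"})
        return (f"not-hbac: allowed by [{t.hbac_rule}] but account phase returned {code} {name}; "
                f"failed children={t.failed_children}; other DP requests in flight={others}")
    return f"inconclusive: hbac={t.hbac_verdict} code={code} {name}"


if __name__ == "__main__":
    print(verdict(triage(SECURE_LOG, SSSD_LOG)))
    print(verdict(triage(DENIED_SECURE_LOG, DENIED_SSSD_LOG)))
```

On the posted logs the script reports an ALLOW by ipa-alluser-access followed by PAM_SYSTEM_ERR (4) and one failed child in the same window, so the next thing to identify on that host is the failing child process, for instance by raising debug_level in sssd.conf and rerunning the login; on the contrast sample it reports a plain HBAC denial (6), which is what a real rule mismatch looks like.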
