[Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1
Jakub Hrozek
jhrozek at redhat.com
Thu Mar 16 08:05:58 UTC 2017
On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote:
> I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure
> if better to report to here or sssd mailing list. Also sssd in pagure is
> bare and I didn't want to sully the blank slate. (
> https://pagure.io/sssd/issues )
>
> The details:
>
> env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR
>
> On the IPA server:
>
> - "ipa hbactest ..." returns TRUE, so everything seems set up correctly.
>
>
> When I try to login to the test client, I get denied.
>
> On the test client:
>
> - hbac_eval_user_element is returning a wrong value. This is seen in
> sssd_domain.log, it's returning 25. My test user is in 37 groups. This is
> seen on the IPA server via id username. On the test client id username
> returns 36 groups, the one missing is an IPA (not AD) group that was made
> for HBAC rules. I have sanitized logs available.
>
> - taking ldbsearch -H /var/lib/sss/db/cache_domain.com.ldb
> '(objectclass=user)' and finding the record in question shows the same 36
> groups available. The missing group shouldn't affect ability to login via
> HBAC
>
> - getent group (groupname) works as expected. Also worth noting that the
> group missing from id username shows that user in getent.
>
> For reference, on the client the sssd service was stopped, the cache
> deleted, and the service started again the night before after which the
> server wasn't accessed by anyone. I find that this is necessary for the
> cache to populate.
>
> Should I put in a bug report against SSSD or FreeIPA?
>
> While HBAC is in FreeIPA, I think that this is an issue in SSSD
> (specifically ?
Yes, SSSD.
I remember you had some intermittent issues in the past, is this one
reproducible?
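The symptom described in the quoted report (a group that `getent group` says the user belongs to, but that `id username` on the client does not show) can be checked mechanically. The script below is an added example, not code from the thread, SSSD or FreeIPA; it compares the two views and prints the groups that disagree. The sample `id` and `getent` output is constructed inline; in real use you would feed it `id -Gn "$user"` and the `getent group <name>` lines for the groups you care about.

```shell
#!/bin/sh
# Added example (not from the thread): find groups that list a user in their
# getent entry but are absent from the user's `id -Gn` output. On a client
# that disagrees with the IPA server this is the discrepancy to hand to the
# SSSD logs (hbac_eval_user_element counts the groups `id` sees).

# Constructed sample standing in for `id -Gn alice` (space-separated names).
SAMPLE_ID_GROUPS="domain_users admins hbac_allowed"

# Constructed sample standing in for `getent group <name>` lines,
# format name:passwd:gid:member1,member2,...
SAMPLE_GETENT="domain_users:*:1001:alice,bob
admins:*:1002:alice
hbac_allowed:*:1003:alice
hbac_login:*:1004:alice,carol"

# groups_listing_user GETENT_TEXT USER
#   -> one line per group whose member field contains USER
groups_listing_user() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '{
        n = split($4, m, ",");
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# missing_from_id ID_GROUPS GETENT_TEXT USER
#   -> groups that list USER in getent but do not appear in ID_GROUPS
missing_from_id() {
    id_groups="$1"; getent_text="$2"; user="$3"
    groups_listing_user "$getent_text" "$user" | while read -r g; do
        case " $id_groups " in
            *" $g "*) ;;                 # consistent: id knows the group
            *) printf '%s\n' "$g" ;;     # inconsistent: only getent knows it
        esac
    done
}

# Stand-alone run on the constructed data (prints "hbac_login").
missing_from_id "$SAMPLE_ID_GROUPS" "$SAMPLE_GETENT" alice
```

On a live client, call it as `missing_from_id "$(id -Gn "$u")" "$(getent group hbac_login hbac_allowed)" "$u"`, naming the groups explicitly: with SSSD's default `enumerate = false`, a bare `getent group` returns only local groups, so the IPA groups have to be looked up by name.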