Just to add an example of the behaviour I described: I configured an AD user group membership and granted it access via an HBAC rule. I waited approximately 2 hours and then, all of a sudden, it magically worked without me changing anything :). Below is the log excerpt from /var/log/secure that caught the moment when the HBAC rule seemingly started working with no action on my side:
Jul 6 14:15:19 idm-client sshd[4069]: fatal: Access denied for user j...@my.test.domain.com by PAM account configuration [preauth]
Jul 6 14:15:21 idm-client sshd[4073]: pam_sss(sshd:account): Access denied for user j...@my.test.domain.com: 6 (Permission denied)
Jul 6 14:15:21 idm-client sshd[4073]: fatal: Access denied for user j...@my.test.domain.com by PAM account configuration [preauth]
Jul 6 14:15:25 idm-client sshd[4077]: pam_sss(sshd:account): Access denied for user j...@my.test.domain.com: 6 (Permission denied)
Jul 6 14:15:25 idm-client sshd[4077]: fatal: Access denied for user j...@my.test.domain.com by PAM account configuration [preauth]
Jul 6 14:15:47 idm-client sshd[4082]: pam_sss(sshd:account): Access denied for user j...@my.test.domain.com: 6 (Permission denied)
Jul 6 14:15:47 idm-client sshd[4082]: fatal: Access denied for user j...@my.test.domain.com by PAM account configuration [preauth]
Jul 6 14:16:11 idm-client polkitd[9042]: Registered Authentication Agent for unix-process:4087:70613648 (system bus name :1.652 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 6 14:16:11 idm-client polkitd[9042]: Unregistered Authentication Agent for unix-process:4087:70613648 (system bus name :1.652, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 6 14:17:51 idm-client sshd[4104]: Accepted publickey for j...@my.test.domain.com from XXX.XXX.XXX.XXX port 58220 ssh2: RSA 63:32:b6:62:99:6c:4c:13:c6:ef:8b:16:6d:05:54:8e
Jul 6 14:17:51 idm-client sshd[4104]: pam_unix(sshd:session): session opened for user j...@my.test.domain.com by (uid=0)
Jul 6 14:17:54 idm-client sshd[4109]: Received disconnect from XXX.XXX.XXX.XXX: 11: disconnected by user
Jul 6 14:17:54 idm-client sshd[4104]: pam_unix(sshd:session): session closed for user j...@my.test.domain.com
_______________________________________________
FreeIPA-users mailing list -- 
freeipa-users@lists.fedorahosted.org
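A small log check, added here as an example and not part of the original post or of FreeIPA/SSSD: it walks /var/log/secure lines of the shape shown above, counts the pam_sss account denials per user and reports the gap between the first denial and the first accepted login, which is the number an admin wants when measuring how long an HBAC change takes to reach a client. The sample lines, the user name and the address are constructed placeholders modelled on the excerpt.

```python
import re
from datetime import datetime

# Constructed sample modelled on the excerpt in the post; the user name,
# address and key fingerprint are placeholders, not the poster's values.
SAMPLE_LOG = """\
Jul 6 14:15:21 idm-client sshd[4073]: pam_sss(sshd:account): Access denied for user user1@my.test.domain.com: 6 (Permission denied)
Jul 6 14:15:21 idm-client sshd[4073]: fatal: Access denied for user user1@my.test.domain.com by PAM account configuration [preauth]
Jul 6 14:15:47 idm-client sshd[4082]: pam_sss(sshd:account): Access denied for user user1@my.test.domain.com: 6 (Permission denied)
Jul 6 14:16:11 idm-client polkitd[9042]: Registered Authentication Agent for unix-process:4087:70613648
Jul 6 14:17:51 idm-client sshd[4104]: Accepted publickey for user1@my.test.domain.com from 192.0.2.10 port 58220 ssh2: RSA 00:11:22:33
Jul 6 14:17:51 idm-client sshd[4104]: pam_unix(sshd:session): session opened for user user1@my.test.domain.com by (uid=0)
"""

# Only sshd lines matter; the syslog timestamp carries no year.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Count the pam_sss line only, so each failed attempt is counted once
# (the matching "fatal: ... by PAM account configuration" line is skipped).
DENY_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+):")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from")


def parse_ts(ts, year):
    """Turn a syslog timestamp into a datetime, supplying the missing year."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def summarize(log_text, year=1970):
    """Per user: number of pam_sss account denials, time of the first denial,
    time of the first accepted login after it, and the gap in seconds."""
    users = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line (e.g. polkitd noise)
        ts, msg = parse_ts(m.group("ts"), year), m.group("msg")
        if d := DENY_RE.search(msg):
            u = users.setdefault(d.group("user"), {"denials": 0, "first_denied": None, "first_accepted": None})
            u["denials"] += 1
            u["first_denied"] = u["first_denied"] or ts
        elif a := ACCEPT_RE.search(msg):
            u = users.setdefault(a.group("user"), {"denials": 0, "first_denied": None, "first_accepted": None})
            if u["first_accepted"] is None and u["first_denied"] is not None and ts >= u["first_denied"]:
                u["first_accepted"] = ts
    for u in users.values():
        both = u["first_denied"] is not None and u["first_accepted"] is not None
        u["delay_seconds"] = (u["first_accepted"] - u["first_denied"]).total_seconds() if both else None
    return users


if __name__ == "__main__":
    for user, info in summarize(SAMPLE_LOG).items():
        print(user, info["denials"], "denials, first accepted after", info["delay_seconds"], "s")
```

Run it over a real file with `summarize(open("/var/log/secure").read(), year=2021)`; a user whose `delay_seconds` stays `None` never got in during the captured window.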