On Thu, Jul 06, 2017 at 02:29:34PM -0000, bogusmaster--- via FreeIPA-users 
wrote:
> Just to add an example of the behaviour I described: I configured an AD user's 
> group membership and granted him access via an HBAC rule. I waited approximately 
> 2 hours and then, all of a sudden, it magically worked without me changing 
> anything :). Below is the log excerpt from /var/log/secure which caught the 
> moment when the HBAC rule seemingly started working with no action on my side:


The ipa-client gets all its data from the IPA server and for efficiency
the lookup on the server goes via the SSSD cache on the server.

While on the client the user data is refreshed unconditionally during
authentication, the old data might still be in the cache on the server.
I would expect that when you call 'sss_cache -E' on the IPA server after
changing the group memberships, the client should see the new groups during
authentication and access should be granted.

HTH

bye,
Sumit

> 
> Jul  6 14:15:19 idm-client sshd[4069]: fatal: Access denied for user 
> j...@my.test.domain.com by PAM account configuration [preauth]
> Jul  6 14:15:21 idm-client sshd[4073]: pam_sss(sshd:account): Access denied 
> for user j...@my.test.domain.com: 6 (Permission denied)
> Jul  6 14:15:21 idm-client sshd[4073]: fatal: Access denied for user 
> j...@my.test.domain.com by PAM account configuration [preauth]
> Jul  6 14:15:25 idm-client sshd[4077]: pam_sss(sshd:account): Access denied 
> for user j...@my.test.domain.com: 6 (Permission denied)
> Jul  6 14:15:25 idm-client sshd[4077]: fatal: Access denied for user 
> j...@my.test.domain.com by PAM account configuration [preauth]
> Jul  6 14:15:47 idm-client sshd[4082]: pam_sss(sshd:account): Access denied 
> for user j...@my.test.domain.com: 6 (Permission denied)
> Jul  6 14:15:47 idm-client sshd[4082]: fatal: Access denied for user 
> j...@my.test.domain.com by PAM account configuration [preauth]
> Jul  6 14:16:11 idm-client polkitd[9042]: Registered Authentication Agent for 
> unix-process:4087:70613648 (system bus name :1.652 [/usr/bin/pkttyagent 
> --notify-fd 5 --fallback], object path 
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Jul  6 14:16:11 idm-client polkitd[9042]: Unregistered Authentication Agent 
> for unix-process:4087:70613648 (system bus name :1.652, object path 
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) 
> (disconnected from bus)
> Jul  6 14:17:51 idm-client sshd[4104]: Accepted publickey for 
> j...@my.test.domain.com from XXX.XXX.XXX.XXX port 58220 ssh2: RSA 
> 63:32:b6:62:99:6c:4c:13:c6:ef:8b:16:6d:05:54:8e
> Jul  6 14:17:51 idm-client sshd[4104]: pam_unix(sshd:session): session opened 
> for user j...@my.test.domain.com by (uid=0)
> Jul  6 14:17:54 idm-client sshd[4109]: Received disconnect from 
> XXX.XXX.XXX.XXX: 11: disconnected by user
> Jul  6 14:17:54 idm-client sshd[4104]: pam_unix(sshd:session): session closed 
> for user j...@my.test.domain.com
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
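An added check, not code from the thread: it parses lines in the /var/log/secure format quoted above and reports, per user, how many pam_sss account denials occurred and how long it took until the first accepted login that followed. A long gap with no admin change is the stale-server-cache symptom Sumit describes. The log lines, user name and client address below are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample modelled on the /var/log/secure excerpt in the thread
# (user name, address and key fingerprint are placeholders, not values from the post).
SAMPLE_LOG = """\
Jul  6 14:15:21 idm-client sshd[4073]: pam_sss(sshd:account): Access denied for user jdoe@my.test.domain.com: 6 (Permission denied)
Jul  6 14:15:21 idm-client sshd[4073]: fatal: Access denied for user jdoe@my.test.domain.com by PAM account configuration [preauth]
Jul  6 14:15:25 idm-client sshd[4077]: pam_sss(sshd:account): Access denied for user jdoe@my.test.domain.com: 6 (Permission denied)
Jul  6 14:15:47 idm-client sshd[4082]: pam_sss(sshd:account): Access denied for user jdoe@my.test.domain.com: 6 (Permission denied)
Jul  6 14:17:51 idm-client sshd[4104]: Accepted publickey for jdoe@my.test.domain.com from 192.0.2.10 port 58220 ssh2: RSA SHA256:placeholder
Jul  6 14:17:51 idm-client sshd[4104]: pam_unix(sshd:session): session opened for user jdoe@my.test.domain.com by (uid=0)
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
# Only the pam_sss account-phase denial counts; the sshd "fatal:" line is its echo.
DENY = re.compile(TS + r" \S+ sshd\[\d+\]: pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+)")
ACCEPT = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from ")


def parse_ts(ts, year=2017):
    # syslog timestamps carry no year; the caller supplies one (2017 matches the thread)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def hbac_deny_report(log_text, year=2017):
    """Per user: number of pam_sss account denials, and the seconds between the
    first denial and the first accepted login after it (None if none followed)."""
    report = {}
    empty = lambda: {"denials": 0, "first_deny": None, "first_accept": None}
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m:
            r = report.setdefault(m["user"], empty())
            r["denials"] += 1
            if r["first_deny"] is None:
                r["first_deny"] = parse_ts(m["ts"], year)
            continue
        m = ACCEPT.search(line)
        if m:
            r = report.setdefault(m["user"], empty())
            if r["first_accept"] is None and r["first_deny"] is not None:
                r["first_accept"] = parse_ts(m["ts"], year)
    for r in report.values():
        r["gap_seconds"] = ((r["first_accept"] - r["first_deny"]).total_seconds()
                            if r["first_deny"] and r["first_accept"] else None)
    return report


if __name__ == "__main__":
    for user, r in hbac_deny_report(SAMPLE_LOG).items():
        print(f"{user}: {r['denials']} denials, first accept after {r['gap_seconds']} s")
```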