Joined new ipa-client, RHEL 7.8, IPA VERSION: 4.6.6

Have many ipa-joined hosts on the same version, using the same sssd.conf/krb5.conf configs and members of the same HBAC group associated with the same HBAC rule, with no issues; only this one host.

Same issue for both IPA & AD users for this host.
id & getent will pull IPA & AD users' group memberships without issue from said host.
Kinit works for IPA & AD users without issue from said host.
Testing with `ipa hbactest` outputs desired results for sshd & login services for this host.
SSH is a no-go for both IPA & AD users, with the below logged each time an SSH attempt is made.

[sssd[be[ipa.domain.com]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [[email protected]]
[sssd[be[ipa.domain.com]]] [sdap_account_expired_rhds] (0x4000): Account for user [[email protected]] is not locked.
[sssd[be[ipa.domain.com]]] [sdap_account_expired] (0x0400): IPA access control succeeded, checking AD access control
[sssd[be[ipa.domain.com]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [[email protected]]
[sssd[be[ipa.domain.com]]] [sdap_account_expired_ad] (0x4000): User account control for user [[email protected]] is [200].
[sssd[be[ipa.domain.com]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [[email protected]] is [9223372036854775807].
[sssd[be[ipa.domain.com]]] [ipa_fetch_hbac_send] (0x4000): Connection status is [online].
[sssd[be[ipa.domain.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
[sssd[be[ipa.domain.com]]] [sdap_print_server] (0x2000): Searching <freeipa-master-ip-address>:389
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=freeipa-client.ipa.domain.com))][cn=accounts,dc=ipa,dc=domain,dc=com].
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
[sssd[be[ipa.domain.com]]] [sdap_op_add] (0x2000): New operation 14 timeout 60
[sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55fcd97b0b90], connected[1], ops[0x55fcd979c7e0], ldap[0x55fcd9781e30]
[sssd[be[ipa.domain.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[ipa.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sssd[be[ipa.domain.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
[sssd[be[ipa.domain.com]]] [sdap_op_destructor] (0x2000): Operation 14 finished
[sssd[be[ipa.domain.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
[sssd[be[ipa.domain.com]]] [ipa_pam_access_handler_done] (0x0020): No HBAC rules find, denying access
[sssd[be[ipa.domain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #11]: Request handler finished [0]: Success
[sssd[be[ipa.domain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #11]: Receiving request data.
[sssd[be[ipa.domain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #11]: Request removed.
[sssd[be[ipa.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
[sssd[be[ipa.domain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #11]: Sending result [6][example.com]
[sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55fcd97b0b90], connected[1], ops[(nil)], ldap[0x55fcd9781e30]
[sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
sshd[2750]: pam_sss(sshd:account): Access denied for user [email protected]: 6 (Permission denied)

$ ipa hbactest
User name: [email protected]
Target host: freeipa-client.ipa.domain.com
Service: sshd
--------------------
Access granted: True
--------------------
Matched rules: allow_admin_all

Any help is much appreciated... stuck

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
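The log above shows the decisive step of sssd's client-side HBAC evaluation: before matching any rule, the IPA provider looks up the client's own host entry by fqdn (`(&(objectClass=ipaHost)(fqdn=...))`) and gets `Total count [0]`, after which it logs "No HBAC rules find, denying access". `ipa hbactest`, by contrast, is evaluated on the server against whatever `--host` value it is given, so the two can disagree when the name sssd uses (`ipa_hostname` in sssd.conf, or the system hostname when that is unset) does not match an existing host entry. The Python script below is an added example, not code from the original post nor part of FreeIPA or SSSD: it parses the relevant debug lines, extracts the host search and its result count, compares the searched fqdn with the host name passed to `ipa hbactest`, and builds the `ldapsearch` that reproduces sssd's query so it can be run by hand. The embedded log text is the sample quoted in the post, trimmed; the server name `ipa-master.ipa.domain.com` in the usage call is an assumption.

```python
"""Explain an sssd "No HBAC rules find" denial from the be[] debug log.

Added example for the thread above; it is not FreeIPA or SSSD code.
"""
import re
import shlex

# Constructed sample: the relevant be[ipa.domain.com] lines quoted in the post,
# one per line, with the "[sssd[be[...]]]" process prefix dropped.
SAMPLE_LOG = """\
[ipa_fetch_hbac_send] (0x4000): Connection status is [online].
[sdap_print_server] (0x2000): Searching <freeipa-master-ip-address>:389
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=freeipa-client.ipa.domain.com))][cn=accounts,dc=ipa,dc=domain,dc=com].
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sdap_get_generic_op_finished] (0x2000): Total count [0]
[ipa_pam_access_handler_done] (0x0020): No HBAC rules find, denying access
"""

SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.+?)\]\[(?P<base>[^\]]+)\]")
COUNT_RE = re.compile(r"Total count \[(?P<n>\d+)\]")
FQDN_RE = re.compile(r"\(fqdn=(?P<fqdn>[^)]+)\)")
DENY_RE = re.compile(r"\[ipa_pam_access_handler_done\] \(0x0020\): (?P<msg>.+)")


def parse_host_lookup(log_text):
    """Return the ipaHost search sssd ran for the HBAC check and its outcome.

    Only the search whose filter contains objectClass=ipaHost is considered; the
    first "Total count" line after it is taken as that search's result count.
    """
    result = {"filter": None, "base": None, "fqdn": None, "count": None, "deny": None}
    in_host_search = False
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m and "objectClass=ipaHost" in m.group("filter"):
            result["filter"] = m.group("filter")
            result["base"] = m.group("base")
            fm = FQDN_RE.search(m.group("filter"))
            result["fqdn"] = fm.group("fqdn") if fm else None
            in_host_search = True
            continue
        m = COUNT_RE.search(line)
        if m and in_host_search and result["count"] is None:
            result["count"] = int(m.group("n"))
            continue
        m = DENY_RE.search(line)
        if m:
            result["deny"] = m.group("msg").strip()
    return result


def diagnose(lookup, hbactest_host):
    """Compare what sssd searched for with the host name given to `ipa hbactest`."""
    findings = []
    if lookup["fqdn"] is None:
        findings.append("no ipaHost search found in log")
        return findings
    if lookup["count"] == 0:
        # Without a host entry sssd has nothing to match rules against, so the
        # result is a deny no matter what the HBAC rules say.
        findings.append(
            "sssd found no host entry for fqdn=%s under %s; with no host entry "
            "no HBAC rule can match, so access is denied regardless of rules"
            % (lookup["fqdn"], lookup["base"]))
    if lookup["fqdn"].lower() != hbactest_host.lower():
        findings.append(
            "sssd searched for %s but ipa hbactest was run against %s; "
            "check ipa_hostname in sssd.conf and the system hostname"
            % (lookup["fqdn"], hbactest_host))
    return findings


def ldapsearch_command(lookup, server):
    """Build the ldapsearch that repeats sssd's host query with a Kerberos ticket.

    IPA host entries live under cn=computers,cn=accounts,$SUFFIX; sssd searched
    the subtree from cn=accounts, so the same base and a subtree scope are used.
    """
    args = ["ldapsearch", "-Y", "GSSAPI", "-H", "ldap://" + server,
            "-b", lookup["base"], "-s", "sub", lookup["filter"], "fqdn", "memberOf"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    lookup = parse_host_lookup(SAMPLE_LOG)
    for finding in diagnose(lookup, "freeipa-client.ipa.domain.com"):
        print("finding:", finding)
    # Assumed server name; run this on the client after `kinit` as an IPA user.
    print("reproduce with:", ldapsearch_command(lookup, "ipa-master.ipa.domain.com"))
```

The script deliberately separates the two questions a practitioner wants answered from this log: did the host entry lookup return anything at all, and was the fqdn sssd searched for the same name that `ipa hbactest` was told to evaluate. Running the generated `ldapsearch` from the affected client confirms the first directly against the directory; if it returns the entry while sssd's search does not, the next thing to compare is the name sssd is using.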
