On Thu, Aug 13, 2020 at 06:49:19PM -0000, David McDaniel via FreeIPA-users
wrote:
> Joined new ipa-client
> RHEL 7.8
> IPA VERSION: 4.6.6
>
> Have many ipa joined hosts on same vers, using same sssd.conf/krb5.conf
> configs and member of same HBAC group associated with same HBAC rule with no
> issues; only this one host
> Same issue for both IPA & AD users for this host
> id & getent will pull IPA & AD users group memberships without issue from
> said host
> Kinit works for IPA & AD users without issue from said host
> Testing with `ipa hbactest` outputs desired results for sshd & login services
> for this host
>
> SSH is a no go for both IPA & AD users, with the below logged each time an
> SSH attempt is made.
>
> [sssd[be[ipa.domain.com]]] [sdap_account_expired_rhds] (0x0400): Performing
> RHDS access check for user [[email protected]]
> [sssd[be[ipa.domain.com]]] [sdap_account_expired_rhds] (0x4000): Account for
> user [[email protected]] is not locked.
> [sssd[be[ipa.domain.com]]] [sdap_account_expired] (0x0400): IPA access
> control succeeded, checking AD access control
> [sssd[be[ipa.domain.com]]] [sdap_account_expired_ad] (0x0400): Performing AD
> access check for user [[email protected]]
> [sssd[be[ipa.domain.com]]] [sdap_account_expired_ad] (0x4000): User account
> control for user [[email protected]] is [200].
> [sssd[be[ipa.domain.com]]] [sdap_account_expired_ad] (0x4000): Expiration
> time for user [[email protected]] is [9223372036854775807].
> [sssd[be[ipa.domain.com]]] [ipa_fetch_hbac_send] (0x4000): Connection status
> is [online].
> [sssd[be[ipa.domain.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached
> connection
> [sssd[be[ipa.domain.com]]] [sdap_print_server] (0x2000): Searching
> <freeipa-master-ip-address>:389
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling
> ldap_search_ext with
> [(&(objectClass=ipaHost)(fqdn=freeipa-client.ipa.domain.com))][cn=accounts,dc=ipa,dc=domain,dc=com].
Hi,

I would suggest trying this search manually from the client:

kdestroy -A
kinit -k
ldapsearch -Y GSSAPI -H ldap://<freeipa-master-ip-address>:389 -b 'cn=accounts,dc=ipa,dc=domain,dc=com' '(&(objectClass=ipaHost)(fqdn=freeipa-client.ipa.domain.com))'

If this does not return any result, please try with a different fqdn of a
host where you know it is working. If this does not show a result either,
this specific client might not have the permissions to read the host
information from LDAP.

You can also run the same steps on a host which is working, with the fqdn
of the non-working host, to see if other hosts can read this entry. If
other hosts cannot read it either, try

kdestroy -A
kinit admin
ldapsearch -Y GSSAPI -H ldap://<freeipa-master-ip-address>:389 -b 'cn=accounts,dc=ipa,dc=domain,dc=com' '(&(objectClass=ipaHost)(fqdn=freeipa-client.ipa.domain.com))'

If this does return a result, then there are special permissions on this
host object preventing the clients from reading it.

bye,
Sumit
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> attrs: [objectClass]
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> attrs: [cn]
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> attrs: [fqdn]
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> attrs: [serverHostname]
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> attrs: [memberOf]
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> attrs: [ipaSshPubKey]
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> attrs: [ipaUniqueID]
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x2000):
> ldap_search_ext called, msgid = 14
> [sssd[be[ipa.domain.com]]] [sdap_op_add] (0x2000): New operation 14 timeout 60
> [sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace:
> sh[0x55fcd97b0b90], connected[1], ops[0x55fcd979c7e0], ldap[0x55fcd9781e30]
> [sssd[be[ipa.domain.com]]] [sdap_process_message] (0x4000): Message type:
> [LDAP_RES_SEARCH_RESULT]
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search
> result: Success(0), no errmsg set
> [sssd[be[ipa.domain.com]]] [sdap_get_generic_op_finished] (0x2000): Total
> count [0]
> [sssd[be[ipa.domain.com]]] [sdap_op_destructor] (0x2000): Operation 14
> finished
> [sssd[be[ipa.domain.com]]] [sdap_id_op_done] (0x4000): releasing operation
> connection
> [sssd[be[ipa.domain.com]]] [ipa_pam_access_handler_done] (0x0020): No HBAC
> rules find, denying access
> [sssd[be[ipa.domain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account
> #11]: Request handler finished [0]: Success
> [sssd[be[ipa.domain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account
> #11]: Receiving request data.
> [sssd[be[ipa.domain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM
> Account #11]: Request removed.
> [sssd[be[ipa.domain.com]]] [dp_req_destructor] (0x0400): Number of active DP
> request: 0
> [sssd[be[ipa.domain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account
> #11]: Sending result [6][example.com]
> [sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace:
> sh[0x55fcd97b0b90], connected[1], ops[(nil)], ldap[0x55fcd9781e30]
> [sssd[be[ipa.domain.com]]] [sdap_process_result] (0x2000): Trace: end of
> ldap_result list
>
>
> sshd[2750]: pam_sss(sshd:account): Access denied for user
> [email protected]: 6 (Permission denied)
>
>
> $ ipa hbactest
> User name: [email protected]
> Target host: freeipa-client.ipa.domain.com
> Service: sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: allow_admin_all
>
>
> Any help is much appreciated...stuck
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
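As an added illustration (not code from the thread or from SSSD), the Python below pairs each `ldap_search_ext` call in an sssd_be debug log with its `Total count` line and flags the pattern the original post shows: the client's own ipaHost lookup returning zero entries immediately before `No HBAC rules find, denying access`. The log lines are constructed to mirror the quoted log, and `diagnose_hbac_denial` and `pair_searches` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the sssd_be debug log quoted in the thread
# (abridged, not the post's verbatim lines).
SAMPLE_LOG = """\
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=freeipa-client.ipa.domain.com))][cn=accounts,dc=ipa,dc=domain,dc=com].
[sssd[be[ipa.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
[sssd[be[ipa.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sssd[be[ipa.domain.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
[sssd[be[ipa.domain.com]]] [ipa_pam_access_handler_done] (0x0020): No HBAC rules find, denying access
"""

SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>[^\]]*)\]\[(?P<base>[^\]]*)\]")
COUNT_RE = re.compile(r"Total count \[(?P<count>\d+)\]")
DENY_RE = re.compile(r"No HBAC rules find, denying access")
FQDN_RE = re.compile(r"\(fqdn=([^)]+)\)")


def pair_searches(log_text):
    """Pair each ldap_search_ext call with the next 'Total count [N]' line.
    sssd_be logs filter and base when the search is issued and the entry count
    when the result arrives, so a sequential walk suffices for one request."""
    pending, paired = None, []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            pending = {"filter": m["filter"], "base": m["base"], "count": None}
            continue
        m = COUNT_RE.search(line)
        if m and pending is not None:
            pending["count"] = int(m["count"])
            paired.append(pending)
            pending = None
    return paired


def diagnose_hbac_denial(log_text):
    """Hypothetical helper (not SSSD code): classify an HBAC denial.
    'denied': the denial line is present. 'unreadable_host': fqdn whose ipaHost
    lookup returned zero entries (the client cannot read its own host object,
    the symptom in the thread); None when HBAC rules simply did not match."""
    verdict = {"denied": DENY_RE.search(log_text) is not None, "unreadable_host": None}
    if not verdict["denied"]:
        return verdict
    for s in pair_searches(log_text):
        if "objectClass=ipaHost" in s["filter"] and s["count"] == 0:
            m = FQDN_RE.search(s["filter"])
            verdict["unreadable_host"] = m.group(1) if m else "<unknown fqdn>"
            break
    return verdict
```

When `unreadable_host` is set, the fqdn it returns is the one to plug into the manual ldapsearch check above (first with the host keytab, then as admin) to tell a missing entry from a read-permission problem.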