On Thu, May 04, 2023 at 06:49:06AM -0000, Finn Fysj via FreeIPA-users wrote:
> I've tried to install and re-install the IPAserver on my node. Even tried to
> re-provision it. When I look in the SSSD log for my domain I get the
> following:
>
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_get_generic_ext_step] (0x2000): [RID#16] ldap_search_ext called, msgid = 48
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_op_add] (0x2000): [RID#16] New operation 48 timeout 60
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: sh[0x560c8dff6e30], connected[1], ops[0x560c8e064050], ldap[0x560c8e0abcc0]
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_process_result] (0x2000): Trace: sh[0x560c8dff6e30], connected[1], ops[0x560c8e064050], ldap[0x560c8e0abcc0]
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_process_message] (0x4000): [RID#16] Message type: [LDAP_RES_SEARCH_RESULT]
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_get_generic_op_finished] (0x0400): [RID#16] Search result: Success(0), no errmsg set
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_get_generic_op_finished] (0x2000): [RID#16] Total count [0]
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_op_destructor] (0x2000): [RID#16] Operation 48 finished
> * (2023-05-04 6:30:59): [be[lab.local]] [ipa_hbac_rule_info_done] (0x0400): [RID#16] No rules apply to this host
> * (2023-05-04 6:30:59): [be[lab.local]] [sdap_id_op_done] (0x4000): [RID#16] releasing operation connection
> * (2023-05-04 6:30:59): [be[lab.local]] [ipa_pam_access_handler_done] (0x0020): [RID#16] No HBAC rules found, denying access
> ********************** BACKTRACE DUMP ENDS HERE *********************************

Hi,

the above is part of the access control when a user is trying to log in. As
the messages say, there are no HBAC rules defined and hence access is denied.
By default there are:

# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: True

  Rule name: allow_systemd-user
  User category: all
  Host category: all
  Description: Allow pam_systemd to run [email protected] to create a system user session
  Enabled: True
----------------------------
Number of entries returned 2
----------------------------

defined. So it is expected that there are always some rules defined. Please
check your HBAC rules.

HTH

bye,
Sumit

>
> (2023-05-04 6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
> (2023-05-04 6:39:00): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)
> (2023-05-04 6:39:00): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
> (2023-05-04 6:41:04): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
> (2023-05-04 6:41:04): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)
> (2023-05-04 6:41:04): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
> (2023-05-04 6:43:33): [be[lab.local]] [orderly_shutdown] (0x3f7c0): SIGTERM: killing children
> (2023-05-04 6:43:33): [be[lab.local]] [orderly_shutdown] (0x3f7c0): Shutting down (status = 0)
> (2023-05-04 6:43:33): [be[lab.local]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
>
> I tried to turn the debug_level = 8 and 9, without any good results. The look
> doesn't change when I try to login or run any "privileged" commands.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
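
The denial discussed in this thread can be picked out of an SSSD domain log by grouping lines on their [RID#n] request tag and reporting each request that ends in "denying access". This is an added example, not part of the original thread and not SSSD or FreeIPA code; the name hbac_denials and the RID#17 sample line are constructed, while the other sample lines repeat messages from the log quoted above.

```python
import re
from collections import defaultdict

# SSSD domain-log line: (timestamp): [be[domain]] [function] (level): [RID#n] message
LINE_RE = re.compile(
    r"\((?P<ts>\d{4}-\d{2}-\d{2}\s+\d{1,2}:\d{2}:\d{2})\):\s+"
    r"\[be\[(?P<domain>[^\]]+)\]\]\s+\[(?P<func>\w+)\]\s+"
    r"\(0x[0-9a-fA-F]+\):\s+(?:\[RID#(?P<rid>\d+)\]\s+)?(?P<msg>.*)"
)

# Sample input: RID#16 lines as quoted in the thread, RID#17 line constructed.
SAMPLE = """\
 * (2023-05-04 6:30:59): [be[lab.local]] [sdap_get_generic_op_finished] (0x2000): [RID#16] Total count [0]
 * (2023-05-04 6:30:59): [be[lab.local]] [ipa_hbac_rule_info_done] (0x0400): [RID#16] No rules apply to this host
 * (2023-05-04 6:30:59): [be[lab.local]] [ipa_pam_access_handler_done] (0x0020): [RID#16] No HBAC rules found, denying access
(2023-05-04 6:31:10): [be[lab.local]] [sdap_get_generic_op_finished] (0x2000): [RID#17] Total count [2]
"""

def hbac_denials(log_text):
    """Return one record per request that SSSD denied in the access handler."""
    by_request = defaultdict(list)   # (domain, rid) -> [(ts, func, msg)]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)     # search(): tolerate the "*" backtrace prefix
        if m and m["rid"]:           # lines without a request id are skipped
            by_request[(m["domain"], int(m["rid"]))].append(
                (m["ts"], m["func"], m["msg"].strip()))
    denials = []
    for (domain, rid), events in by_request.items():
        denied = [e for e in events
                  if e[1] == "ipa_pam_access_handler_done" and "denying access" in e[2]]
        if not denied:
            continue
        # "Total count [N]": result count of each LDAP search run under this request
        counts = [int(c) for e in events
                  for c in re.findall(r"Total count \[(\d+)\]", e[2])]
        denials.append({
            "time": denied[0][0], "domain": domain, "rid": rid,
            "no_rules_for_host": any(
                e[1] == "ipa_hbac_rule_info_done" and "No rules apply" in e[2]
                for e in events),
            "search_counts": counts,
        })
    return denials

if __name__ == "__main__":
    for record in hbac_denials(SAMPLE):
        print(record)
```

A record with no_rules_for_host set and a search count of 0 matches the case in this thread, where the HBAC rule search returned nothing for the host.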
