> I'm setting up a server + replica and I've migrated data from an old IPA
> server using ipa migrate-ds.
> I experience problems with SSH into my IPA servers, even though I have HBAC
> rules to allow this:
>
> $ ssh test_alice@ipa-test.example.com -i test_alice
> Connection closed by 192.168.10.24 port 22
>
> $ ssh test_alice@ipa-test.example.com
> (test_alice@ipa-test.example.com) Password:
>
> [usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com --service=ssh
> --------------------
> Access granted: True
> --------------------
> Matched rules: allow_alice
>
> [usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
> -------------------
> 1 HBAC rule matched
> -------------------
>   dn: ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
>   Rule name: allow_alice
>   Host category: all
>   Service category: all
>   Enabled: True
>   Users: test_alice
>   accessruletype: allow
>
> [usr@ipa-test ~]$ ipa user-find test_alice --all
> --------------
> 1 user matched
> --------------
>   dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
>   User login: test_alice
>   First name: Alice
>   Last name: Test
>   Full name: Alice Test
>   Display name: Alice Test
>   Initials: AT
>   Home directory: /home/test_alice
>   GECOS: Alice Test
>   Login shell: /bin/sh
>   Principal name: test_alice@EXAMPLE.COM
>   Principal alias: test_alice@EXAMPLE.COM
>   Email address: test_alice@example.com
>   UID: 5002
>   GID: 5002
>   SSH public key: ssh-rsa AAAAB3N........... test_alice
>
> Previously using FreeIPA I have been able to find "denying access" in log
> files because of not matching HBAC rules. Now I can't find any trace of this,
> even with debug_level = 10 in /etc/sssd/sssd.conf (domain, ssh, pam, sssd section).
Turns out I have Anonymous Permissions that mess this up. Removing the following permissions, I can successfully SSH using test_alice:

$ ipa permission-find Anonymous
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

I have a third one, but that isn't causing issues:

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2
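The two permissions the reply above had to remove are anonymous-bind permissions whose effective attributes include member or memberof. As an added example that is not part of the thread, the POSIX shell script below parses `ipa permission-find` output and flags any anonymous permission exposing those attributes, so the check can be rerun after a migration instead of being discovered through failed SSH logins. The sample output embedded in the script is constructed from the entries quoted in the reply, and the `--bindtype=anonymous` filter mentioned in the comments is an assumption; the thread itself only shows a search by name.

```shell
#!/bin/sh
# Added example, not from the thread: audit anonymous-bind IPA permissions for
# group-membership attributes (member, memberof), the attributes found on the
# two permissions the reply above removed to get SSH logins working again.
#
# On a live server the input would come from the real command, e.g.
#   ipa permission-find --bindtype=anonymous --all | find_risky_anon_permissions
# (--bindtype is an assumed filter; the thread only shows a search by name).
# The text below is constructed sample output modelled on the reply.

SAMPLE_OUTPUT=$(cat <<'EOF'
----------------------
3 permissions matched
----------------------
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2
----------------------------
Number of entries returned 3
----------------------------
EOF
)

# Reads `ipa permission-find` output on stdin and prints, one per line, the
# name of every permission whose bind rule is anonymous and whose effective
# attributes include member or memberof. Entries are blank-line separated.
find_risky_anon_permissions() {
  awk '
    BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one entry per record
    {
      name = ""; bind = ""; attrs = ""
      for (i = 1; i <= NF; i++) {
        line = $i
        sub(/^[ \t]+/, "", line)   # drop the two-space field indent
        if (line ~ /^Permission name: /)           name  = substr(line, 18)
        else if (line ~ /^Bind rule type: /)       bind  = substr(line, 17)
        else if (line ~ /^Effective attributes: /) attrs = substr(line, 23)
      }
      # match member or memberof as a whole item of the comma-separated list
      if (bind == "anonymous" && attrs ~ /(^|, )(member|memberof)(,|$)/) print name
    }'
}

# Returns 1 when any risky permission is found (names on stdout), 0 otherwise,
# so it can gate a post-migration verification step.
check_anon_permissions() {
  found=$(find_risky_anon_permissions)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

printf '%s\n' "$SAMPLE_OUTPUT" | check_anon_permissions \
  || echo "anonymous permissions exposing membership attributes found; review them"
```

Run against the sample it lists Anonymous Group and Anonymous User and leaves Anonymous PubKey alone, matching what the reply observed; on a real server pipe the live `ipa permission-find` output into `check_anon_permissions` and treat a non-zero exit as something to review before trusting `ipa hbactest` results.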
