On 09/06/2011 08:37 PM, Stephen Gallagher wrote:
> On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote:
> > When I attempt a login with a user account that's being denied access to the
> > host via HBAC, I receive the following generic error message.
> >
> > Sep 6 20:02:03 ipa01 sshd: pam_sss(sshd:account): Access denied for user username: 4 (System error)
> >
> > Would it be an idea to change this to advise that the user login was
> > denied due to HBAC rules? I see this is a bit confusing.
>
> "System error" means that something went wrong with processing. It
> defaults to DENY (to be safe), but it's actually an error.
>
> What version of SSSD are you running on the client? We fixed a fair
> number of HBAC bugs in the 1.5.13 release (which is currently in the
> updates-testing repos for F14, F15 and F16).

I see there are some problems. :)

I cannot log in if not exactly the user is mentioned and exactly the host
mentioned in the rule. If I attempt to use user groups and host groups
in an HBAC rule, I receive the error above. Was there a related bug fixed

Freeipa-users mailing list
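
The distinction drawn in the thread (a denial caused by a processing error that fails closed, versus a denial produced by an access rule) can be pulled out of the logs by the numeric PAM code at the end of the pam_sss line. This is an added example, not part of the original thread or of SSSD; it assumes the Linux-PAM return codes 4 (`PAM_SYSTEM_ERR`) and 6 (`PAM_PERM_DENIED`), and all sample lines other than the first are constructed.

```python
import re

# Linux-PAM return codes (assumed from Linux-PAM; only the two relevant here).
PAM_SYSTEM_ERR = 4    # "System error": processing failed, access denied to fail closed
PAM_PERM_DENIED = 6   # "Permission denied": an access rule rejected the user

# Matches the pam_sss account-phase denial line quoted in the thread.
DENIAL = re.compile(
    r"pam_sss\((?P<service>[^:)]+):account\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

def classify(line):
    """Return (user, service, verdict) for a pam_sss denial line, else None."""
    m = DENIAL.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    if code == PAM_PERM_DENIED:
        verdict = "policy-deny"          # review the HBAC rules
    elif code == PAM_SYSTEM_ERR:
        verdict = "error-fail-closed"    # investigate SSSD, not the rules
    else:
        verdict = "other-%d" % code
    return m.group("user"), m.group("service"), verdict

def triage(lines):
    """Group denied (user, service) pairs by verdict."""
    report = {}
    for line in lines:
        hit = classify(line)
        if hit:
            user, service, verdict = hit
            report.setdefault(verdict, []).append((user, service))
    return report

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE = [
    "Sep 6 20:02:03 ipa01 sshd: pam_sss(sshd:account): Access denied for user username: 4 (System error)",
    "Sep 6 20:05:41 ipa01 sshd: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)",
    "Sep 6 20:06:10 ipa01 sshd: Accepted password for bob from 192.0.2.10 port 50514 ssh2",
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE).items():
        print(verdict, hits)
```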