On Tue, 2011-09-06 at 20:58 +0200, Sigbjorn Lie wrote: > On 09/06/2011 08:37 PM, Stephen Gallagher wrote: > > On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote: > >> Hi, > >> > >> I attempt a login with a user account that's being denied access to the > >> host via HBAC, I receive the following generic error message. > >> > >> Sep 6 20:02:03 ipa01 sshd: pam_sss(sshd:account): Access denied > >> for user username: 4 (System error) > >> > >> > >> Would it be an idea to change this to advise that the user login was > >> denied due to HBAC rules? I see this is a bit confusing. > > > > "System error" means that something went wrong with processing. It > > defaults to DENY (to be safe), but it's actually an error. > > > > What version of SSSD are you running on the client? We fixed a fair > > number of HBAC bugs in the 1.5.13 release (which is currently in the > > updates-testing repos for F14, F15 and F16). > > sssd-1.5.12-1.fc15.x86_64 > sssd-client-1.5.12-1.fc15.x86_64 > > I see there's some problems. :) > > I cannot log in if no exactly the user is mentioned and exactly the host > mentioned in the rule. If I attempt to use user groups and host groups > in a hbac rule, I receive the error above. Was there a related bug fixed > in 1.5.13?
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13 Yes, there were three HBAC bugs fixed. User groups and host groups now work properly. (The other bug was related to groups with no mumbers). Please try sssd-1.5.13-1.fc15.2 from updates-testing (actually, it looks like it hasn't hit the mirrors yet, so wait a day or so).
Description: This is a digitally signed message part
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users