On 09/06/2011 09:08 PM, Stephen Gallagher wrote:
On Tue, 2011-09-06 at 20:58 +0200, Sigbjorn Lie wrote:
On 09/06/2011 08:37 PM, Stephen Gallagher wrote:
On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote:
Hi,

When I attempt a login with a user account that's being denied access to the
host via HBAC, I receive the following generic error message.

Sep  6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied for user username: 4 (System error)


Would it be an idea to change this to advise that the user login was
denied due to HBAC rules? I see this is a bit confusing.
"System error" means that something went wrong with processing. It
defaults to DENY (to be safe), but it's actually an error.

What version of SSSD are you running on the client? We fixed a fair
number of HBAC bugs in the 1.5.13 release (which is currently in the
updates-testing repos for F14, F15 and F16).
sssd-1.5.12-1.fc15.x86_64
sssd-client-1.5.12-1.fc15.x86_64

I see there's some problems. :)

I cannot log in if not exactly the user is mentioned and exactly the host
mentioned in the rule. If I attempt to use user groups and host groups
in a hbac rule, I receive the error above. Was there a related bug fixed
in 1.5.13?
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13

Yes, there were three HBAC bugs fixed. User groups and host groups now
work properly. (The other bug was related to groups with no members).

Please try sssd-1.5.13-1.fc15.2 from updates-testing (actually, it looks
like it hasn't hit the mirrors yet, so wait a day or so).


Ok, thank you. :)

Rgds,
Siggi

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
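
Added example, not part of the original thread or of SSSD: a small log triage that separates pam_sss account-phase denials caused by a processing failure (PAM code 4, "System error", which fails closed as described above) from real policy denials (PAM code 6, "Permission denied"). The numeric codes are Linux-PAM's; the second and third sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Linux-PAM return codes (from Linux-PAM's _pam_types.h).
PAM_SYSTEM_ERR = 4    # processing failed; access is denied only as a safe default
PAM_PERM_DENIED = 6   # access rules were evaluated and denied the user

# Matches the pam_sss account-phase message format shown in the thread.
LINE_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):account\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

KINDS = {PAM_SYSTEM_ERR: "processing_error", PAM_PERM_DENIED: "policy_denial"}


def classify(line):
    """Return a dict describing a pam_sss denial, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    return {
        "service": m.group("service"),
        "user": m.group("user"),
        "code": code,
        "kind": KINDS.get(code, "other"),
    }


def triage(lines):
    """Classify every matching line and count denials per kind."""
    results = [r for r in (classify(l) for l in lines) if r is not None]
    return results, Counter(r["kind"] for r in results)


# First line is the one quoted in the thread; the other two are constructed.
SAMPLE_LOG = [
    "Sep  6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied for user username: 4 (System error)",
    "Sep  6 20:05:41 ipa01 sshd[11630]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)",
    "Sep  6 20:06:10 ipa01 sshd[11655]: Accepted password for bob from 192.0.2.10 port 50222 ssh2",
]

if __name__ == "__main__":
    results, counts = triage(SAMPLE_LOG)
    for r in results:
        print(f"{r['user']:10} {r['service']:6} code={r['code']} -> {r['kind']}")
    print(dict(counts))
```

Lines classified as `processing_error` point at a client or configuration fault to investigate rather than at an access rule that needs changing.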
