On Sun, Dec 11, 2011 at 11:49:46PM +0100, Sigbjorn Lie wrote:
> On the other hand, even though looking up users, groups and
> netgroups seems fine, I cannot log in. Neither at the console, su, or
> ssh. Was there an issue with HBAC rules in SSSD 1.5.13?
> 
> Dec 11 21:13:32 mint12 su[6769]: pam_sss(su:account): Access denied
> for user test: 6 (Permission denied)
> 
> 
> 
> Rgds,
> Siggi
> 

Yes, there were a number of HBAC-related fixes since 1.5.13. The
following commits touched files in src/providers/ipa/ipa_hbac*.[ch]:

* Add a missing break (9077c3ebec92454d8ed949491c4ca89ed6cdf75a)
* Do not access memory out of bounds
  (a2a954c4186aaa9e9dd027aebb986062fc5670e7)
* HBAC: fix typos preventing proper hostgroup evaluation
  (28a9f96c3f9e6aa30fb1cbbbb33fe2ee2b1d7ef6)
* HBAC: Do not save member/memberOf links
  (d14a28835223c0578b0a28a8c74d11777c50bcb9)
* HBAC: Use originalMember for identifying servicegroups
  (d74b59b13208fa9508baaf5a1a5172fecad321ae)
* HBAC: Use originalMember for identifying hostgroups
  (7c77e790204f82bce88dd6ecd237c941a9389349)

Obviously, the Ubuntu package might have backported some of these into
their 1.5.13 distribution package. The list was taken from the upstream
1.5 branch.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users