Shawn wrote:
[root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd
--------------------
Access granted: True
--------------------
   Matched rules: allow_all
[root@freeipa ~]#


└─> ssh myus...@ec2-54-xxx.xxx.compute-1.amazonaws.com -i /home/user/.ssh/key
Connection closed by 54x.x.x.x

(client server logs)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)
Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration


(client ipa versions)
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64


(master ipa versions)
[root@freeipa ~]# rpm -qa |grep ipa-

ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@freeipa ~]#

An error is occurring somewhere, which is why access is denied. This isn't HBAC; that looks like:

pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)

You need to crank up debugging in sssd and see what its logs say.

rob
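
The distinction drawn in the reply above (code 4 "System error" versus code 6 "Permission denied" in the pam_sss message) can be applied across a whole auth log. The script below is an added example, not part of the original messages or of FreeIPA/SSSD; the function names are hypothetical and the sample lines are constructed from the two messages quoted in the thread.

```python
import re
from collections import Counter

# pam_sss(<service>:<phase>): Access denied for user <name>: <code> (<text>)
PAM_SSS_DENY = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>[^)]+)\):\s+"
    r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

PAM_SYSTEM_ERR = 4   # the access check itself failed; look at the SSSD logs
PAM_PERM_DENIED = 6  # a policy decision such as an HBAC rule denied access


def classify(code):
    """Map the PAM return code in a pam_sss denial to a triage bucket."""
    if code == PAM_PERM_DENIED:
        return "policy-denial"
    if code == PAM_SYSTEM_ERR:
        return "sssd-error"
    return "other"


def parse_denials(lines):
    """Return one dict per pam_sss 'Access denied' line; skip everything else."""
    denials = []
    for line in lines:
        m = PAM_SSS_DENY.search(line)
        if m is None:
            continue
        code = int(m.group("code"))
        denials.append({"service": m.group("service"), "phase": m.group("phase"),
                        "user": m.group("user"), "code": code,
                        "verdict": classify(code)})
    return denials


def summarize(denials):
    """Count denials per (user, verdict) so error-type failures stand out."""
    return Counter((d["user"], d["verdict"]) for d in denials)


# Constructed sample: messages from the thread; second timestamp/pid invented.
SAMPLE_LOG = [
    "Apr 10 13:59:04 ip-10-152-174-17 sshd[22868]: pam_sss(sshd:account): Access denied for user myuser: 4 (System error)",
    "Apr 10 13:59:04 ip-10-152-174-17 sshd[22872]: fatal: Access denied for user client by PAM account configuration",
    "Apr 10 14:02:11 ip-10-152-174-17 sshd[22901]: pam_sss(sshd:account): Access denied for user admin: 6 (Permission denied)",
]

if __name__ == "__main__":
    for (user, verdict), n in sorted(summarize(parse_denials(SAMPLE_LOG)).items()):
        print(f"{user}: {verdict} x{n}")
```
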


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
