On Fri, Aug 02, 2013 at 12:55:12PM -0500, KodaK wrote:
> First, before we go any further: is it supported to use
> sssd when the client machine's domain differs from
> the realm name? If not, then the rest of this is moot.
>
> Client box is a RHEL 5.something. I didn't do "ipa-client-install"
> because I wanted to configure by hand as a test. The client
> box has a DNS name of stlmoracsbx01.domain.com, and the
> realm is UNIX.DOMAIN.COM
>
> I've configured the box with sssd, and I can log in with my personal
> credentials because I have a wide-open rule for admins.
>
> I've created a simple rule for a test user, and it's not working.
>
> [xxx@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
>   Rule name: stlmoracsbx01-access
>   Source host category: all
>   Service category: all
>   Enabled: TRUE
>   Users: testuser
>   Hosts: stlmoracsbx01.domain.com
>
> However:
>
> [xxx@slpidml01 ~]$ ipa hbactest --user=testuser --host=stlmoracsbx01.domain.com --service=sshd
> ---------------------
> Access granted: False
> ---------------------
>
> And my access:
>
> [xxx@slpidml01 ~]$ ipa hbactest --user=xxx --host=stlmoracsbx01.domain.com --service=sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: admin access
>
> I also tried opening that host up to everyone:
>
> [jebalicki@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
>   Rule name: stlmoracsbx01-access
>   User category: all
>   Source host category: all
>   Service category: all
>   Enabled: TRUE
>   Hosts: stlmoracsbx01.domain.com
>
> But the rule fails.
>
> I thought maybe there might be something with the user "testuser", so
> I tried another user and I still get a failure.
>
> Any ideas would be appreciated.
First, I think this is not a general issue. I did a quick test which worked as expected:

[root@ipa18-devel ~]# ipa hbacrule-show abc-test
  Rule name: abc-test
  User category: all
  Service category: all
  Enabled: TRUE
  Hosts: abc.def
[root@ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.def --service=wced
--------------------
Access granted: True
--------------------
  Matched rules: abc-test
[root@ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.defx --service=wced
---------------------
Access granted: False
---------------------
  Not matched rules: abc-test

Which version of FreeIPA are you using on the server?

Maybe the sssd logs at a high debug level will give more details on why the access is denied when you try to log in with ssh as testuser on stlmoracsbx01.domain.com.

bye,
Sumit

>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
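The two hbactest runs above (Sumit's abc.def / abc.defx pair and KodaK's testuser rule) both come down to the same matching logic: a rule applies only if it is enabled and the user, the target host and the service each match, either through a category of "all" or through explicit membership. The following is an added example, not FreeIPA or SSSD code, that models that evaluation in Python so the deny/grant outcomes can be reproduced offline. It assumes hostnames are compared case-insensitively as FQDNs, that group membership is a flat set of names (no nesting), and that the deprecated source-host attribute is not considered; the rules and requests are constructed from the output posted in the thread, plus one extra request (a client presenting a short hostname instead of the FQDN stored in the rule) that the thread did not run.

```python
"""Simplified model of FreeIPA HBAC rule evaluation.

Added example for this thread; it is not FreeIPA or SSSD code.
Assumptions: hostnames match case-insensitively as FQDNs, group
membership is a flat set of names, the source-host attribute is ignored,
and the sample rules/requests are constructed from the thread's output.
"""
from dataclasses import dataclass, field
from typing import Optional

ALL = "all"


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)


@dataclass
class AccessRequest:
    user: str
    host: str        # the FQDN the client believes it has
    service: str     # PAM service name, e.g. "sshd"
    user_groups: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)


def _dimension_matches(category, value, members, req_groups, member_groups):
    """One dimension (user, host or service) matches when the rule's
    category is "all", or the value or one of its groups is a member."""
    if category == ALL:
        return True
    return value in members or bool(req_groups & member_groups)


def rule_matches(rule: HbacRule, req: AccessRequest) -> bool:
    """A disabled rule never matches; otherwise all three dimensions must."""
    if not rule.enabled:
        return False
    host_members = {h.lower() for h in rule.hosts}   # assumption: case-insensitive FQDNs
    return (
        _dimension_matches(rule.user_category, req.user, rule.users,
                           req.user_groups, rule.user_groups)
        and _dimension_matches(rule.host_category, req.host.lower(), host_members,
                               req.host_groups, rule.host_groups)
        and _dimension_matches(rule.service_category, req.service, rule.services,
                               req.service_groups, rule.service_groups)
    )


def hbac_evaluate(rules, req):
    """Return (granted, matched_rule_names, not_matched_rule_names),
    the three things `ipa hbactest` reports."""
    matched = [r.name for r in rules if rule_matches(r, req)]
    not_matched = [r.name for r in rules if r.name not in matched]
    return bool(matched), matched, not_matched


# Rules constructed from the thread: Sumit's abc-test and KodaK's first rule.
RULES = [
    HbacRule("abc-test", user_category=ALL, service_category=ALL,
             hosts={"abc.def"}),
    HbacRule("stlmoracsbx01-access", service_category=ALL,
             users={"testuser"}, hosts={"stlmoracsbx01.domain.com"}),
]


def demo():
    """Requests from the thread plus a constructed failure mode: a client
    that presents a short hostname is denied although the rule looks right."""
    cases = {
        "abc.def": AccessRequest("qgwe", "abc.def", "wced"),
        "abc.defx": AccessRequest("qgwe", "abc.defx", "wced"),
        "testuser-fqdn": AccessRequest("testuser", "stlmoracsbx01.domain.com", "sshd"),
        "testuser-short": AccessRequest("testuser", "stlmoracsbx01", "sshd"),
    }
    return {name: hbac_evaluate(RULES, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (granted, matched, not_matched) in demo().items():
        print(f"{name}: granted={granted} matched={matched} not_matched={not_matched}")
```

The "testuser-short" case is the practitioner's check this model adds: on a hand-configured client the name sssd uses for HBAC comes from the client's own configuration (the ipa_hostname setting in sssd.conf, or the system hostname when that is unset), and if that name is not byte-for-byte the FQDN stored in the rule's host list, every rule that names the host explicitly fails while an admin rule with a host category of "all" still passes, which is exactly the pattern in the original report.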
