I have an AD trust with FreeIPA 4.0.1 and defined a HBAC rule for a
specific user group (=ad_users which is an posix group that has an
external group as member) to login on a specific client

The problem is: once i disable the rule and the AD user is not allowed
to login anymore, the user on the client gets another uid and gid via

I use the posix attributes from AD, which will get received by sssd perfectly.
The client is running on CentOS 6.5 and uses sssd
AD domain = aaa.intern
IPA domain = linux.intern
AD-User: user1   (uid=1005,gid=10005)

Here an example:
1.) disable the hbac rule and the default allow_all rule:
2.) check the uid/gid on the client (=linux1.linux.intern) and it looks fine:

[root@linux1 sssd]# getent passwd user1@aaa

3.) Login with ssh to client as user1. It will be denied upon correct
password input and ssh sessions closes. Up until now everything as
expected. But now:

4.) check for the uid/gid on the client - something totally different.
It now also receives the Firstname and Lastname from AD, latter is

[root@linux1 sssd]# getent passwd user1@aaa

5.) Enable the hbac rule and login works, but the unexpected uid/gid
stays the same:

login as: user1@aaa
user1@aaa@'s password:
login as: user1@aaa
user1@aaa@'s password:
Last failed login: Sun Sep  7 23:19:49 CEST 2014 from on ssh:notty
There were 2 failed login attempts since the last successful login.
Creating home directory for user1@aaa.
Last login: Sun Sep  7 23:21:02 2014 from
[user1@aaa.intern@linux1 ~]$ id
uid=11601(user1@aaa.intern) gid=11601(user1@aaa.intern)
[user1@aaa.intern@linux1 ~]$

Anyone have a clue what might be the problem?

Here's the sssd.conf:
[root@linux1 sssd]# cat /etc/sssd/sssd.conf
cache_credentials = False
krb5_store_password_if_offline = False
ipa_domain = linux.intern
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = linux1.linux.intern
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa1.linux.intern
ldap_tls_cacert = /etc/ipa/ca.crt
use_fully_qualified_domains = True
# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://ipa1.linux.intern
ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linux1.linux.intern
ldap_sasl_realm = LINUX.INTERN
krb5_server = ipa1.linux.intern
entry_cache_sudo_timeout = 30
services = nss, pam, ssh, sudo
config_file_version = 2
domains = linux.intern
override_homedir = /home/%u
override_shell = /bin/bash



Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to