On Sun, Sep 07, 2014 at 11:41:16PM +0200, Gregor Bregenzer wrote: > Hi! > > I have an AD trust with FreeIPA 4.0.1 and defined a HBAC rule for a > specific user group (=ad_users which is an posix group that has an > external group as member) to login on a specific client > (=linux1.linux.intern). > > The problem is: once i disable the rule and the AD user is not allowed > to login anymore, the user on the client gets another uid and gid via > sssd. > > I use the posix attributes from AD, which will get received by sssd perfectly. > The client is running on CentOS 6.5 and uses sssd 1.9.2.129.el6_5.4 > AD domain = aaa.intern > IPA domain = linux.intern > AD-User: user1 (uid=1005,gid=10005) > > Here an example: > ---------------------------- > 1.) disable the hbac rule and the default allow_all rule: > 2.) check the uid/gid on the client (=linux1.linux.intern) and it looks fine: > > [root@linux1 sssd]# getent passwd user1@aaa > user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash > > 3.) Login with ssh to client as user1. It will be denied upon correct > password input and ssh sessions closes. Up until now everything as > expected. But now: > > 4.) check for the uid/gid on the client - something totally different. > It now also receives the Firstname and Lastname from AD, latter is > empty: > > [root@linux1 sssd]# getent passwd user1@aaa > user1@aaa.intern:*:11601:11601:user1:/home/user1@aaa.intern:/bin/bash > > 5.) Enable the hbac rule and login works, but the unexpected uid/gid > stays the same: > > login as: user1@aaa > user1@aaa@192.168.0.100's password: > login as: user1@aaa > user1@aaa@192.168.0.100's password: > Last failed login: Sun Sep 7 23:19:49 CEST 2014 from 192.168.0.26 on > ssh:notty > There were 2 failed login attempts since the last successful login. > Creating home directory for user1@aaa. > Last login: Sun Sep 7 23:21:02 2014 from 192.168.0.26 > [user1@aaa.intern@linux1 ~]$ id > uid=11601(user1@aaa.intern) gid=11601(user1@aaa.intern) > Gruppen=11601(user1@aaa.intern),1933000004(ad_users) > [user1@aaa.intern@linux1 ~]$ > --------------------------------- > > Anyone have a clue what might be the problem?
I would expect some kind of collision, but to be sure I need the SSSD log files. Please try to reproduce the switch and send me the log file, if possilbe with debug_level=9. bye, Sumit > > Here's the sssd.conf: > [root@linux1 sssd]# cat /etc/sssd/sssd.conf > [domain/linux.intern] > debug_level=6 > cache_credentials = False > krb5_store_password_if_offline = False > ipa_domain = linux.intern > id_provider = ipa > auth_provider = ipa > access_provider = ipa > ipa_hostname = linux1.linux.intern > chpass_provider = ipa > ipa_dyndns_update = True > ipa_server = _srv_, ipa1.linux.intern > ldap_tls_cacert = /etc/ipa/ca.crt > use_fully_qualified_domains = True > # For the SUDO integration > sudo_provider = ldap > ldap_uri = ldap://ipa1.linux.intern > ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern > ldap_sasl_mech = GSSAPI > ldap_sasl_authid = host/linux1.linux.intern > ldap_sasl_realm = LINUX.INTERN > krb5_server = ipa1.linux.intern > entry_cache_sudo_timeout = 30 > [sssd] > debug_level=6 > services = nss, pam, ssh, sudo > config_file_version = 2 > default_domain_suffix=aaa.intern > domains = linux.intern > [nss] > debug_level=9 > override_homedir = /home/%u > override_shell = /bin/bash > [pam] > debug_level=6 > [sudo] > debug_level=6 > [autofs] > > [ssh] > debug_level=6 > [pac] > > > > Thanks! > Gregor > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project