On Tue, Feb 17, 2015 at 03:47:39PM -0800, Andrew Egelhofer wrote:
> Hi Sumit & FreeIPA Users-
>
> Your suggestion on updating the version of sssd worked like a charm.
> Consider this issue solved.

Thank you for the feedback, glad I could help.

bye,
Sumit

>
> Thanks Everyone,
> -Andrew
>
> On Mon, Feb 16, 2015 at 12:32 PM, Andrew Egelhofer <
> aegelho...@rubiconproject.com> wrote:
>
> > Thank you for the reply Sumit - I will look into updating the version of
> > sssd. If that doesn't work, I will also try adding the
> > 'sourceHostCategory' attribute to rules. Though, I would imagine I would
> > have to do this for *all* rules if I want them to work as intended. I'll
> > report back my findings tomorrow.
> >
> > Thanks,
> > -Andrew
> >
> > On Mon, Feb 16, 2015 at 12:40 AM, Sumit Bose <sb...@redhat.com> wrote:
> >
> >> On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
> >> > Hi FreeIPA Users-
> >> >
> >> > I've deployed a FreeIPA instance in my Lab, and enrolled a single host,
> >> > and a single user ('testuser'). The only HBAC rule I currently have is
> >> > the stock allow_all. Yet, when I attempt to log into the host via ssh,
> >> > it closes the connection.
> >> >
> >> > $ ssh testuser@<host>
> >> > Warning: Permanently added '<host>,<host-ip>' (RSA) to the list of known hosts.
> >> > testuser@<host>'s password:
> >> > Connection closed by <host-ip>
> >> >
> >> > The host I'm attempting to login to can correctly look up the user
> >> > using getent:
> >> >
> >> > # getent passwd testuser
> >> > testuser:*:168400003:168400003:Test User:/home/testuser:/bin/bash
> >> >
> >> > Scanning /var/log/secure, I see these entries:
> >> >
> >> > Feb 14 12:01:50 <host> sshd[6528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
> >> > Feb 14 12:01:51 <host> sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
> >> > Feb 14 12:01:51 <host> sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
> >> >
> >> > That tells me (from reading online) the user / password was correctly
> >> > authenticated, but failed authorization due to HBAC rules. I've tested
> >> > the rule using the 'hbactest' utility and it passes:
> >> >
> >> > [root@<Master> ~]# ipa hbactest --user=testuser --host=<host> --service=sshd
> >> > --------------------
> >> > Access granted: True
> >> > --------------------
> >> > Matched rules: allow_all
> >> >
> >> > I'm at a loss here, because if I comment out the line:
> >> >
> >> > account [default=bad success=ok user_unknown=ignore] pam_sss.so
> >> >
> >> > in /etc/pam.d/system-auth, the user is able to login.
> >> >
> >> > So what am I missing here? Is there a way I can debug HBAC rules? I've
> >> > already set debug_level = 10 in /etc/sssd/sssd.conf, and I see it's able
> >> > to access the HBAC 'allow_all' rule in the log
> >> > /var/log/sssd/sssd_<domain>.<dc>.log:
> >> >
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [sdap_get_generic_done] (7): Total count [0]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category] (5): Category is set to 'all'.
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_service_attrs_to_rule] (7): Processing PAM services for rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category] (5): Category is set to 'all'.
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_get_category] (5): Category is set to 'all'.
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (7): [12] groups for [admin]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (7): Added group [admins] for user [admin]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication administrators,cn=privileges,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove replication agreements,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host enrollment,cn=privileges,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host keytab,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a host,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=unlock user accounts,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage service keytab,cn=permissions,cn=pbac,dc=<domain>,dc=<dc>]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_eval_user_element] (7): Added group [trust admins] for user [admin]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
> >> >
> >> > IPA server:
> >> > # rpm -q ipa-server sssd
> >> > ipa-server-3.0.0-42.el6.centos.x86_64
> >> > sssd-1.11.6-30.el6_6.3.x86_64
> >> > # cat /etc/redhat-release
> >> > CentOS release 6.5 (Final)
> >> >
> >> > Client:
> >> > # cat /etc/redhat-release
> >> > CentOS release 5.8 (Final)
> >> > # rpm -q sssd
> >> > sssd-1.5.1-49.el5_8.1
> >>
> >> This version is quite old and I guess
> >>
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
> >> > (Fri Feb 13 21:38:15 2015) [sssd[be[<domain>.<dc>]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
> >>
> >> is causing the issue. At that time it was possible to specify source
> >> hosts in HBAC rules. But since there is no reliable way to determine
> >> the source host (we have to rely on the data libpam is able to give us),
> >> we removed this in later versions. If you started with an old IPA server
> >> the related attributes are kept during updates, but newer versions like
> >> ipa v3 do not set them anymore.
> >>
> >> First I would recommend to update SSSD. If there is really no way to
> >> update SSSD, adding an attribute 'sourceHostCategory: all' to the LDAP
> >> object of the allow_all rule might help.
> >>
> >> HTH
> >>
> >> bye,
> >> Sumit
> >>
> >> > Any help is appreciated.
> >> >
> >> > Thanks,
> >> > -Andrew
> >>
> >> > --
> >> > Manage your subscription for the Freeipa-users mailing list:
> >> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >> > Go To http://freeipa.org for more info on the project
> >>
> >
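The diagnosis in this thread rests on reading two logs together: /var/log/secure shows pam_sss succeeding at the auth stage and then denying at the account stage (credentials accepted, authorization refused), and the SSSD domain log shows why, with "No host specified, rule will never apply." emitted while processing the source-host element of allow_all, followed by "Access denied by HBAC rules". The script below automates exactly that triage. It is an added example, not code from the thread or from SSSD/FreeIPA; the log lines it runs on are constructed, modelled on the ones Andrew quoted, with example.test standing in for the real domain and a second, invented session (pid 6601, user bob) added so the two failure classes can be told apart.

```python
"""Triage helper for the two logs discussed in the thread:
/var/log/secure (PAM stage results) and the SSSD domain log
(HBAC rule evaluation). Added example, not project code."""
import re
from collections import defaultdict

# Constructed /var/log/secure excerpt: pid 6528 has credentials accepted
# by pam_sss but the account stage denied (the thread's case); pid 6601
# is a plain password failure, added for contrast.
SECURE_LOG = """\
Feb 14 12:01:50 host1 sshd[6528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
Feb 14 12:01:51 host1 sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
Feb 14 12:01:51 host1 sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
Feb 14 12:05:02 host1 sshd[6601]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=bob
""".splitlines()

# Constructed SSSD domain-log excerpt (debug_level = 10), trimmed to the
# lines that matter for the HBAC decision; example.test is a placeholder.
SSSD_LOG = """\
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_get_category] (5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
(Fri Feb 13 21:38:15 2015) [sssd[be[example.test]]] [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
""".splitlines()

# daemon[pid]: pam_<module>(<service>:<stage>): <message>
PAM_RE = re.compile(r'(\S+)\[(\d+)\]: pam_(\w+)\((\w+):(\w+)\): (.*)$')


def classify_pam_sessions(lines):
    """Map each sshd pid to (user, verdict). A session whose auth stage
    succeeded but whose account stage was denied is an authorization
    failure (HBAC or similar), not a wrong password."""
    sessions = defaultdict(lambda: {"user": None, "auth_success": False,
                                    "account_denied": False})
    for line in lines:
        m = PAM_RE.search(line)
        if not m:
            continue
        _daemon, pid, _module, _service, stage, msg = m.groups()
        s = sessions[pid]
        u = re.search(r'for user (\S+?):', msg) or re.search(r'\buser=(\S+)', msg)
        if u:
            s["user"] = u.group(1)
        # pam_unix failing before pam_sss succeeds is normal for an IPA user
        # with no /etc/passwd entry, so only a recorded success counts.
        if stage == "auth" and "authentication success" in msg:
            s["auth_success"] = True
        elif stage == "account" and msg.startswith("Access denied"):
            s["account_denied"] = True
    verdicts = {}
    for pid, s in sessions.items():
        if s["auth_success"] and s["account_denied"]:
            verdict = "authorization_denied"
        elif s["auth_success"]:
            verdict = "ok"
        else:
            verdict = "authentication_failed"
        verdicts[pid] = (s["user"], verdict)
    return verdicts


# [<hbac function>] (<level>): <message>
HBAC_RE = re.compile(r'\[(hbac_\w+|ipa_hbac_evaluate_rules)\] \((\d+)\): (.*)$')
ELEMENT_RE = re.compile(r'Processing (users|PAM services|target hosts|source hosts) for rule \[(.+?)\]')


def triage_hbac_log(lines):
    """Summarise one HBAC evaluation: for each rule, whether SSSD declared
    it can never apply and which element it was processing at the time,
    plus the final decision line from ipa_hbac_evaluate_rules."""
    rules = {}
    current = element = decision = None
    for line in lines:
        m = HBAC_RE.search(line)
        if not m:
            continue
        func, _level, msg = m.groups()
        r = re.search(r'Processing rule \[(.+?)\]', msg)
        if r:
            current, element = r.group(1), None
            rules.setdefault(current, {"dead": False, "element": None, "reason": None})
            continue
        e = ELEMENT_RE.search(msg)
        if e:
            element, current = e.group(1), e.group(2)
            rules.setdefault(current, {"dead": False, "element": None, "reason": None})
            continue
        if current and "will never apply" in msg:
            rules[current].update(dead=True, element=element, reason=msg)
        elif func == "ipa_hbac_evaluate_rules":
            decision = msg
    return {"rules": rules, "decision": decision}


def explain(triage):
    """Render the triage as the lines an administrator would want to read."""
    out = []
    for name, info in triage["rules"].items():
        if info["dead"]:
            out.append(f"rule [{name}] can never match: {info['reason']} "
                       f"(while processing {info['element']})")
        else:
            out.append(f"rule [{name}] was evaluated normally")
    out.append(f"decision: {triage['decision'] or 'not found in log'}")
    return out


if __name__ == "__main__":
    for pid, (user, verdict) in classify_pam_sessions(SECURE_LOG).items():
        print(f"sshd[{pid}] user={user}: {verdict}")
    for text in explain(triage_hbac_log(SSSD_LOG)):
        print(text)
```

On the thread's logs this reports sshd[6528] as authorization_denied and points at allow_all giving up in the source-hosts element, which is the same conclusion Sumit reached by hand; the contrasting session shows that a plain bad password never reaches the account stage at all. The key it captures for detection is that a PAM auth success immediately followed by an account-stage denial for the same pid is a policy problem to raise with whoever owns HBAC, not a credential problem to chase with the user.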