On Wed, 18 Mar 2015, Guertin, David S. wrote:
I've almost got AD integration going, except for the minor detail that no one 
can log in. When an AD user tries to SSH in to the IPA server, /var/log/secure 
shows:


------------------------------------------

Mar 18 13:59:08 genet sshd[21335]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=tundra.middlebury.edu  
user=MIDD\guertin-s
Mar 18 13:59:09 genet sshd[21335]: pam_sss(sshd:auth): authentication success; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=tundra.middlebury.edu 
user=MIDD\guertin-s
Mar 18 13:59:10 genet sshd[21335]: pam_sss(sshd:account): Access denied for 
user MIDD\guertin-s: 6 (Permission denied)
Mar 18 13:59:10 genet sshd[21335]: Failed password for MIDD\\guertin-s from 
140.233.6.66 port 59707 ssh2
Mar 18 13:59:10 genet sshd[21335]: fatal: Access denied for user 
MIDD\\\\guertin-s by PAM account configuration [preauth]

------------------------------------------


So pam_sss is responding with "permission denied".
pam_sss verifies your right to access a service by seeing if there is an
HBAC rule that allows it. HBAC rules are to allow what is denied by
default.

In the standard FreeIPA setup we have an 'allow_all' HBAC rule which roughly
states "anyone can access any service on any host". Did you disable this
rule?

If yes, then you have to have explicit rules allowing access to
specific services.
See the examples in 'ipa trust' and 'ipa hbacrule'. Without arguments, any
topic-level command in the IPA CLI prints help, which includes examples of
using the commands from that topic.

To create HBAC rules for AD users you first need to create a grouping
for them in IPA ('ipa trust' has an explicit example of how to do that) and
then define an HBAC rule to allow that POSIX group to access the sshd
service.

HBAC services are PAM service names (i.e. /etc/pam.d/<name>).

Everything looks normal here to me, until "[pam_dp_process_reply]
(0x0100): received: [6]", after which the client disconnects. Can
someone help with PAM configuration to get this to work?

As described in the documentation, my ad_users group contains the group
ad_users_external, which contains the AD group rhidm_users:

# ipa group-show ad_users
 Group name: ad_users
 Description: AD users
 GID: 1447200005
 Member groups: ad_users_external

# ipa group-show ad_users_external
 Group name: ad_users_external
 Description: AD users external map
 Member of groups: ad_users
 External member: rhidm_us...@middlebury.edu?
Right, so you have the ad_users group now and need to define an HBAC rule
allowing it access to the sshd service.

--
/ Alexander Bokovoy
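An added example, not part of the thread, that makes the distinction Alexander draws above mechanical: pam_sss answering 6 (PAM_PERM_DENIED) in the account phase right after a successful auth phase is an HBAC denial, not a wrong password, even though sshd logs both as "Failed password". The sample log lines are constructed from the excerpt; host, user and address names are invented.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure excerpt above (names and
# addresses invented): one HBAC-denied attempt and one bad-password attempt.
SAMPLE_LOG = """\
Mar 18 13:59:08 genet sshd[21335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=MIDD\\alice
Mar 18 13:59:09 genet sshd[21335]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=MIDD\\alice
Mar 18 13:59:10 genet sshd[21335]: pam_sss(sshd:account): Access denied for user MIDD\\alice: 6 (Permission denied)
Mar 18 13:59:10 genet sshd[21335]: Failed password for MIDD\\\\alice from 192.0.2.10 port 59707 ssh2
Mar 18 14:02:01 genet sshd[21400]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.com user=MIDD\\bob
Mar 18 14:02:01 genet sshd[21400]: Failed password for MIDD\\\\bob from 192.0.2.10 port 59800 ssh2
"""

# Only PAM module lines carry the phase (auth vs account); sshd's own lines do not.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(sshd:(?P<phase>auth|account)\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"user[= ](\S+?)(?::\s|\s|$)")


def classify_sessions(log_text):
    """Group PAM lines by (host, sshd pid); return {key: (user, verdict)}.
    hbac-denied: pam_sss auth ok but pam_sss account returned 6 (PAM_PERM_DENIED),
    i.e. right password, no HBAC rule.  bad-credentials: pam_sss auth failed.
    auth-ok: authenticated, no account-phase denial seen."""
    sessions = defaultdict(lambda: {"user": None, "events": []})
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        u = USER_RE.search(m["msg"])
        if u:
            sessions[key]["user"] = u.group(1)
        sessions[key]["events"].append((m["module"], m["phase"], m["msg"]))
    result = {}
    for key, s in sessions.items():
        sss = [(ph, msg) for mod, ph, msg in s["events"] if mod == "pam_sss"]
        if any(ph == "account" and msg.startswith("Access denied") for ph, msg in sss):
            verdict = "hbac-denied"
        elif any(ph == "auth" and "success" in msg for ph, msg in sss):
            verdict = "auth-ok"
        elif any(ph == "auth" and "failure" in msg for ph, msg in sss):
            verdict = "bad-credentials"
        else:
            verdict = "unknown"  # pam_unix-only noise, e.g. local lookup miss
        result[key] = (s["user"], verdict)
    return result
```

Run it over a real /var/log/secure and every 'hbac-denied' session is one to fix with 'ipa hbacrule', not one to treat as a credential problem.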

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project