On Mon, Sep 14, 2015 at 11:16:57AM +0200, Morgan Marodin wrote:
> Ok, but now I have another problem :)
> 
> If I disable the default allow_all HBAC rule, creating one custom HBAC rule
> that enables ad_admins to access any host and any service, Kerberos ticket via
> ssh does not work.
> Username/password authentication with the same custom HBAC rules works.
> 
> SSH logs with kerberos authentication:
> Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to
> administra...@mydomain.com, krb5 principal administra...@mydomain.com
> (krb5_kuserok)
> Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access
> denied for user administra...@mydomain.com: 6 (Permission denied)
> Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user
> administra...@mydomain.com by PAM account configuration
> 
> SSH logs with username/password authentication:
> Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.0.252  user=administra...@mydomain.com
> Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication
> success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=
> administra...@mydomain.com
> Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for
> administra...@mydomain.com from 192.168.0.252 port 49590 ssh2
> Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session
> opened for user administra...@mydomain.com by (uid=0)
> 
> If I enable the allow_all HBAC rule, Kerberos authentication works.
> Maybe there is something else to configure?

No, the HBAC result should not change depending on the authentication
method. Can you send me the SSSD logs with a high debug level (10) for
both cases? If you prefer, you can send them to me directly.

bye,
Sumit

> 
> Thanks, Morgan
> 
> 2015-09-14 9:48 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>:
> 
> > On Mon, 14 Sep 2015, Morgan Marodin wrote:
> >
> >> The Pro edition.
> >>
> >> I've solved my connection problem: I have to specify the username manually
> >> (name.surname@ad_domain.com) with Microsoft SSPI.
> >> In this mode it is ok, but using PuTTY "Use system username" does not work for
> >> me.
> >>
> >>
> >> I don't know why :)
> >>
> > The problem is that when you use PuTTY's 'use system
> > username', it only provides an unqualified name there, e.g.
> > Administrator, not AD\Administrator or administra...@ad.test. On the IPA
> > client side AD users are fully qualified, and thus the user you are trying
> > to log in as (Administrator) is not the same as the user you are
> > (administra...@ad.test).
> > --
> > / Alexander Bokovoy
> >
> 
> 
> 
> -- 
> Morgan Marodin
> email: mor...@marodin.it
> mobile: +39.3477829069

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
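The two sshd logs quoted above differ in which PAM stage speaks first. With GSSAPI/Kerberos, sshd authorizes the principal itself (the "Authorized to ... (krb5_kuserok)" line) and skips the PAM auth stack, so the first pam_sss line is the account stage, which is where SSSD applies HBAC; with a password, pam_unix fails first (expected for a domain user), pam_sss authenticates, and the session opens. The following is an added example, not code from the thread, from FreeIPA or from SSSD: a small Python parser that reads sshd/PAM syslog lines, groups them per sshd pid and reports whether the denial came from the auth or the account stage. The log lines inside it are constructed after the ones quoted above; the hostname, pids and the user aduser@ad.example are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the two sshd sessions quoted in the thread.
# Hostname, pids and the user "aduser@ad.example" are placeholders, not real data.
SAMPLE_LOG = """\
Sep 14 11:04:43 ipa-client01 sshd[1728]: Authorized to aduser@ad.example, krb5 principal aduser@AD.EXAMPLE (krb5_kuserok)
Sep 14 11:04:43 ipa-client01 sshd[1728]: pam_sss(sshd:account): Access denied for user aduser@ad.example: 6 (Permission denied)
Sep 14 11:04:43 ipa-client01 sshd[1729]: fatal: Access denied for user aduser@ad.example by PAM account configuration
Sep 14 11:10:30 ipa-client01 sshd[1766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252  user=aduser@ad.example
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.252 user=aduser@ad.example
Sep 14 11:10:31 ipa-client01 sshd[1766]: Accepted password for aduser@ad.example from 192.168.0.252 port 49590 ssh2
Sep 14 11:10:31 ipa-client01 sshd[1766]: pam_unix(sshd:session): session opened for user aduser@ad.example by (uid=0)
"""

# One PAM module line: "<timestamp> <host> sshd[<pid>]: pam_<module>(<service>:<phase>): <message>"
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_(?P<module>\w+)\((?P<service>\w+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# Matches "for user NAME:" and "user=NAME"; the \b stops "ruser=" from matching.
USER_RE = re.compile(r"\buser[= ](\S+?)(?=[:\s]|$)")
FAIL_RE = re.compile(r"denied|failure|failed", re.IGNORECASE)


@dataclass
class PamEvent:
    pid: int
    module: str          # "sss", "unix", ...
    phase: str           # "auth", "account", "session", "password"
    ok: bool
    user: Optional[str]
    msg: str


def parse_pam_lines(text: str) -> List[PamEvent]:
    """Extract PAM module events from sshd syslog text; lines not from a PAM module are ignored."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue  # e.g. "Accepted password", "Authorized to ... (krb5_kuserok)", "fatal: ..."
        msg = m.group("msg")
        um = USER_RE.search(msg)
        events.append(PamEvent(
            pid=int(m.group("pid")),
            module=m.group("module"),
            phase=m.group("phase"),
            ok=FAIL_RE.search(msg) is None,
            user=um.group(1) if um else None,
            msg=msg,
        ))
    return events


def classify_sessions(text: str) -> Dict[int, dict]:
    """Per sshd pid: did pam_sss authenticate the user, and which pam_sss stage (if any) denied?

    With GSSAPI/Kerberos, sshd authenticates the user itself and never runs the PAM
    auth stack, so the first pam_sss event is the account stage, where SSSD applies
    HBAC. "pam_sss(sshd:account): Access denied" with no auth failure before it points
    at access control, not at credentials. A pam_unix(sshd:auth) failure for a domain
    user is expected (pam_unix is tried first and cannot know the user) and is not
    counted as a denial here.
    """
    sessions: Dict[int, dict] = {}
    for ev in parse_pam_lines(text):
        rec = sessions.setdefault(ev.pid, {"user": None, "sss_auth_ok": False, "denied_stage": None})
        if ev.user:
            rec["user"] = ev.user
        if ev.module != "sss":
            continue
        if ev.phase == "auth" and ev.ok:
            rec["sss_auth_ok"] = True
        elif not ev.ok and rec["denied_stage"] is None:
            rec["denied_stage"] = ev.phase
    return sessions


def explain(rec: dict) -> str:
    """Human-readable verdict for one session record."""
    if rec["denied_stage"] == "account":
        return "denied at the account stage: credentials accepted, SSSD access control (HBAC) refused the login"
    if rec["denied_stage"] == "auth":
        return "denied at the auth stage: wrong credentials or user not known to SSSD"
    if rec["sss_auth_ok"]:
        return "authenticated by pam_sss and not denied"
    return "no pam_sss denial recorded (authentication handled outside PAM, e.g. GSSAPI)"


if __name__ == "__main__":
    for pid, rec in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(f"sshd[{pid}] user={rec['user']}: {explain(rec)}")
```

When the verdict is an account-stage denial, the next things to look at are the HBAC evaluation itself (on the IPA server, `ipa hbactest --user <user> --host <client fqdn> --service sshd`) and the SSSD domain log for the client with debug_level raised, as asked for above; the user name in the log must be the fully qualified one the HBAC rule was written against.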
