> Jakub Hrozek wrote:
> On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote:
> > Hello,
> > We are having a problem with HBAC that appears to be related to group
> > membership lookup. I am testing with a new install on RHEL 7.2 with a
> > cross-forest trust with AD. When an AD user attempts to log into a
> > client (RH 6.7 or 7.2) the "hbac_eval_user_element" can report a
> > different number of groups each time and never seems to contain the full
> > list.
> > For the testing account, running the 'id' command returns 153 groups.
> > The ipa group "ad_admin" has been set up to be able to log in anywhere;
> > everyone else is denied. With the default allow_all rule enabled,
> > everything works as expected. Any ideas on where I can look next?
> I assume the group membership is OK on the server, but not the client? Can you
> enable debugging and also include the full logs from the client after doing
> sss_cache -E on the client?
I've done some more testing and installed a RHEL 6.6 client; the issue doesn't
occur there, since it is not pulling in AD groups and only shows the single
POSIX group. The server is running 7.2 and I get the same issue logging into
This is the log section for a login that failed due to "Access denied by HBAC
It shows it failing with 112 groups, but I've had it pass at 113 and fail on
another user at 66.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project