Hi,

I have a brief follow up question regarding this issue; 

I’m actually not bent on using HBAC; it is a nice feature and I’d like to use 
it, but at the end of the day I’m not married to the idea of managing this type 
of policy centrally; in theory, group or user based access control using 
AllowGroups/AllowUsers in sshd_config should work, as long as 
GSSAPIAuthentication and UsePAM are enabled, right? I’ve seen a couple of 
threads that suggest this is possible, although I haven’t seen it explicitly 
mentioned anywhere in the documentation.

I’ve made a brief failed attempt at getting sshd authentication working using 
AllowGroups in sshd_config, however I haven’t spent a whole lot of time on it 
yet (I’m running into some issues with PAM, presumably due to pre-existing 
problems with group enumeration).

I’m growing concerned about our upcoming IPA implementation because as of now I 
don’t have a known workaround to the issue described in this thread (it is 
impacting more than one client).  Any advice with respect to a viable 
workaround to this issue would be appreciated.

Thank you so much for your ongoing support.

Best,

Dan

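For the AllowGroups/AllowUsers approach asked about above, here is a minimal sshd_config fragment added as an illustration (it is not from this thread or from the FreeIPA project). The group name is a placeholder. One caveat worth keeping in mind: sshd evaluates AllowGroups against the user's group list as returned by NSS (that is, by sssd on an IPA client), so a group that drops out of `id <user>` on the client, as described later in this thread, would also fail an AllowGroups check.

```conf
# Added example sshd_config fragment (not from the thread). Keeps Kerberos/GSSAPI
# authentication and PAM (so sssd's PAM stack still runs), then restricts logins
# to members of a local admin group and one IPA POSIX group.
GSSAPIAuthentication yes
UsePAM yes

# Placeholder group names; replace with your own. Membership is resolved through
# NSS (sssd), so the group must appear in `id <user>` on the client at login time.
AllowGroups wheel ipa_ssh_admins
```

After editing, `sshd -t` checks the file for syntax errors and `sshd -T | grep -i allowgroups` shows the effective value before the daemon is reloaded.
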
> On Jul 13, 2016, at 2:14 PM, Sullivan, Daniel [AAA] 
> <dsulliv...@bsd.uchicago.edu> wrote:
> 
> Jakub, Justin,
> 
> Thank you both very much for taking the time to continue helping me resolve 
> this issue.  I apologize for not replying right away; I’ve been dealing with 
> a production issue for most of the morning.
> 
> An invocation of ‘id a.cri.dsulli...@bsdad.uchicago.edu’ on the IPA DC shows 
> me as a member of the POSIX IPA group 
> (cri_server_administrators_...@ipa.cri.uchicago.edu) as well as the AD domain 
> group in the trusted domain (cri-aaa_server_administrat...@bsdad.uchicago.edu). 
> This remains consistent across any number of successful sshd logins into the 
> DC using my a.cri.dsullivan@bsdad.uchicago.edu account, including after 
> clearing the cache on the DC.
> 
> On the client, I am seeing some unusual behavior.  If I run the commands 
> ‘sss_cache -E; service sssd stop ; rm -rf /var/log/sssd/* ; service sssd 
> start’, then run ‘id a.cri.dsulli...@bsdad.uchicago.edu’, I see the POSIX IPA 
> group as well as the AD domain group as described above (what I presumably 
> want and expect).  However (and this is the unusual part), if I attempt to 
> login via SSH (it will fail with HBAC validation), and then run the 
> ‘id a.cri.dsulli...@bsdad.uchicago.edu’ command again, the POSIX IPA group 
> disappears from the list of groups output by the id command.  From what I can 
> tell, this group will not reappear in the group list on the client until the 
> client cache is cleared.  Presumably this behavior is related to the HBAC 
> authentication errors I am experiencing.  I have cleared the cache on both the 
> DC and the client using ssh_cache -E and this behavior is still exhibited.  
> With respect to output from testing:
> 
> 1) The sssd domain log from the client of the initial id invocation 
> (both groups appear) after clearing the cache (on the client) can be found 
> here (this output contains both groups): 
> https://gist.github.com/dsulli99/7117f8d567cc7cdf727d474b0aeab8da<http://pastebin.com/BpAHfYEP>
> 2) The sssd domain log from the client for the failed sshd login (similar to 
> the output I provided yesterday, however re-captured) can be found here 
> (after this operation the IPA group disappears from the list of groups from 
> the id command): 
> https://gist.github.com/dsulli99/668a8799709ff0cd311b321206591124<http://pastebin.com/tnuAbvmV>
> 3) The DC log (after the client cache is cleared) of my running the id 
> invocation (from the client) can be found here (this is the DC side of 1) 
> from above. https://gist.github.com/dsulli99/a2a5e80b6a8b143afa20024aa40a7b39
> 4) The DC log of the failed sshd login into the client (this is the DC 
> side of 2) from above is 
> https://gist.github.com/dsulli99/4e3ba53c942ad78d7487ae51da92007e
> 
> I really appreciate your help with looking at this issue.  As I said I have 
> another machine built from the same image that this is working fine on.  I am 
> going to keep plugging away at this, I will let you know if I come up with 
> anything.
> 
> Dan
> 
> 
> 
> ********************************************************************************
> This e-mail is intended only for the use of the individual or entity to which
> it is addressed and may contain information that is privileged and 
> confidential.
> If the reader of this e-mail message is not the intended recipient, you are 
> hereby notified that any dissemination, distribution or copying of this
> communication is prohibited. If you have received this e-mail in error, 
> please 
> notify the sender and destroy all copies of the transmittal. 
> 
> Thank you
> University of Chicago Medicine and Biological Sciences 
> ********************************************************************************
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

