Hello Daniel,

Just to clarify the issue:

user 'a.cri.dsulli...@bsdad.uchicago.edu' is a member of IDM POSIX group 'cri-cri_server_administrators_ipa' which is linked to the external group used for the AD trust.

The following HBAC rule is not working to allow SSH access

[root@cri-ksysipadcp2 a.cri.dsullivan]# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
      Rule name: cri-cri_server_administrators_allow_all
      Host category: all
      Service category: all
Description: Allow anyone in cri-cri_server_administrat...@bsdad.uchicago.edu<mailto:cri-cri_server_administrat...@bsdad.uchicago.edu> to login to any machine
      Enabled: TRUE
      User Groups: cri-cri_server_administrators_ipa


During the HBAC processing, sssd checks which groups are associated with the HBAC rule and adds those groups(just the 'cri-cri_server_administrators_ipa' group in this case) to the memberUser attribute of the HBAC rule sysdb entry.

(Wed Jul 13 12:07:13 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_attrs_to_rule] (0x1000): Processing rule [cri-cri_server_administrators_allow_all] (Wed Jul 13 12:07:13 2016) [sssd[be[ipa.cri.uchicago.edu]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=cri-cri_server_administrators_ipa,cn=groups,cn=accounts,dc=ipa,dc=cri,dc=uchicago,dc=edu)) (Wed Jul 13 12:07:13 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [cri-cri_server_administrators_ipa] to rule [cri-cri_server_administrators_allow_all]

The hbac evaluation reads the originalMemberof attribute of 'a.cri.dsulli...@bsdad.uchicago.edu' to assess the groups which HBAC should match with

(Wed Jul 13 12:07:13 2016) [sssd[be[ipa.cri.uchicago.edu]]] [hbac_eval_user_element] (0x1000): [30] groups for [a.cri.dsulli...@bsdad.uchicago.edu]

With debug logging enabled we should see a message such as the following when the group is found, but we don't see that in your log output:

[hbac_eval_user_element] Added group [cri-cri_server_administrators_ipa] for user [a.cri.dsulli...@bsdad.uchicago.edu]

We need to understand why this group is being removed from the sysdb, as you said the group does not return in id command output after the SSH attempt.

It would be great to get full sssd debug logs and a dump of the sssd sysdb cache after the first 'id' command is run, and then after the SSH attempt is made when the group no longer shows. Note the ldbsearch command is included in the 'ldb-tools' rpm

For example:

ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb > ldbsearch-first-id-command.ldb

ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb > ldbsearch-after-ssh-attempt.ldb

Kind regards,
Justin Stephenson

On 07/13/2016 03:14 PM, Sullivan, Daniel [AAA] wrote:
Jakub, Justin,

Thank you both very much for taking the time to continue helping me resolve 
this issue.  I apologize for not replying right away; I’ve been dealing with a 
production issue for most of the morning.

An invocation of ‘id 
a.cri.dsulli...@bsdad.uchicago.edu<mailto:a.cri.dsulli...@bsdad.uchicago.edu>’ on the IPA DC 
shows me as a member of the POSIX IPA group 
 as well as the AD domain group in the trusted domain 
  This remains consistent across any number of successful sshd logins into the DC using my 
a.cri.dsullivan@bsdad.uchicago<mailto:a.cri.dsullivan@bsdad.uchicago>.edu account, including 
after clearing the cache on the DC.

On the client, I am seeing some unusual behavior.  If I run the commands 'sss_cache -E; 
service sssd stop ; rm -rf /var/log/sssd/* ; service sssd start’ , then run ‘id 
a.cri.dsulli...@bsdad.uchicago.edu<mailto:a.cri.dsulli...@bsdad.uchicago.edu>’, I see 
the POSIX IPA group as well as the AD domain group as described above (what I presumably 
want and expect).  However (and this is the unusual part), if I attempt to login via SSH 
(it will fail with HBAC validation), and then run the ‘id 
command again , the POSIX IPA group disappears from the list of groups output by the id 
command.  From what I can tell, this group will not reappear in the group list on the 
client until the client cache is cleared.  Presumably this behavior is related to the HBAC 
authentication errors I am experiencing.  I have cleared the cache on both the DC and the 
client using ssh_cache -E and this behavior is still exhibited.  With respect to output 
from testing:

1) The sssd domain log from from the client of the initial id invocation (both groups 
appear) after clearing the cache (on the client) can be found here (this output 
contains both groups): 
2) The sssd domain log from the client for the failed sshd login (similar to the 
output I provided yesterday, however re-captured) can be found here (after this 
operation the IPA group disappears from the list of groups from the id command): 
3) The DC log (after the client cache is cleared) of my running the id 
invocation (from the client) can be found here (this is the DC side of 1) from 
above. https://gist.github.com/dsulli99/a2a5e80b6a8b143afa20024aa40a7b39
4) The DC log of the the failed sshd login into the client (this is the DC side 
of 2) from above is 

I really appreciate your help with looking at this issue.  As I said I have 
another machine built from the same image that this is working fine on.  I am 
going to keep plugging away at this, I will let you know if I come up with 


This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please
notify the sender and destroy all copies of the transmittal.

Thank you
University of Chicago Medicine and Biological Sciences

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to