After further testing, I've discovered that the dev system wasn't working as well as I thought it was: HBAC and sshd don't seem to be playing well together on one server, but fine on the other?
i.e., I can run the same commands from both ipa-server and ipa-client:

ipa hbactest --user=user1 --host=ipa-server.unixdev.petermac.org.au --service=sshd
ipa hbactest --user=user1 --host=ipa-client.unixdev.petermac.org.au --service=sshd

and every response is:

to the ipa-client
--------------------
Access granted: True
--------------------
  Matched rules: Admin Users (w sudo)
  Matched rules: Users

to the ipa-server
--------------------
Access granted: True
--------------------
  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users

but when I try to log in to the ipa-server, I get an instant disconnect? I can log in happily to the ipa-client, no problems.

Is there a special rule about sshd and the ipa-server?

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."

- Grace Hopper

On 11 October 2016 at 14:06, Lachlan Musicman <data...@gmail.com> wrote:
> Hola,
>
> I've set up a test domain that's as much as possible the same as the prod
> domain, and successfully got a one way trust against the AD: CentOS 7.2,
> ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3
>
> On that test domain I believe I have HBAC working successfully.
>
> Once I could show that it was working successfully on the test domain we
> updated all the clients in the prod domain to sssd 1.14.1-3, updated the
> IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.
>
> And it doesn't work? Two users could log in, but none of the others could,
> and the sudo rules weren't applied, in so much as the one user that could
> log in but shouldn't have had sudo, did.
>
> I tried stopping sssd/clearing cache/start sssd/waiting; and stopping
> sssd/deleting /var/lib/sss/db/* /start sssd/waiting.
>
> Neither of those worked, so I enabled allow all again.
>
> Now I have a bunch of log files to look through, but no clear indication
> of what might have gone wrong from a quick read.
>
> I can see in the logs where one person is ok'd by HBAC for sshd and
> another two are denied - when they should have all been ok'd. And I can
> infer that the reasoning is that HBAC has declared person2 + person3 to not
> be in a group they most definitely are in from the error messages. But
> there is no indication of why sssd hasn't properly picked up that person2
> is in the correct group?
>
> I guess the question is, where do I start fixing this? Which logs should I
> be reading?
>
> What can I compare between the two set ups (dev and prod) that might give
> me insight, given that they are largely set up identically?
>
> Cheers
> L.
>
>
>
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
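The post above compares `ipa hbactest` results for one user across two hosts by eye. The script below is an added example, not code from the thread or from the FreeIPA project: it parses the text output of `ipa hbactest` (the `Access granted:` line and the `Matched rules:` lines shown above) and prints one summary line per host, so that a batch of user/host/service combinations can be compared and any denial or rule difference stands out. Only `ipa hbactest --user --host --service` is assumed, exactly as used in the post; the helper names (`hbac_summary`, `hbac_output`, `hbac_report`, `hbac_denied_count`) and the `HBACTEST_LIVE` switch are this example's own. Offline, `hbac_output` replays constructed sample output shaped like the two results quoted above instead of calling `ipa`. Note that `ipa hbactest` evaluates the rules on the IPA server against LDAP; the sshd login itself is decided by sssd on the target host from its own cache, so agreement here does not by itself prove what sssd on ipa-server will decide.

```shell
#!/bin/sh
# Added example (not from the original thread). Summarises `ipa hbactest`
# output per user/host/service so several combinations can be compared.
# Real `ipa hbactest` is run only when HBACTEST_LIVE=1; otherwise the
# constructed sample output below (mirroring the thread's two results) is
# replayed, so the script runs offline.

# hbac_summary: read one hbactest result on stdin and print one line:
#   "GRANTED <rule>[,<rule>...]"   ("-" when no Matched rules line appears)
#   "DENIED"
# "Not matched rules:" lines are deliberately ignored (they start with "Not").
hbac_summary() {
    awk '
        /^[[:space:]]*Access granted:/ { granted = ($NF == "True") }
        /^[[:space:]]*Matched rules:/ {
            sub(/^[[:space:]]*Matched rules:[[:space:]]*/, "")
            rules = (rules == "" ? $0 : rules "," $0)
        }
        END {
            if (granted) printf "GRANTED %s\n", (rules == "" ? "-" : rules)
            else         print "DENIED"
        }'
}

# hbac_output USER HOST SERVICE: raw hbactest output for one combination.
# Live mode shells out to ipa with the flags used in the thread; offline
# mode prints constructed fixtures (hypothetical, for demonstration only).
hbac_output() {
    user=$1; host=$2; service=$3
    if [ "${HBACTEST_LIVE:-0}" = 1 ]; then
        ipa hbactest --user="$user" --host="$host" --service="$service"
        return
    fi
    case $host in
        ipa-client.*)
            cat <<'EOF'
--------------------
Access granted: True
--------------------
  Matched rules: Admin Users (w sudo)
  Matched rules: Users
EOF
            ;;
        ipa-server.*)
            cat <<'EOF'
--------------------
Access granted: True
--------------------
  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users
EOF
            ;;
        *)
            # Constructed denial, to show how a refused host is reported.
            cat <<'EOF'
--------------------
Access granted: False
--------------------
  Not matched rules: Users
EOF
            ;;
    esac
}

# hbac_report USER "HOST1 HOST2 ..." SERVICE: one line per host,
# "<host> <service> <summary>", so differences between hosts line up.
hbac_report() {
    user=$1; service=$3
    for host in $2; do
        printf '%s %s %s\n' "$host" "$service" \
            "$(hbac_output "$user" "$host" "$service" | hbac_summary)"
    done
}

# hbac_denied_count USER "HOSTS" SERVICE: number of hosts that denied the
# user; handy as a pass/fail signal in a scripted check.
hbac_denied_count() {
    hbac_report "$1" "$2" "$3" | awk '/ DENIED$/ { n++ } END { print n + 0 }'
}

# Usage with the thread's user and hosts (offline replay unless HBACTEST_LIVE=1):
hbac_report user1 "ipa-server.unixdev.petermac.org.au ipa-client.unixdev.petermac.org.au" sshd
```

To run it against a live domain, obtain a Kerberos ticket first and set `HBACTEST_LIVE=1`; the summary line for a host shows the matched rule names, so a host that is granted by a different rule than expected (as ipa-server is above, via "Cluster Admin Users (sudo)" rather than "Users") is visible at a glance, which is the first thing to compare with what sssd on that host reports in its own logs.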