After further testing, I've discovered that the dev system wasn't working
as well as I thought it was: HBAC and sshd don't seem to be playing well
together on one server, but fine on the other?
ie, I can run the same commands from both ipa-server and ipa-client:
ipa hbactest --user=user1 --host=ipa-server.unixdev.petermac.org.au
ipa hbactest --user=user1 --host=ipa-client.unixdev.petermac.org.au
and every response is:
to the ipa-client
Access granted: True
Matched rules: Admin Users (w sudo)
Matched rules: Users
to the ipa-server
Access granted: True
Matched rules: Cluster Admin Users (sudo)
Not matched rules: Cluster Users
but when I try to login to the ipa-server, I get an instance disconnect? I
can login happily to the ipa-client no problems.
Is there a special rule about sshd and the ipa-server?
The most dangerous phrase in the language is, "We've always done it this
- Grace Hopper
On 11 October 2016 at 14:06, Lachlan Musicman <data...@gmail.com> wrote:
> I've set up a test domain that's as much as possible the same as the prod
> domain, and successfully got a one way trust against the AD: cantos 7.2,
> ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3
> On that test domain I believe I have HBAC working successfully.
> Once I could show that it was working successfully on the test domain we
> updated all the clients in the prod domain to sssd 1.14.1-3, updated the
> IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.
> And it doesn't work? Two users could login, but none of the others could,
> and the sudo rules weren't applied in so much as the one user that could
> login but shouldn't have had sudo, did.
> I tried stopping sssd/clearing cache/start sssd/waiting; and stopping
> sssd/deleting /var/lib/sss/db/* /start sssd/waiting.
> Neither of those worked, so I enabled allow all again.
> Now I have a bunch of log files to look through, but no clear indication
> of what might have gone wrong from a quick read.
> I can see in the logs where one person is ok'd by HBAC for sshd and
> another two are denied - when they should have all been ok'd. And I can
> infer that the reasoning is that HBAC has declared person2 + person3 to not
> be in a group they most definitely are in from the error messages. But
> there is no indication of why sssd hasn't properly picked up that person2
> is in the correct group?
> I guess the question is, where do I start fixing this? Which logs should I
> be reading?
> What can I compare between the two set ups (dev and prod) that might give
> me insight, given that they are largely set up identically?
> The most dangerous phrase in the language is, "We've always done it this
> - Grace Hopper
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project