Jake, I've seen this behaviour and am still struggling to find a solution.
The version of underlying OS and sssd are useful to know fwiw. To trouble shoot HBAC: - in *target machine* sssd.conf, add debug_level=7 to each stanza (can go as high as 9, but I believe 7 will be sufficient) - restart sssd - clear logs in /var/log/sssd/ either by deleting or by logrotate - make an attempt to login/perform allowed action that gets denied - read logs to see what happened - I like to run `ipa hbactest --user= --host= --service` on the IPA node to confirm that the HBAC rules are correct - I sometimes also install ipa-tools on the target host and confirm that the above command gives same and correct answer - note that successful results from this command may not translate to successful application of HBAC on the target host in reality. cheers L. ------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 2 November 2016 at 09:41, Jake <free...@jacobdevans.com> wrote: > Hey All, > I'm having some issues tracing HBAC policies, it seems whenever I disable > the allow_all policy, I'm no longer able to access services I have allowed > in my more-specific hbac policy. > > What are the troubleshooting steps (logs) I can run on the client to see > what is being denied and by what policy, Is this all done with sssd? > > Thank You, > -Jake > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project