I've seen this behaviour and am still struggling to find a solution.
The versions of the underlying OS and sssd are useful to know, fwiw.
To troubleshoot HBAC:
- in the *target machine* sssd.conf, add debug_level=7 to each stanza (can go
  as high as 9, but I believe 7 will be sufficient)
- restart sssd
- clear logs in /var/log/sssd/ either by deleting or by logrotate
- make an attempt to log in/perform an allowed action that gets denied
- read logs to see what happened
- I like to run `ipa hbactest --user= --host= --service` on the IPA node
  to confirm that the HBAC rules are correct
- I sometimes also install ipa-tools on the target host and confirm that
  the above command gives the same and correct answer
- note that successful results from this command may not translate to
  successful application of HBAC on the target host in reality.
The most dangerous phrase in the language is, "We've always done it this
- Grace Hopper
On 2 November 2016 at 09:41, Jake <free...@jacobdevans.com> wrote:
> Hey All,
> I'm having some issues tracing HBAC policies, it seems whenever I disable
> the allow_all policy, I'm no longer able to access services I have allowed
> in my more-specific hbac policy.
> What are the troubleshooting steps (logs) I can run on the client to see
> what is being denied and by what policy? Is this all done with sssd?
> Thank You,
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
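The troubleshooting steps from the reply above, collected into one script as an added example (not code from either poster or from the FreeIPA/SSSD projects). The function names and the backup file name are made up here; the script assumes a systemd host with the config at /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example: the HBAC debugging steps from the reply, as one script.
# debug_level 7 and /var/log/sssd/ come from the post; function names are invented.

# Print config file $1 with "debug_level = $2" placed directly under every
# [section] header; existing (uncommented) debug_level lines are dropped.
set_sssd_debug_level() {
    awk -v lvl="$2" '
        /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
        /^[ \t]*\[[^]]+\]/ { print "debug_level = " lvl }
    ' "$1"
}

# Run as root on the target machine: hbac_debug_session USER HOST SERVICE
hbac_debug_session() {
    conf=/etc/sssd/sssd.conf
    backup="$conf.pre-hbac-debug"
    cp -p "$conf" "$backup" || return 1
    # Redirecting into the existing file keeps its owner and mode unchanged.
    set_sssd_debug_level "$backup" 7 > "$conf" || return 1
    systemctl restart sssd || return 1
    # Truncate instead of unlinking so the running sssd keeps writing to the same files.
    for f in /var/log/sssd/*.log; do
        [ -f "$f" ] && : > "$f"
    done
    printf 'Reproduce the denied login or action now, then press Enter: '
    read -r reply
    # First pass over the logs: every line that mentions HBAC.
    grep -i 'hbac' /var/log/sssd/*.log
    # Compare with what the server-side rules say (needs the ipa tools and a valid ticket).
    if command -v ipa >/dev/null 2>&1; then
        ipa hbactest --user="$1" --host="$2" --service="$3"
    else
        echo "On the IPA node run: ipa hbactest --user=$1 --host=$2 --service=$3"
    fi
    echo "When finished: cp -p $backup $conf && systemctl restart sssd"
}
```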