Details:

ipa-client-install --version
4.2.0
sssd --version
1.13.0
krb5-config --version
Kerberos 5 release 1.13.2
cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

I hope this helps. Also, can I disable the allow-all rule per-host?

Thanks,
Jake

From: "Lachlan Musicman" <data...@gmail.com>
Cc: "freeipa-users" <freeipa-users@redhat.com>
Sent: Tuesday, November 1, 2016 7:04:45 PM
Subject: Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)

Jake,

I've seen this behaviour and am still struggling to find a solution. The version of underlying OS and sssd are useful to know fwiw.

To troubleshoot HBAC:

- in *target machine* sssd.conf, add debug_level=7 to each stanza (can go as high as 9, but I believe 7 will be sufficient)
- restart sssd
- clear logs in /var/log/sssd/ either by deleting or by logrotate
- make an attempt to login/perform allowed action that gets denied
- read logs to see what happened
- I like to run `ipa hbactest --user= --host= --service` on the IPA node to confirm that the HBAC rules are correct
- I sometimes also install ipa-tools on the target host and confirm that the above command gives same and correct answer
- note that successful results from this command may not translate to successful application of HBAC on the target host in reality.

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 2 November 2016 at 09:41, Jake <free...@jacobdevans.com> wrote:

Hey All,

I'm having some issues tracing HBAC policies. It seems whenever I disable the allow_all policy, I'm no longer able to access services I have allowed in my more-specific hbac policy.

What are the troubleshooting steps (logs) I can run on the client to see what is being denied and by what policy? Is this all done with sssd?

Thank You,
-Jake

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
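The first step of the procedure in the thread (add debug_level to each stanza of the target machine's sssd.conf), as an added example that is not part of the original messages. The function names, the temporary files and the sample configuration with its example.test domain are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: set debug_level in every stanza of an
# sssd.conf-style file and check which stanzas still lack it.

# set_sssd_debug_level FILE LEVEL -> rewritten config on stdout (FILE untouched)
set_sssd_debug_level() {
    awk -v lvl="$2" '
        # Stanza header: print it, then the wanted debug_level right below it.
        /^[ \t]*\[.*\][ \t]*$/ { print; print "debug_level = " lvl; in_stanza = 1; next }
        # Drop any older debug_level line so each stanza ends up with exactly one.
        in_stanza && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# stanzas_without_debug FILE -> headers of stanzas that have no debug_level
stanzas_without_debug() {
    awk '
        function report() { if (name != "" && !seen) print name }
        /^[ \t]*\[.*\][ \t]*$/ { report(); name = $0; seen = 0; next }
        /^[ \t]*debug_level[ \t]*=/ { seen = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample config; example.test is a placeholder domain.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
debug_level = 2

[pam]
EOF

echo "Stanzas without debug_level before the change:"
stanzas_without_debug "$sample"

patched=$(mktemp)
set_sssd_debug_level "$sample" 7 > "$patched"
echo "Rewritten config:"
cat "$patched"
```

The remaining steps from the thread (restart sssd, clear /var/log/sssd/, retry the denied action, read the logs) are run by hand on the target host once the rewritten file has been reviewed and put in place.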