On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
> It seems something got corrupted in my ipa setup. I found this in the
> sssd log file on Wheezy:
> 
> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [allow_all]
> (Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on [cn=System: Manage Host Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]

Looks like there was a replication conflict, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
for how to resolve it.

We already have a ticket for SSSD to ignore those objects, but
unfortunately there is currently no patch available for SSSD so you have
to resolve the replication conflict to get it working again.

HTH

bye,
Sumit

> (Tue Jan 17 10:19:02 2017) [hbac_ctx_to_rules] (0x0020): Could not construct eval request
> (Tue Jan 17 10:19:02 2017) [ipa_hbac_evaluate_rules] (0x0020): Could not construct HBAC rules
> (Tue Jan 17 10:19:02 2017) [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
> (Tue Jan 17 10:19:02 2017) [be_pam_handler_callback] (0x0100): Sending result [4][example.de]
> (Tue Jan 17 10:19:02 2017) [be_pam_handler_callback] (0x0100): Sent result [4][example.de]
> 
> This happens on a login via ssh, or if I run "su - username" as
> root. The su session gives just a warning, but for sshd I have to
> disable pam to allow remote logins.
> 
> Complete log is attached, of course.
> 
> 
> Every helpful comment is highly appreciated.
> Harri

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
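
Added example, not part of the thread and not code from SSSD or FreeIPA: the DN that SSSD fails to parse has `nsuniqueid` in its first RDN, which is how 389 Directory Server renames an entry after a naming conflict in replication. The sketch below re-joins wrapped SSSD log lines and lists such DNs; the sample log is constructed from the lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the SSSD lines quoted in the thread; the
# hard line wraps added by the mail client are kept on purpose.
SAMPLE_LOG = """\
(Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing
source hosts for rule [allow_all]
(Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on
[cn=System: Manage Host
Principals+nsuniqueid=109be36e-ccd911e6-a5b3d0c8-d8da17db,cn=permissions,cn=pbac,dc=example,dc=de]
"""

RECORD = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): ")
PARSE_ERROR = re.compile(r"Parse error on \[(?P<dn>.+)\]\s*$")


def unwrap(text):
    """Re-join wrapped records: a line that does not start a record continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def conflict_entries(text):
    """Return (function, nsuniqueid, dn) for parse errors whose first RDN carries nsuniqueid."""
    hits = []
    for rec in unwrap(text):
        m = PARSE_ERROR.search(rec)
        if not m:
            continue
        dn = m.group("dn")
        # Simplification: a ',' or '+' preceded by a backslash is treated as escaped.
        first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
        for part in re.split(r"(?<!\\)\+", first_rdn):
            attr, _, value = part.partition("=")
            if attr.strip().lower() == "nsuniqueid":
                hits.append((RECORD.match(rec).group("func"), value.strip(), dn))
    return hits


if __name__ == "__main__":
    for func, uid, dn in conflict_entries(SAMPLE_LOG):
        print(f"{func}: replication-conflict entry {uid}\n  {dn}")
```

On the directory server itself, conflict entries can be found with the LDAP filter `(nsds5ReplConflict=*)`.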
