Hi, I am running a FreeIPA server version 4.4.0 and have set up HBAC rules which work fine.

However, just on one single host, I am seeing this issue wherein it is not allowing me ssh access. When I check my HBAC permissions, it says access granted, but on trying to login, it blocks me.

On the FreeIPA server:

    ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd
    --------------------
    Access granted: True
    --------------------
      Matched rules: ipa-alluser-access
      Not matched rules: ipa-alluser-sudo-access

On the client I get this message while doing an ssh: "Connection closed by 10.0.30.28".

In /var/log/secure I see these messages:

    Feb 5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
    Feb 5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
    Feb 5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 port 40540 ssh2
    Feb 5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]

In /var/log/sssd/sssd_domain.log I see this error at the end:

    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x1000): Waiting for child [26795].
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].

But a few lines above, I see that I was allowed in by the HBAC rule:

    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #12]: Receiving request data.
    (Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #12]: Request removed.

I was allowed in per the HBAC rule. Not sure what's blocking me.

Thanks
Rakesh
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
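Editor's added example (not part of Rakesh's post, and not SSSD or FreeIPA code): a small Python script that correlates the two logs quoted above to separate "denied by HBAC" from "HBAC allowed, but a later account-phase step failed". It parses the pam_sss lines from /var/log/secure and the backend lines from the SSSD domain log, using regexes fitted to the message formats shown in the post. The sample lines embedded below are constructed to match the post's shape (same PIDs, user and rule names) and are not the real logs; the PAM return-code table is the standard Linux-PAM numbering.

```python
"""Correlate pam_sss lines from /var/log/secure with an SSSD domain log to find
which step of the PAM account phase refused a login. Added example; the log
lines are constructed after the ones in the mailing-list post."""
import re

# Standard Linux-PAM return codes, as logged by pam_sss ("...: 4 (System error)").
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

# Constructed sample lines (shape copied from the post, not the poster's real logs).
SECURE_LOG = """\
Feb 5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb 5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
Feb 5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 port 40540 ssh2
Feb 5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]
"""
SSSD_LOG = """\
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x1000): Waiting for child [26795].
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].
"""

PAM_SSS_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:(?P<stage>\w+)\): (?P<msg>.*)$")
DENIED_RE = re.compile(r"Access denied for user (?P<user>\S+): (?P<code>\d+)")
USER_RE = re.compile(r"\buser=(?P<user>\S+)")          # \b keeps "ruser=" from matching
HBAC_ALLOW_RE = re.compile(r"\[hbac_evaluate\] \(0x[0-9a-f]+\): ALLOWED by rule \[(?P<rule>[^\]]+)\]")
DP_REQ_RE = re.compile(r"DP Request \[(?P<kind>PAM \w+) #(?P<rid>\d+)\]")
DP_RESULT_RE = re.compile(r"DP Request \[PAM Account #\d+\]: Sending result \[(?P<code>\d+)\]")
CHILD_FAIL_RE = re.compile(r"child \[(?P<pid>\d+)\] failed with status \[(?P<status>\d+)\]")


def parse_secure(text, user):
    """Return the pam_sss auth and account outcomes for `user` from sshd lines."""
    auth_ok, account_code = False, None
    for line in text.splitlines():
        m = PAM_SSS_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if m.group("stage") == "auth" and "authentication success" in msg:
            um = USER_RE.search(msg)
            if um and um.group("user") == user:
                auth_ok = True
        elif m.group("stage") == "account":
            dm = DENIED_RE.search(msg)
            if dm and dm.group("user") == user:
                account_code = int(dm.group("code"))
    return {"auth_ok": auth_ok, "account_code": account_code}


def parse_sssd(text):
    """Collect HBAC allow decisions, DP request kinds, the account result and child failures."""
    info = {"hbac_rules": [], "request_kinds": set(), "account_result": None, "child_failures": []}
    for line in text.splitlines():
        if (m := HBAC_ALLOW_RE.search(line)):
            info["hbac_rules"].append(m.group("rule"))
        if (m := DP_REQ_RE.search(line)):
            info["request_kinds"].add(m.group("kind"))
        if (m := DP_RESULT_RE.search(line)):
            info["account_result"] = int(m.group("code"))
        if (m := CHILD_FAIL_RE.search(line)):
            info["child_failures"].append((int(m.group("pid")), int(m.group("status"))))
    return info


def diagnose(secure_text, sssd_text, user):
    """Combine both logs and state which step of the account phase refused the login."""
    sec, be = parse_secure(secure_text, user), parse_sssd(sssd_text)
    code = sec["account_code"] if sec["account_code"] is not None else be["account_result"]
    findings = []
    if be["hbac_rules"]:
        findings.append("HBAC granted access via rule(s): " + ", ".join(be["hbac_rules"]))
    if code is not None:
        findings.append("PAM account phase returned %d (%s)" % (code, PAM_CODES.get(code, "unknown")))
    if be["hbac_rules"] and code == 4:
        findings.append("denial is not an HBAC decision: an account-phase step after HBAC hit a system error")
    if "PAM SELinux" in be["request_kinds"]:
        findings.append("a PAM SELinux request ran in the same window")
    for pid, status in be["child_failures"]:
        findings.append("backend helper child %d exited with status %d" % (pid, status))
    return {"auth_ok": sec["auth_ok"], "hbac_rules": be["hbac_rules"], "account_code": code,
            "account_code_name": PAM_CODES.get(code, "unknown") if code is not None else None,
            "selinux_request_seen": "PAM SELinux" in be["request_kinds"],
            "child_failures": be["child_failures"], "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SECURE_LOG, SSSD_LOG, "p-testhbac")["findings"]:
        print("-", finding)
```

On the post's logs the script reports: HBAC granted via ipa-alluser-access, account phase returned 4 (PAM_SYSTEM_ERR), a PAM SELinux request in the same window, and child 26795 exiting with status 1. Code 4 is a system error, not a policy denial (HBAC denials come back as permission denied), so the HBAC rules are not the thing to debug here; in SSSD's IPA provider the account phase also runs a SELinux user-map step after HBAC, which is the [PAM SELinux #13] request and the failing helper child in the log, and that is the step I would examine next on the affected host.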
