Hi,

I am running a FreeIPA server, version 4.4.0, and have set up HBAC rules which
work fine.

However, on just one single host, I am seeing this issue where it is not
allowing me SSH access.
When I check my HBAC permissions, it says access granted, but on trying to
log in, it blocks me.

On the FreeIPA server:
ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd

--------------------
Access granted: True
--------------------
  Matched rules: ipa-alluser-access
  Not matched rules: ipa-alluser-sudo-access

On the client I get this message when doing an ssh: "Connection closed by
10.0.30.28".

In /var/log/secure I see these messages:
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 port 40540 ssh2
Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]

In /var/log/sssd/sssd_domain.log I see this error at the end:

(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x1000): Waiting for child [26795].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].



But a few lines above, I see that I was allowed in by the HBAC rule:

(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #12]: Receiving request data.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #12]: Request removed.

I was allowed in per the HBAC rule.

Not sure what's blocking me.


Thanks
Rakesh
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
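An added triage example (not part of the original post, and not SSSD's or FreeIPA's own tooling): a small Python script that re-joins mail-wrapped SSSD debug lines, pulls out the HBAC decision, the result code of every DP request, and any helper-child failure, then flags exactly the combination shown above: an HBAC allow followed by a non-zero "PAM Account" result. It also reads the pam_sss account-phase line from /var/log/secure so the two codes can be compared. The log text inside the script is constructed from the excerpts in the post; the regexes are written for those message formats and are assumptions for anything else SSSD may log.

```python
"""Triage helper for the symptom in the post: SSSD's HBAC evaluation says
ALLOWED, yet the PAM account phase returns a non-zero code and sshd closes
the connection. Added example; log text below is constructed from the post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One SSSD debug line: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[[^ ]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Message shapes taken from the lines quoted in the post (assumed stable).
HBAC_ALLOW_RE = re.compile(r"(?:ALLOWED by rule|Access granted by HBAC rule) \[(?P<rule>[^\]]+)\]")
DP_REQ_RE = re.compile(r"DP Request \[(?P<name>.+?) #(?P<num>\d+)\]: (?P<rest>.*)")
DP_RESULT_RE = re.compile(r"Sending result \[(?P<code>\d+)\]")
CHILD_FAIL_RE = re.compile(r"child \[(?P<pid>\d+)\] failed with status \[(?P<status>\d+)\]")
# /var/log/secure line written by pam_sss in the account phase.
SECURE_ACCT_RE = re.compile(
    r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]+)\)"
)


def unwrap(text: str) -> List[str]:
    """Re-join lines a mail client wrapped: a physical line that does not
    start with '(' continues the previous SSSD log line."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("(") or not out:
            out.append(line)
        else:
            out[-1] = out[-1] + " " + line
    return out


@dataclass
class Triage:
    hbac_allowed_by: Optional[str] = None
    dp_requests: List[str] = field(default_factory=list)       # e.g. "PAM Account #12", in order seen
    dp_results: Dict[str, int] = field(default_factory=dict)   # request -> code from "Sending result [n]"
    child_failures: List[Tuple[int, int]] = field(default_factory=list)   # (pid, exit status)
    secure_denial: Optional[Tuple[str, int, str]] = None       # (user, PAM code, text) from /var/log/secure

    def account_result(self) -> Optional[int]:
        """Code SSSD sent back for the PAM account request, if one was logged."""
        for name, code in self.dp_results.items():
            if name.startswith("PAM Account"):
                return code
        return None

    def hbac_vs_account_mismatch(self) -> bool:
        """The contradiction in the post: HBAC granted, account phase still failed."""
        return self.hbac_allowed_by is not None and self.account_result() not in (None, 0)

    def findings(self) -> List[str]:
        out = [f"HBAC: allowed by rule [{self.hbac_allowed_by}]" if self.hbac_allowed_by
               else "HBAC: no allow decision seen"]
        out += [f"{req}: result {code}" for req, code in self.dp_results.items()]
        if self.hbac_vs_account_mismatch():
            out.append("HBAC allowed but the account phase failed, so HBAC is not what denied "
                       "this login; look at the other requests and child failures in the same window")
        out += [f"helper child [{pid}] exited with status {status}" for pid, status in self.child_failures]
        if self.secure_denial:
            user, code, text = self.secure_denial
            out.append(f"/var/log/secure: pam_sss account phase denied {user}: {code} ({text})")
        return out


def triage_logs(sssd_log: str, secure_log: str = "") -> Triage:
    t = Triage()
    for line in unwrap(sssd_log):
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (h := HBAC_ALLOW_RE.search(msg)):
            t.hbac_allowed_by = h.group("rule")
        elif (d := DP_REQ_RE.search(msg)):
            name = f"{d.group('name')} #{d.group('num')}"
            if name not in t.dp_requests:
                t.dp_requests.append(name)
            if (r := DP_RESULT_RE.search(d.group("rest"))):
                t.dp_results[name] = int(r.group("code"))
        elif (c := CHILD_FAIL_RE.search(msg)):
            t.child_failures.append((int(c.group("pid")), int(c.group("status"))))
    for line in secure_log.splitlines():
        if (s := SECURE_ACCT_RE.search(line)):
            t.secure_denial = (s.group("user"), int(s.group("code")), s.group("text"))
    return t


# Constructed sample input, copied from the post's excerpts (wrapping kept on purpose).
SSSD_LOG = """\
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule
[ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].
"""
SECURE_LOG = "Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)\n"

if __name__ == "__main__":
    for finding in triage_logs(SSSD_LOG, SECURE_LOG).findings():
        print(finding)
```

Run against a real sssd_<domain>.log and /var/log/secure by reading both files into the two arguments. On the post's own lines it reports the HBAC allow by ipa-alluser-access, the PAM Account #12 result of 4, the mismatch, the child 26795 exiting with status 1, and confirms that the 4 in /var/log/secure ("System error") is the same code SSSD sent back.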