Did you check /var/log/messages and /var/log/secure? I think I’ve seen problems with hosts.allow/hosts.deny dump output in there.
Dan

On Feb 5, 2017, at 8:17 AM, Rakesh Rajasekharan <rakesh.rajasekha...@gmail.com> wrote:

Hi,

I am running a freeipa server version 4.4.0 and have set up hbac rules which work fine. However, just on one single host, I am seeing this issue wherein it is not allowing me ssh access.

When I check my hbac permissions, it says access granted, but on trying to login it blocks me.

On the Freeipa server:

ipa hbactest --user=p-testhbac --host=<my-test-host> --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: ipa-alluser-access
Not matched rules: ipa-alluser-sudo-access

On the client I get this message while doing an ssh: "Connection closed by 10.0.30.28".

In /var/log/secure I see these messages:

Feb 5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb 5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
Feb 5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 port 40540 ssh2
Feb 5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]

In /var/log/sssd/sssd_domain.log I see this error at the end:

(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x1000): Waiting for child [26795].
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].

But a few lines above, I see that I was allowed in by the hbac rule:

(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #12]: Receiving request data.
(Sun Feb 5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #12]: Request removed.

I was allowed in per the HBAC rule. Not sure what's blocking me.

Thanks
Rakesh

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
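An added triage helper, not code from the thread or from the SSSD project: it parses sssd_domain.log lines of the kind quoted above and flags the pattern Rakesh shows, an HBAC ALLOWED verdict followed by a non-zero PAM Account reply while a backend child exits with an error. The sample log is re-assembled from the quoted lines, and the PAM code names are Linux-PAM's return codes.

```python
import re

# Constructed sample: the sssd_domain.log lines quoted in the thread, re-assembled
# in one place (request numbers, pid and domain are the thread's own values).
SSSD_LOG = """\
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].
"""
# One sssd debug line: "(timestamp) [sssd[be[domain]]] [function] (level): message"
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Linux-PAM return codes (subset); both "Sending result [N]" in the backend log and
# pam_sss's "Access denied ...: N (...)" in /var/log/secure report this number.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

def parse(log):
    """Yield the fields of every well-formed sssd log line, skipping the rest."""
    for line in log.splitlines():
        if m := LINE_RE.match(line):
            yield m.groupdict()

def triage(log):
    """Correlate HBAC verdicts, PAM Account replies and backend child exits."""
    hbac_allowed, pam_results, failed_children = [], {}, []
    for rec in parse(log):
        msg = rec["msg"]
        if m := re.match(r"ALLOWED by rule \[([^\]]+)\]", msg):
            hbac_allowed.append(m.group(1))
        elif m := re.match(r"DP Request \[PAM Account #(\d+)\]: Sending result \[(\d+)\]", msg):
            pam_results[int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"child \[(\d+)\] failed with status \[(\d+)\]", msg):
            failed_children.append((int(m.group(1)), int(m.group(2))))
    denied = {rid: code for rid, code in pam_results.items() if code != 0}
    return {"hbac_allowed": hbac_allowed, "pam_account_denied": denied,
            "failed_children": failed_children,
            "hbac_ok_but_account_denied": bool(hbac_allowed) and bool(denied)}

if __name__ == "__main__":
    r = triage(SSSD_LOG)
    for rid, code in r["pam_account_denied"].items():
        print(f"PAM Account #{rid} -> {code} ({PAM_CODES.get(code, 'unknown')}); HBAC allowed by {r['hbac_allowed']}")
    for pid, status in r["failed_children"]:
        print(f"backend child {pid} exited {status}: look at the child request (here PAM SELinux) that ran with it")
```

A reply of 4 after a successful HBAC evaluation points at a later step of the account phase (here the SELinux child) rather than at the rules themselves, which is why hbactest on the server still says "Access granted".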