Also, check your sshd configuration; there might be some restriction in there.

Dan

> On Feb 5, 2017, at 8:21 AM, Sullivan, Daniel [CRI] 
> <dsulliv...@bsd.uchicago.edu> wrote:
> 
> Did you check /var/log/messages and /var/log/secure?  I think I’ve seen 
> problems with hosts.allow/hosts.deny dump output in there.
> 
> Dan
> 
> On Feb 5, 2017, at 8:17 AM, Rakesh Rajasekharan 
> <rakesh.rajasekha...@gmail.com> wrote:
> 
> Hi,
> 
> I am running a FreeIPA server version 4.4.0 and have set up HBAC rules, which 
> work fine.
> 
> However, on just one single host I am seeing an issue where it does not 
> allow me ssh access.
> When I check my HBAC permissions, it says access is granted, but on trying to 
> log in it blocks me.
> 
> On the Freeipa server
> ipa hbactest --user=p-testhbac --host=>my-test-host> --service=sshd
> 
> --------------------
> Access granted: True
> --------------------
>  Matched rules: ipa-alluser-access
>  Not matched rules: ipa-alluser-sudo-access
> 
> On the client I get this message while doing an ssh "Connection closed by 
> 10.0.30.28".
> 
> In /var/log/secure I see these messages:
> Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
> Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
> Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from 10.0.4.6 port 40540 ssh2
> Feb  5 13:57:41 10 sshd[26692]: fatal: Access denied for user p-testhbac by PAM account configuration [preauth]
> 
> In /var/log/sssd/sssd_domain.log I see this error at the end:
> 
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x1000): Waiting for child [26795].
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].
> 
> But a few lines above, I see that I was allowed in by the HBAC rule:
> 
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [ipa-alluser-access]
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #12]: Receiving request data.
> (Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #12]: Request removed.
> 
> I was allowed in per the HBAC rule.
> 
> Not sure what's blocking me.
> 
> Thanks
> Rakesh
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


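The logs quoted in the thread show HBAC allowing the login while the PAM account phase still returns 4 (System error) and an SSSD child exits with status 1. The triage helper below is an added example, not code from the thread or from SSSD: it parses log lines of that shape and separates an HBAC denial from a failure later in the account phase. The sample lines are constructed after the quoted excerpts, and the PAM code names are taken from `<security/_pam_types.h>`.

```python
import re
# Constructed sample lines shaped like the sssd_domain.log and /var/log/secure
# excerpts quoted in the thread (timestamps, pids and request ids are illustrative).
SSSD_LOG = """\
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [hbac_evaluate] (0x0100): ALLOWED by rule [ipa-alluser-access].
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #12]: Request handler finished [0]: Success
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] (0x0400): DP Request [PAM SELinux #13]: Request removed.
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #12]: Sending result [4][mydomain.com]
(Sun Feb  5 13:57:41 2017) [sssd[be[mydomain.com]]] [child_sig_handler] (0x0020): child [26795] failed with status [1].
"""
SECURE_LOG = """\
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for user p-testhbac: 4 (System error)
"""
SSSD_RE = re.compile(r"^\(([^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[(\w+)\] \((0x[0-9a-f]+)\): (.*)$")
PAM_ACCT_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user \S+: (\d+)")
# PAM return codes as defined in <security/_pam_types.h>.
PAM_CODES = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}

def triage(sssd_log: str, secure_log: str) -> dict:
    """Tell an HBAC denial apart from a failure later in the PAM account phase."""
    allowed_by, acct_result, failed_children = [], None, []
    for line in sssd_log.splitlines():
        m = SSSD_RE.match(line)
        if not m:
            continue
        _ts, func, _lvl, msg = m.groups()
        if func == "hbac_evaluate" and msg.startswith("ALLOWED by rule"):
            allowed_by.append(msg.split("[", 1)[1].rstrip("]."))
        elif func == "dp_pam_reply" and "[PAM Account" in msg:
            acct_result = int(re.search(r"Sending result \[(\d+)\]", msg).group(1))
        elif func == "child_sig_handler" and "failed with status" in msg:
            pid, status = map(int, re.findall(r"\[(\d+)\]", msg))
            failed_children.append((pid, status))
    # What sshd saw: the code pam_sss logged in the account phase.
    pam_codes = [int(c) for c in PAM_ACCT_RE.findall(secure_log)]
    if not allowed_by:
        verdict = "no HBAC ALLOWED line: the rule did not match, review HBAC"
    elif acct_result not in (None, 0):
        verdict = "HBAC allowed but account phase failed: not an HBAC decision, inspect the failing child"
    else:
        verdict = "account phase succeeded"
    return {"hbac_allowed_by": allowed_by, "pam_account_result": acct_result,
            "pam_account_code": PAM_CODES.get(acct_result, "unknown"),
            "secure_log_agrees": acct_result in pam_codes,
            "failed_children": failed_children, "verdict": verdict}
if __name__ == "__main__":
    for key, value in triage(SSSD_LOG, SECURE_LOG).items():
        print(f"{key}: {value}")
```

Run against real files with `triage(open(sssd_path).read(), open(secure_path).read())`; a non-zero account result after an ALLOWED line points at whatever ran after HBAC, not at the rule set.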