On Sun, Feb 05, 2017 at 07:47:43PM +0530, Rakesh Rajasekharan wrote:
> Hi,
> 
> I am running a freeipa server version 4.4.0 and have setup hbac rules which
> work fine
> 
> However, just on one single host , I am seeing this issue wherein it is not
> allowing me ssh access.
> When I check my hbac permissions.. it say access granted but on trying to
> login.. it blocks me
> 
> On the Freeipa server
> ipa hbactest --user=p-testhbac --host=>my-test-host> --service=sshd
> 
> --------------------
> Access granted: True
> --------------------
>   Matched rules: ipa-alluser-access
>   Not matched rules: ipa-alluser-sudo-access
> 
> On the client I get this message while doing an ssh "Connection closed by
> 10.0.30.28".
> 
> In /var/log/secure I see these messages
> Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:auth): authentication success;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.4.6 user=p-testhbac
> Feb  5 13:57:41 10 sshd[26692]: pam_sss(sshd:account): Access denied for
> user p-testhbac: 4 (System error)

If SSSD throws a System Error, you really need to look into SSSD's logs
-- System Error is kind of an unhandled exception in SSSD's code.

> Feb  5 13:57:41 10 sshd[26692]: Failed password for p-testhbac from
> 10.0.4.6 port 40540 ssh2

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to