On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote:
> I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure
> if better to report to here or sssd mailing list. Also sssd in pagure is
> bare and I didn't want to sully the blank slate. (
> https://pagure.io/sssd/issues )
>
> The details:
>
> env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR
>
> On the IPA server:
>
> - "ipa hbactest ..." returns TRUE, so everything seems set up correctly.
>
> When I try to login to the test client, I get denied.
>
> On the test client:
>
> - hbac_eval_user_element is returning a wrong value. This is seen in
> sssd_domain.log, it's returning 25. My test user is in 37 groups. This is
> seen on the IPA server via id username. On the test client id username
> returns 36 groups, the one missing is an IPA (not AD) group that was made
> for HBAC rules. I have sanitized logs available.
>
> - taking ldbsearch -H /var/lib/sss/db/cache_domain.com.ldb
> '(objectclass=user)' and finding the record in question shows the same 36
> groups available. The missing group shouldn't affect ability to login via
> HBAC
>
> - getent group (groupname) works as expected. Also worth noting that the
> group missing from id username shows that user in getent.
>
> For reference, on the client the sssd service was stopped, the cache
> deleted, and the service started again the night before after which the
> server wasn't accessed by anyone. I find that this is necessary for the
> cache to populate.
>
> Should I put in a bug report against SSSD or FreeIPA?
>
> While HBAC is in FreeIPA, I think that this is an issue in SSSD
> (specifically ?
Yes, SSSD. I remember you had some intermittent issues in the past, is this one reproducible?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
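The check the original poster did by hand (comparing the groups `id username` reports on the client against the groups whose `getent group` member list contains that user) is the kind of thing worth scripting when chasing an HBAC denial, since a group present in the membership view but absent from the user's supplementary list is exactly what `hbac_eval_user_element` will not see. The script below is an added example, not code from the thread or from SSSD/FreeIPA; the `id` line and the `getent group` output it works on are constructed sample data, and the function names are mine.

```bash
#!/usr/bin/env bash
# Cross-check a user's group membership as reported by `id` against the
# member lists returned by `getent group`. Added example; the sample
# outputs below are constructed and stand in for real command output
# (e.g. "$(id alice)" and "$(getent group)").

# Extract group names from one line of `id` output, e.g.
# "uid=1000(alice) gid=1000(alice) groups=1000(alice),2001(dev-team)"
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# From getent-style "name:x:gid:member1,member2" lines on stdin, print the
# groups whose member list contains the given user (supplementary groups
# only; the primary group has an empty member field by convention).
getent_groups_for_user() {
    local user="$1"
    awk -F: -v u="$user" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# Print groups present in the getent membership view but absent from `id`.
# Args: user, one line of `id` output, `getent group` output (multi-line).
groups_missing_from_id() {
    local user="$1" idline="$2" getent_out="$3"
    {
        id_groups "$idline" | sed 's/^/ID /'
        printf '%s\n' "$getent_out" | getent_groups_for_user "$user" | sed 's/^/GE /'
    } | awk '$1 == "ID" { seen[$2] = 1 }
             $1 == "GE" { ge[$2] = 1 }
             END { for (g in ge) if (!(g in seen)) print g }' | sort
}

# Constructed sample data: alice is listed as a member of hbac-login-allow
# in the group database, but that group does not appear in her `id` output.
ID_SAMPLE='uid=1000(alice) gid=1000(alice) groups=1000(alice),2001(dev-team),2002(ops)'
GETENT_SAMPLE='alice:x:1000:
dev-team:x:2001:alice,bob
ops:x:2002:alice
hbac-login-allow:x:2003:alice,carol
admins:x:2004:bob'

# Stand-alone run: report the discrepancy for the sample user.
printf 'Groups listing alice in getent but missing from id:\n'
groups_missing_from_id alice "$ID_SAMPLE" "$GETENT_SAMPLE"
```

On a real client you would feed it `"$(id "$user")"` and `"$(getent group)"`; an empty result means the two views agree, and any group it prints is the one to look for in `sssd_domain.log` and in the cache `.ldb` with `ldbsearch`.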