On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote:
> I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure
> if better to report to here or sssd mailing list. Also sssd in pagure is
> bare and I didn't want to sully the blank slate.  (
> https://pagure.io/sssd/issues )
> 
> The details:
> 
> env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR
> 
> On the IPA server:
> 
> - "ipa hbactest ..." returns TRUE, so everything seems set up correctly.
> 
> 
> When I try to login to the test client, I get denied.
> 
> On the test client:
> 
>  - hbac_eval_user_element is returning a wrong value. This is seen in
> sssd_domain.log, it's returning 25. My test user is in 37 groups. This is
> seen on the IPA server via id username. On the test client id username
> returns 36 groups, the one missing is an IPA (not AD) group that was made
> for HBAC rules. I have sanitized logs available.
> 
>  -  taking ldbsearch -H /var/lib/sss/db/cache_domain.com.ldb
> '(objectclass=user)' and finding the record in question shows the same 36
> groups available. The missing group shouldn't affect ability to login via
> HBAC
> 
>  - getent group (groupname) works as expected. Also worth noting that the
> group missing from id username shows that user in getent.
> 
> For reference, on the client the sssd service was stopped, the cache
> deleted, and the service started again the night before after which the
> server wasn't accessed by anyone. I find that this is necessary for the
> cache to populate.
> 
> Should I put in a bug report against SSSD or FreeIPA?
> 
> While HBAC is in FreeIPA, I think that this is an issue in SSSD
> (specifically ?

Yes, SSSD.

I remember you had some intermittent issues in the past, is this one
reproducable?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to