Re: [Freeipa-users] Help with debugging HBACs

2015-02-16 Thread Andrew Egelhofer
Thank you for the reply Sumit - I will look into updating the version of
sssd. If that doesn't work, I will also try adding the
'sourceHostCategory' attribute to rules. Though, I would imagine I would
have to do this for *all* rules if I want them to work as intended. I'll
report back my findings tomorrow.

Thanks,
-Andrew

On Mon, Feb 16, 2015 at 12:40 AM, Sumit Bose sb...@redhat.com wrote:

 On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
  Hi FreeIPA Users-
 
  I've deployed a FreeIPA instance in my Lab, and enrolled a single host, and
  a single user ('testuser'). The only HBAC rule I currently have is the
  stock allow_all. Yet, when I attempt to log into the host via ssh, it
  closes the connection.
 
  $ ssh testuser@host
  Warning: Permanently added 'host,host-ip' (RSA) to the list of known
  hosts.
  testuser@host's password:
  Connection closed by host-ip
 
  The host I'm attempting to login to can correctly look up the user using
  getent:
 
  # getent passwd testuser
  testuser:*:16843:16843:Test User:/home/testuser:/bin/bash
 
  Scanning /var/log/secure, I see these entries:
 
  Feb 14 12:01:50 host sshd[6528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
  Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
  Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
 
  That tells me (from reading online) the user / password was correctly
  authenticated, but failed authorization due to HBAC rules. I've tested the
  rule using the 'hbactest' utility and it passes:
 
  [root@Master ~]# ipa hbactest --user=testuser --host=host --service=sshd
  
  Access granted: True
  
    Matched rules: allow_all
 
  I'm at a loss here, because if I comment out the line:
 
  account [default=bad success=ok user_unknown=ignore] pam_sss.so
 
  in /etc/pam.d/system-auth, the user is able to log in.
 
  So what am I missing here? Is there a way I can debug HBAC rules? I've
  already set debug_level = 10 in /etc/sssd/sssd.conf, and I see it's able to
  access the HBAC 'allow_all' rule in the log /var/log/sssd/sssd_domain.dc.log:
 
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [sdap_get_generic_done] (7): Total count [0]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule]
  (7): Processing rule [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
  (5): Category is set to 'all'.
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_service_attrs_to_rule] (7): Processing PAM services for rule
  [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
  (5): Category is set to 'all'.
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
  (5): Category is set to 'all'.
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (7): [12] groups for [admin]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (7): Added group [admins] for user [admin]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication
  administrators,cn=privileges,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
  replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify
  replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove
  replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host
  enrollment,cn=privileges,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host
  keytab,cn=permissions,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
  

Re: [Freeipa-users] Help with debugging HBACs

2015-02-16 Thread Sumit Bose
On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
 Hi FreeIPA Users-
 
 I've deployed a FreeIPA instance in my Lab, and enrolled a single host, and
 a single user ('testuser'). The only HBAC rule I currently have is the
 stock allow_all. Yet, when I attempt to log into the host via ssh, it
 closes the connection.
 
 $ ssh testuser@host
 Warning: Permanently added 'host,host-ip' (RSA) to the list of known
 hosts.
 testuser@host's password:
 Connection closed by host-ip
 
 The host I'm attempting to login to can correctly look up the user using
 getent:
 
 # getent passwd testuser
 testuser:*:16843:16843:Test User:/home/testuser:/bin/bash
 
 Scanning /var/log/secure, I see these entries:
 
 Feb 14 12:01:50 host sshd[6528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
 Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
 Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
 
 That tells me (from reading online) the user / password was correctly
 authenticated, but failed authorization due to HBAC rules. I've tested the
 rule using the 'hbactest' utility and it passes:
 
 [root@Master ~]# ipa hbactest --user=testuser --host=host --service=sshd
 
 Access granted: True
 
   Matched rules: allow_all
 
 I'm at a loss here, because if I comment out the line:
 
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 
 in /etc/pam.d/system-auth, the user is able to log in.
 
 So what am I missing here? Is there a way I can debug HBAC rules? I've
 already set debug_level = 10 in /etc/sssd/sssd.conf, and I see it's able to
 access the HBAC 'allow_all' rule in the log /var/log/sssd/sssd_domain.dc.log:
 
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [sdap_get_generic_done] (7): Total count [0]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule]
 (7): Processing rule [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
 (5): Category is set to 'all'.
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_service_attrs_to_rule] (7): Processing PAM services for rule
 [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
 (5): Category is set to 'all'.
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
 (5): Category is set to 'all'.
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (7): [12] groups for [admin]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (7): Added group [admins] for user [admin]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication
 administrators,cn=privileges,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
 replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify
 replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove
 replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host
 enrollment,cn=privileges,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host
 keytab,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
 host,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
 krbprincipalname to a host,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=unlock user
 accounts,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf 

[Freeipa-users] Help with debugging HBACs

2015-02-14 Thread Andrew Egelhofer
Hi FreeIPA Users-

I've deployed a FreeIPA instance in my Lab, and enrolled a single host, and
a single user ('testuser'). The only HBAC rule I currently have is the
stock allow_all. Yet, when I attempt to log into the host via ssh, it
closes the connection.

$ ssh testuser@host
Warning: Permanently added 'host,host-ip' (RSA) to the list of known
hosts.
testuser@host's password:
Connection closed by host-ip

The host I'm attempting to login to can correctly look up the user using
getent:

# getent passwd testuser
testuser:*:16843:16843:Test User:/home/testuser:/bin/bash

Scanning /var/log/secure, I see these entries:

Feb 14 12:01:50 host sshd[6528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)

That tells me (from reading online) the user / password was correctly
authenticated, but failed authorization due to HBAC rules. I've tested the
rule using the 'hbactest' utility and it passes:

[root@Master ~]# ipa hbactest --user=testuser --host=host --service=sshd

Access granted: True

  Matched rules: allow_all

I'm at a loss here, because if I comment out the line:

account [default=bad success=ok user_unknown=ignore] pam_sss.so

in /etc/pam.d/system-auth, the user is able to log in.

So what am I missing here? Is there a way I can debug HBAC rules? I've
already set debug_level = 10 in /etc/sssd/sssd.conf, and I see it's able to
access the HBAC 'allow_all' rule in the log /var/log/sssd/sssd_domain.dc.log:

(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[sdap_get_generic_done] (7): Total count [0]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule]
(7): Processing rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
(5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_service_attrs_to_rule] (7): Processing PAM services for rule
[allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
(5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
(5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (7): [12] groups for [admin]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (7): Added group [admins] for user [admin]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication
administrators,cn=privileges,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify
replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove
replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host
enrollment,cn=privileges,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host
keytab,cn=permissions,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
host,cn=permissions,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
krbprincipalname to a host,cn=permissions,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=unlock user
accounts,cn=permissions,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage
service keytab,cn=permissions,cn=pbac,dc=domain,dc=dc]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
[hbac_eval_user_element] (7): Added group [trust admins] for
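The two log formats quoted in this thread lend themselves to a small automated check. The following Python script is an added example, not anything posted in the thread: it walks sssd's HBAC debug output, ties each "No host specified, rule will never apply" warning to the rule and the element (users, PAM services, target hosts, source hosts) it was logged under, and pulls pam_sss account-phase denials out of /var/log/secure. The sample lines are constructed in the formats shown above; the second rule name "ops_ssh" is made up.

```python
import re

# Constructed sample input in the format of the sssd_domain.log excerpt quoted
# in the thread; the rule "ops_ssh" is made up to show a healthy rule.
SSSD_LOG = """\
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule] (7): Processing rule [ops_ssh]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [ops_ssh]
(Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category] (5): Category is set to 'all'.
"""
# Constructed /var/log/secure lines in the format shown in the thread.
SECURE_LOG = """\
Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58 user=testuser
Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
"""
RULE_RE = re.compile(r"\[hbac_attrs_to_rule\] \(\d+\): Processing rule \[([^\]]+)\]")
ELEMENT_RE = re.compile(r"Processing (users|PAM services|target hosts|source hosts) for rule \[")
NEVER_RE = re.compile(r"No host specified, rule will never apply")
DENY_RE = re.compile(r"pam_sss\((\w+):account\): Access denied for user (\S+): (\d+)")


def dead_hbac_rules(log_text):
    """Map each HBAC rule to the elements sssd found empty ('rule will never apply').
    sssd logs 'Processing rule [X]' and then each element in turn, so the most
    recent 'Processing ... for rule' line names the element the warning is about."""
    dead, rule, element = {}, None, None
    for line in log_text.splitlines():
        if m := RULE_RE.search(line):
            rule, element = m.group(1), None
        elif m := ELEMENT_RE.search(line):
            element = m.group(1)
        elif NEVER_RE.search(line) and rule:
            dead.setdefault(rule, []).append(element)
    return dead


def pam_account_denials(secure_text):
    """Return (service, user, pam_errno) for each pam_sss account-phase denial;
    an auth success followed by an account denial points at HBAC, not the password."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(DENY_RE.search, secure_text.splitlines()) if m]


if __name__ == "__main__":
    for name, elems in dead_hbac_rules(SSSD_LOG).items():
        print(f"rule {name!r} can never match: empty {', '.join(elems)}")
    for svc, user, err in pam_account_denials(SECURE_LOG):
        print(f"{svc}: account phase denied {user} (PAM error {err})")
```

Run against a real sssd_domain.log captured at debug_level 10 (as the thread does), the first function names exactly the rules and elements that hbactest on the server will report as matching but the client will never honour.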