Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1
On Fri, Mar 17, 2017 at 08:35:42AM +1100, Lachlan Musicman wrote:
> Which logs do you want from the server?

NSS and domain

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1
Which logs do you want from the server?

--
The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper

On 16 March 2017 at 20:09, Jakub Hrozek wrote:
> On Thu, Mar 16, 2017 at 07:56:58PM +1100, Lachlan Musicman wrote:
> > Yes. What would you like me to do? Current debug levels are at 8
>
> Logs and id output from the server and the client at the same time.
Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1
On Thu, Mar 16, 2017 at 07:56:58PM +1100, Lachlan Musicman wrote:
> Yes. What would you like me to do? Current debug levels are at 8

Logs and id output from the server and the client at the same time.
Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1
Yes. What would you like me to do? Current debug levels are at 8

L.

On 16 Mar. 2017 7:06 pm, "Jakub Hrozek" wrote:
> On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote:
> > I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure
> > if better to report to here or sssd mailing list. Also sssd in pagure is
> > bare and I didn't want to sully the blank slate. (
> > https://pagure.io/sssd/issues )
> >
> > The details:
> >
> > env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR
> >
> > On the IPA server:
> >
> > - "ipa hbactest ..." returns TRUE, so everything seems set up correctly.
> >
> > When I try to login to the test client, I get denied.
> >
> > On the test client:
> >
> > - hbac_eval_user_element is returning a wrong value. This is seen in
> > sssd_domain.log, it's returning 25. My test user is in 37 groups. This is
> > seen on the IPA server via id username. On the test client id username
> > returns 36 groups, the one missing is an IPA (not AD) group that was made
> > for HBAC rules. I have sanitized logs available.
> >
> > - taking ldbsearch -H /var/lib/sss/db/cache_domain.com.ldb
> > '(objectclass=user)' and finding the record in question shows the same 36
> > groups available. The missing group shouldn't affect ability to login via
> > HBAC
> >
> > - getent group (groupname) works as expected. Also worth noting that the
> > group missing from id username shows that user in getent.
> >
> > For reference, on the client the sssd service was stopped, the cache
> > deleted, and the service started again the night before after which the
> > server wasn't accessed by anyone. I find that this is necessary for the
> > cache to populate.
> >
> > Should I put in a bug report against SSSD or FreeIPA?
> >
> > While HBAC is in FreeIPA, I think that this is an issue in SSSD
> > (specifically ?
>
> Yes, SSSD.
>
> I remember you had some intermittent issues in the past, is this one
> reproducible?
Re: [Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1
On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote:
> I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure
> if better to report to here or sssd mailing list. Also sssd in pagure is
> bare and I didn't want to sully the blank slate. (
> https://pagure.io/sssd/issues )
>
> The details:
>
> env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR
>
> On the IPA server:
>
> - "ipa hbactest ..." returns TRUE, so everything seems set up correctly.
>
> When I try to login to the test client, I get denied.
>
> On the test client:
>
> - hbac_eval_user_element is returning a wrong value. This is seen in
> sssd_domain.log, it's returning 25. My test user is in 37 groups. This is
> seen on the IPA server via id username. On the test client id username
> returns 36 groups, the one missing is an IPA (not AD) group that was made
> for HBAC rules. I have sanitized logs available.
>
> - taking ldbsearch -H /var/lib/sss/db/cache_domain.com.ldb
> '(objectclass=user)' and finding the record in question shows the same 36
> groups available. The missing group shouldn't affect ability to login via
> HBAC
>
> - getent group (groupname) works as expected. Also worth noting that the
> group missing from id username shows that user in getent.
>
> For reference, on the client the sssd service was stopped, the cache
> deleted, and the service started again the night before after which the
> server wasn't accessed by anyone. I find that this is necessary for the
> cache to populate.
>
> Should I put in a bug report against SSSD or FreeIPA?
>
> While HBAC is in FreeIPA, I think that this is an issue in SSSD
> (specifically ?

Yes, SSSD.

I remember you had some intermittent issues in the past, is this one reproducible?
[Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1
I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure if better to report to here or sssd mailing list. Also sssd in pagure is bare and I didn't want to sully the blank slate. ( https://pagure.io/sssd/issues )

The details:

env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR

On the IPA server:

- "ipa hbactest ..." returns TRUE, so everything seems set up correctly.

When I try to login to the test client, I get denied.

On the test client:

- hbac_eval_user_element is returning a wrong value. This is seen in sssd_domain.log, it's returning 25. My test user is in 37 groups. This is seen on the IPA server via id username. On the test client id username returns 36 groups, the one missing is an IPA (not AD) group that was made for HBAC rules. I have sanitized logs available.

- taking ldbsearch -H /var/lib/sss/db/cache_domain.com.ldb '(objectclass=user)' and finding the record in question shows the same 36 groups available. The missing group shouldn't affect ability to login via HBAC

- getent group (groupname) works as expected. Also worth noting that the group missing from id username shows that user in getent.

For reference, on the client the sssd service was stopped, the cache deleted, and the service started again the night before after which the server wasn't accessed by anyone. I find that this is necessary for the cache to populate.

Should I put in a bug report against SSSD or FreeIPA?

While HBAC is in FreeIPA, I think that this is an issue in SSSD (specifically ?

cheers
L.
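As an added diagnostic for the server-versus-client group mismatch described in the original post (example code, not from the thread, SSSD or FreeIPA): a POSIX shell snippet that parses two `id username` captures, one taken on the IPA server and one on the client, counts the groups on each side and names the groups the client does not see. The user, group names and id(1) lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: compare the groups that `id <user>` reports
# on the IPA server with those reported on a client, and name what the client lacks.
# Both id(1) lines below are constructed sample data; on real hosts capture them with
#   id testuser > server.txt   (run on the IPA server)
#   id testuser > client.txt   (run on the client)
# and pass "$(cat server.txt)" "$(cat client.txt)" to missing_groups.

SERVER_ID='uid=1001(testuser) gid=1001(testuser) groups=1001(testuser),1002(ipausers),1003(hbac_ssh_login)'
CLIENT_ID='uid=1001(testuser) gid=1001(testuser) groups=1001(testuser),1002(ipausers)'

# id_groups: print the group names from one line of id(1) output, one per line, sorted.
# Only the "groups=" field is read, so a trailing SELinux "context=" field is ignored.
id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9][0-9]*(\(.*\))$/\1/p' \
        | sort
}

# group_count: number of groups in one id(1) line (the "37 vs 36" check from the thread).
group_count() {
    id_groups "$1" | awk 'END { print NR }'
}

# has_group: succeed (exit 0) if the named group appears in the id(1) line.
has_group() {
    id_groups "$1" | grep -qxF -- "$2"
}

# missing_groups: groups present in the first id(1) line but absent from the second.
missing_groups() {
    client_list=$(id_groups "$2")
    id_groups "$1" | while IFS= read -r g; do
        printf '%s\n' "$client_list" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# If the group an HBAC rule depends on is in this list, the client's SSSD cache is not
# seeing the membership the server has, which is where to look before blaming the rule.
echo "server groups: $(group_count "$SERVER_ID"), client groups: $(group_count "$CLIENT_ID")"
echo "missing on client:"
missing_groups "$SERVER_ID" "$CLIENT_ID"
```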