Re: [Freeipa-users] Inconsistent results with HBAC and SSH?

2016-05-27 Thread Jakub Hrozek
On Fri, May 27, 2016 at 01:10:40AM +, Simpson Lachlan wrote:
> > With the “allow all” HBAC rule enabled, we have no trouble logging in to any
> > machine via ssh. When we disable the “allow all” rule and make specific per-
> > machine rules (as per the idea of ‘host based’ in HBAC), we get unpredictable
> > results, primarily resulting in an inability to login via ssh. This result
> > is intermittent – sometimes we can login, but sometimes we can’t.
> 
> One noted way to "break" the HBAC is a long period of inactivity in that shell.

Typically, this is because of issues in group membership for that user.
Does id report all the groups the user should be a member of?

With recent enough SSSD, the hbac evaluator prints more verbose debug
messages (down to the individual elements of HBAC rules) to see why
exactly the rules didn't match.

There were fixes in the latest 7.2.z IPA update to help fix a problem
with the same AD group being a member of multiple IPA external groups,
maybe that would fix your problem.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
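The reply above suggests two checks: compare the groups `id` reports on the client with the user groups each HBAC rule requires, and read the per-rule debug records the HBAC evaluator writes to the domain log (the original post further down quotes exactly those records). The following script is an added example, not code from the thread or from the FreeIPA/SSSD projects. It parses the `Processing rule [...]`, `[N] groups for [...]` and `Access denied by HBAC rules` records in the format quoted in the thread, parses the `groups=` field of `id` output, and reports which processed rules the host-side group list fails to satisfy. The log excerpt, the `id` line and the rule table are constructed sample data; the `Access granted` wording and the domain name `example.test` are assumptions.

```python
"""Cross-check an SSSD HBAC denial against the user's group list from `id`.

Added example. Log record formats follow the lines quoted in the thread;
all data below is constructed, nothing is a live capture.
"""
import re

# Constructed sample of sssd_<domain>.log records, one record per line (the
# mailing-list copy wraps long records, real records are single lines).
SAMPLE_LOG = """\
[sssd[be[example.test]]] [hbac_attrs_to_rule] (0x1000): Processing rule [ad_users]
[sssd[be[example.test]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [ad_users]
[sssd[be[example.test]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[example.test]]] [hbac_attrs_to_rule] (0x1000): Processing rule [FACS Computing]
[sssd[be[example.test]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [FACS Computing]
[sssd[be[example.test]]] [hbac_eval_user_element] (0x1000): [41] groups for [jdoe@example.test]
[sssd[be[example.test]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
[sssd[be[example.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
"""

# Constructed `id` output for the same user on the client host.
SAMPLE_ID = ("uid=1501(jdoe) gid=1501(jdoe) groups=1501(jdoe),"
             "1750642900(secure file transfer users),10011(facs-compute),171884(ad_users)")

# Constructed rule table in the shape of `ipa hbacrule-show` output:
# rule name -> set of "User Groups"; an empty set stands for "User category: all".
SAMPLE_RULES = {
    "ad_users": {"ad_users"},
    "FACS Computing": {"facs-compute"},
}

RULE_RE = re.compile(r"\[hbac_attrs_to_rule\] \(0x[0-9a-f]+\): Processing rule \[(?P<rule>[^\]]+)\]")
GROUPS_RE = re.compile(r"\[hbac_eval_user_element\] \(0x[0-9a-f]+\): \[(?P<n>\d+)\] groups for \[(?P<user>[^\]]+)\]")
# Only the "denied" wording appears in the thread; "granted" is assumed.
DECISION_RE = re.compile(r"\[ipa_hbac_evaluate_rules\] \(0x[0-9a-f]+\): Access (?P<decision>granted|denied)")


def parse_hbac_log(text):
    """Return the rules the evaluator processed, the user and group count it
    saw, and the final decision ('granted', 'denied' or None if absent)."""
    info = {"rules": [], "user": None, "group_count": None, "decision": None}
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            info["rules"].append(m.group("rule"))
            continue
        m = GROUPS_RE.search(line)
        if m:
            info["user"] = m.group("user")
            info["group_count"] = int(m.group("n"))
            continue
        m = DECISION_RE.search(line)
        if m:
            info["decision"] = m.group("decision")
    return info


def parse_id_groups(id_line):
    """Group names from the groups= field of `id` output (names may contain spaces)."""
    m = re.search(r"groups=(.*)$", id_line)
    if not m:
        return set()
    return set(re.findall(r"\d+\(([^)]*)\)", m.group(1)))


def unmet_rules(rules, user_groups):
    """Rules whose user element the user cannot satisfy: the user is in none
    of the rule's groups. A rule with user category 'all' is always met."""
    return [name for name, required in rules.items()
            if required and not (required & user_groups)]


def diagnose(log_text, id_line, rules):
    """One-line verdict combining the log, `id` and the rule table."""
    info = parse_hbac_log(log_text)
    groups = parse_id_groups(id_line)
    processed = {r: rules[r] for r in info["rules"] if r in rules}
    missing = unmet_rules(processed, groups)
    if info["decision"] != "denied":
        return "no HBAC denial in log"
    if missing:
        return "denied; host-side group list does not satisfy: " + ", ".join(missing)
    return ("denied although `id` satisfies every processed rule; "
            "check host/service elements and group resolution in the domain log")


if __name__ == "__main__":
    print(parse_hbac_log(SAMPLE_LOG))
    print(sorted(parse_id_groups(SAMPLE_ID)))
    print(diagnose(SAMPLE_LOG, SAMPLE_ID, SAMPLE_RULES))
```

The `[41] groups for [...]` record is the group count the evaluator actually used; if it disagrees with the number of groups `id` prints on the same host, the two views were resolved at different times, which is the kind of stale or incomplete membership the reply points at. The `Category is set to 'all'` records belong to the host and service elements of a rule, so a denial that survives a matching user group list is worth reading against those records rather than against group membership.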

Re: [Freeipa-users] Inconsistent results with HBAC and SSH?

2016-05-26 Thread Simpson Lachlan
> With the “allow all” HBAC rule enabled, we have no trouble logging in to any
> machine via ssh. When we disable the “allow all” rule and make specific per-
> machine rules (as per the idea of ‘host based’ in HBAC), we get unpredictable
> results, primarily resulting in an inability to login via ssh. This result is
> intermittent – sometimes we can login, but sometimes we can’t.

One noted way to "break" the HBAC is a long period of inactivity in that shell.

Cheers
L.
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.


[Freeipa-users] Inconsistent results with HBAC and SSH?

2016-05-26 Thread Simpson Lachlan
With the “allow all” HBAC rule enabled, we have no trouble logging in to any 
machine via ssh. When we disable the “allow all” rule and make specific 
per-machine rules (as per the idea of ‘host based’ in HBAC), we get 
unpredictable results, primarily resulting in an inability to login via ssh. 
This result is intermittent – sometimes we can login, but sometimes we can’t.
HBAC has been created and appears fine on server
[root@vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" 
--host=emts-facs.unix.petermac.org.au --service=ssh

Access granted: True

  Matched rules: ad_users
  Matched rules: allow_all
  Matched rules: FACS Computing
  Not matched rules: Computing Cluster


Using the allow_all HBAC all users can log in fine but if we disable it users 
can no longer always login. When the user tries to log in we see the following 
on the host sssd logs:

[sssd[be[unix.petermac.org.au]]] [sdap_parse_entry] (0x1000): OriginalDN: 
[ipaUniqueID=34fb2be6-2137-11e6-9853-005056b00bfd,cn=hbac,dc=unix,dc=petermac,dc=org,dc=au].
[sssd[be[unix.petermac.org.au]]] [sdap_get_generic_op_finished] (0x0400): 
Search result: Success(0), no errmsg set
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule 
[ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing 
users for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): 
Processing PAM services for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set 
to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): 
Processing target hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set 
to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): 
Processing source hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule 
[FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing 
users for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): 
Processing PAM services for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set 
to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): 
Processing target hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): 
Processing source hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [41] groups 
for [Ellul ja...@petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access 
denied by HBAC rules
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend 
returned: (0, 6, ) [Success (Permission denied)]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending 
result [6][petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent 
result [6][petermac.org.au]
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission 
denied)][petermac.org.au]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission 
denied.
[sssd[pam]] [pam_reply] (0x0200): blen: 32
[sssd[pam]] [client_recv] (0x0200): Client disconnected!
[sssd[nss]] [client_recv] (0x0200): Client disconnected!


Which states Access denied by HBAC rules.

On server we still see
[root@vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" 
--host=emts-facs.unix.petermac.org.au --service=ssh

Access granted: True

  Matched rules: ad_users
  Matched rules: FACS Computing
  Not matched rules: Computing Cluster

[root@vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: ad_users   
  Rule name: ad_users
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: ad_users

[root@vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: FACS Computing
  Rule name: FACS Computing
  Service category: all
  Description: This server is running Flow Logic. Current server name is 
emts-facs.unix.petermac.org.au
  Enabled: TRUE
  User Groups: facs-compute
  Hosts: emts-facs.unix.petermac.org.au


On the host (emts-facs.unix.petermac.org.au) it shows the user is in the 
correct groups: 10011(facs-compute) and 171884(ad_users) which are both 
posix groups local to freeIPA

[root@emts-facs ~]# id "pmci\ellul jason"
uid=1501(jel...@petermac.org.au) gid=1501(jellul) 
groups=1501(jellul),1750642900(secure file transfer 
us...@petermac.org.au),10011(facs-compute),10004(bioinf-core),10005(rcf-staff),171884(ad_users)
 (NB: group list truncated for brevity)

Cheers
L.