With the "allow all" HBAC rule enabled, we have no trouble logging in to any
machine via ssh. When we disable the "allow all" rule and make specific
per-machine rules (as per the idea of 'host based' in HBAC), we get
unpredictable results, primarily resulting in an inability to log in via ssh.
This result is intermittent: sometimes we can log in, but sometimes we can't.
The HBAC rules have been created and appear fine on the server:
[root@vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" --host=emts-facs.unix.petermac.org.au --service=ssh
Access granted: True
Matched rules: ad_users
Matched rules: allow_all
Matched rules: FACS Computing
Not matched rules: Computing Cluster
Using the allow_all HBAC rule, all users can log in fine, but if we disable it users
can no longer always log in. When the user tries to log in we see the following
in the host's sssd logs:
[sssd[be[unix.petermac.org.au]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=34fb2be6-2137-11e6-9853-005056b00bfd,cn=hbac,dc=unix,dc=petermac,dc=org,dc=au].
[sssd[be[unix.petermac.org.au]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [ad_users]
[sssd[be[unix.petermac.org.au]]] [hbac_attrs_to_rule] (0x1000): Processing rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_get_category] (0x0200): Category is set to 'all'.
[sssd[be[unix.petermac.org.au]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [FACS Computing]
[sssd[be[unix.petermac.org.au]]] [hbac_eval_user_element] (0x1000): [41] groups for [Ellul ja...@petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, ) [Success (Permission denied)]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sending result [6][petermac.org.au]
[sssd[be[unix.petermac.org.au]]] [be_pam_handler_callback] (0x0100): Sent result [6][petermac.org.au]
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][petermac.org.au]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
[sssd[pam]] [pam_reply] (0x0200): blen: 32
[sssd[pam]] [client_recv] (0x0200): Client disconnected!
[sssd[nss]] [client_recv] (0x0200): Client disconnected!
which states "Access denied by HBAC rules".
On the server we still see:
[root@vmpr-linuxidm ~]# ipa hbactest --user="pmci\ellul jason" --host=emts-facs.unix.petermac.org.au --service=ssh
Access granted: True
Matched rules: ad_users
Matched rules: FACS Computing
Not matched rules: Computing Cluster
[root@vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: ad_users
Rule name: ad_users
Host category: all
Service category: all
Enabled: TRUE
User Groups: ad_users
[root@vmpr-linuxidm ~]# ipa hbacrule-show
Rule name: FACS Computing
Rule name: FACS Computing
Service category: all
Description: This server is running Flow Logic. Current server name is emts-facs.unix.petermac.org.au
Enabled: TRUE
User Groups: facs-compute
Hosts: emts-facs.unix.petermac.org.au
On the host (emts-facs.unix.petermac.org.au) it shows the user is in the
correct groups: 10011(facs-compute) and 171884(ad_users), which are both
POSIX groups local to FreeIPA:
[root@emts-facs ~]# id "pmci\ellul jason"
uid=1501(jel...@petermac.org.au) gid=1501(jellul) groups=1501(jellul),1750642900(secure file transfer us...@petermac.org.au),10011(facs-compute),10004(bioinf-core),10005(rcf-staff),171884(ad_users)
(NB: group list truncated for brevity)
Cheers
L.
This email (including any attachments or links) may contain
confidential and/or legally privileged information and is
intended only to be read or used by the addressee. If you
are not the
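To make the server-versus-client comparison in the message above concrete, here is an added example (not FreeIPA, sssd or the poster's code) that models the HBAC matching rule both `ipa hbactest` and sssd's IPA provider apply: a request is granted when at least one enabled rule matches the user (directly, via a member group, or by user category 'all'), the target host (by name or host category 'all') and the PAM service (by name or service category 'all'). The `allow_all`, `ad_users` and `FACS Computing` rules and the user's group list are transcribed from the `ipa hbacrule-show` and `id` output; the `Computing Cluster` rule is left out because its definition is not shown. The `STALE_GROUPS` set is a constructed what-if, not a diagnosis: it shows that an evaluator which sees the user without `facs-compute` and `ad_users` denies access exactly when `allow_all` is off, which is the shape of the denial in the sssd log, while `allow_all` masks the difference entirely. The PAM service name `sshd` is assumed for the client side.

```python
"""Model of FreeIPA HBAC rule matching (added example, not project code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HbacRule:
    """One HBAC rule as `ipa hbacrule-show` presents it.

    A category of 'all' for users, hosts or services matches anything;
    otherwise the request must hit one of the listed names.  Source hosts
    are not modelled, as sssd does not evaluate them.
    """
    name: str
    enabled: bool = True
    user_category_all: bool = False
    users: frozenset = frozenset()
    user_groups: frozenset = frozenset()
    host_category_all: bool = False
    hosts: frozenset = frozenset()
    service_category_all: bool = False
    services: frozenset = frozenset()

    def matches(self, user, groups, host, service):
        user_ok = (self.user_category_all or user in self.users
                   or bool(self.user_groups & groups))
        host_ok = self.host_category_all or host in self.hosts
        svc_ok = self.service_category_all or service in self.services
        return user_ok and host_ok and svc_ok


def evaluate(rules, user, groups, host, service):
    """Mirror `ipa hbactest`: any enabled rule that matches grants access.

    Returns (granted, matched_rule_names, not_matched_rule_names).  Disabled
    rules are skipped, as hbactest skips them by default.
    """
    matched, not_matched = [], []
    for rule in rules:
        if not rule.enabled:
            continue
        hit = rule.matches(user, frozenset(groups), host, service)
        (matched if hit else not_matched).append(rule.name)
    return bool(matched), matched, not_matched


def rules_from_page(allow_all_enabled):
    """The three rules whose definitions appear in the message."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled, user_category_all=True,
                 host_category_all=True, service_category_all=True),
        HbacRule("ad_users", user_groups=frozenset({"ad_users"}),
                 host_category_all=True, service_category_all=True),
        HbacRule("FACS Computing", user_groups=frozenset({"facs-compute"}),
                 hosts=frozenset({"emts-facs.unix.petermac.org.au"}),
                 service_category_all=True),
    ]


USER = "pmci\\ellul jason"
HOST = "emts-facs.unix.petermac.org.au"
SERVICE = "sshd"  # assumed: the PAM service name sshd hands to sssd
# Group names from the `id` output on the host (the file-transfer group is
# left out; it appears in no rule).
GROUPS_FROM_ID = frozenset({"jellul", "facs-compute", "bioinf-core",
                            "rcf-staff", "ad_users"})
# Constructed what-if: the same user as seen by an evaluator whose group
# list lacks both HBAC-relevant groups.  Not taken from the page.
STALE_GROUPS = frozenset({"jellul", "bioinf-core", "rcf-staff"})


def server_view(allow_all_enabled=False):
    """What hbactest reports given the group list shown on the page."""
    return evaluate(rules_from_page(allow_all_enabled), USER, GROUPS_FROM_ID,
                    HOST, SERVICE)


def client_view_with_stale_groups(allow_all_enabled=False):
    """What an evaluator with the constructed stale group list decides."""
    return evaluate(rules_from_page(allow_all_enabled), USER, STALE_GROUPS,
                    HOST, SERVICE)


if __name__ == "__main__":
    for label, fn in (("server", server_view),
                      ("client, stale groups", client_view_with_stale_groups)):
        for allow_all in (True, False):
            granted, hit, miss = fn(allow_all)
            print(f"{label:22s} allow_all={allow_all!s:5s} "
                  f"granted={granted} matched={hit} not_matched={miss}")
```

On a real client the analogue of the stale-group case is checked by comparing the groups `id` prints on the host with the membership the server reports for the same user, and `sss_cache -E` forces sssd to expire its cached entries so the next lookup is fetched fresh before retrying the login.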