On Fri, Aug 02, 2013 at 12:55:12PM -0500, KodaK wrote:
> First, before we go any further: is it supported to use
> sssd when the client machines domain differs from
> the realm name? If not, then the rest of this is moot.
>
> Client box is a RHEL 5.something. I didn't do "ipa-client-install"
> because I wanted to configure by hand as a test. The client
> box has a DNS name of stlmoracsbx01.domain.com, and the
> realm is UNIX.DOMAIN.COM
>
> I've configured the box with sssd, and I can log in with my personal
> credentials because I have a wide-open rule for admins.
>
> I've created a simple rule for a test user, and it's not working.
>
> [xxx@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
> Rule name: stlmoracsbx01-access
> Source host category: all
> Service category: all
> Enabled: TRUE
> Users: testuser
> Hosts: stlmoracsbx01.domain.com
>
> However:
>
> [xxx@slpidml01 ~]$ ipa hbactest --user=testuser
> --host=stlmoracsbx01.domain.com --service=sshd
> -
> Access granted: False
> -
>
> And my access:
>
> [xxx@slpidml01 ~]$ ipa hbactest --user=xxx
> --host=stlmoracsbx01.domain.com --service=sshd
>
> Access granted: True
>
> Matched rules: admin access
>
> I also tried opening that host up to everyone:
>
> [jebalicki@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
>
> Rule name: stlmoracsbx01-access
> User category: all
> Source host category: all
> Service category: all
> Enabled: TRUE
> Hosts: stlmoracsbx01.domain.com
>
> But the rule fails.
>
> I thought maybe there might be something with the user "testuser", so
> I tried another user and I still get a failure.
>
> Any ideas would be appreciated.
First I think this is not a general issue. I did a quick test which
worked as expected:
[root@ipa18-devel ~]# ipa hbacrule-show abc-test
Rule name: abc-test
User category: all
Service category: all
Enabled: TRUE
Hosts: abc.def
[root@ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.def
--service=wced
Access granted: True
Matched rules: abc-test
[root@ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.defx
--service=wced
-
Access granted: False
-
Not matched rules: abc-test
Which version of FreeIPA are you using on the server? Maybe the sssd
logs at a high debug level will give more details why the access is
denied when you try to log in with ssh as testuser on
stlmoracsbx01.domain.com.
bye,
Sumit
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
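As an added illustration, not part of the thread or of FreeIPA's own code, here is a small Python model of how an HBAC rule's category flags ("all") and explicit member lists decide a user/host/service request; it reproduces the hbactest results quoted above. Group membership, source hosts and hostname canonicalization are not modeled, and the case-insensitive string comparison is an assumption of this toy.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, List, Dict


@dataclass(frozen=True)
class HbacRule:
    """Toy model of an IPA HBAC rule (direct members only, no groups)."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None      # "all" or None
    service_category: Optional[str] = None   # "all" or None
    users: FrozenSet[str] = frozenset()
    hosts: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()

    @staticmethod
    def _matches(category: Optional[str], members: FrozenSet[str], value: str) -> bool:
        # A category of "all" matches anything; otherwise the value must be
        # an explicit member. Case-insensitive compare is an assumption here.
        if category == "all":
            return True
        return value.lower() in {m.lower() for m in members}

    def matches(self, user: str, host: str, service: str) -> bool:
        return (self.enabled
                and self._matches(self.user_category, self.users, user)
                and self._matches(self.host_category, self.hosts, host)
                and self._matches(self.service_category, self.services, service))


def hbactest(rules: List[HbacRule], user: str, host: str, service: str) -> Dict[str, object]:
    """Return a dict shaped like the ipa hbactest summary: granted, matched, not matched."""
    matched = [r.name for r in rules if r.matches(user, host, service)]
    not_matched = [r.name for r in rules if r.enabled and r.name not in matched]
    return {"granted": bool(matched), "matched": matched, "not_matched": not_matched}


# Rules constructed from the two hbacrule-show outputs quoted in the thread.
ABC_TEST = HbacRule("abc-test", user_category="all", service_category="all",
                    hosts=frozenset({"abc.def"}))
SBX01_ACCESS = HbacRule("stlmoracsbx01-access", service_category="all",
                        users=frozenset({"testuser"}),
                        hosts=frozenset({"stlmoracsbx01.domain.com"}))

if __name__ == "__main__":
    print(hbactest([ABC_TEST], "qgwe", "abc.def", "wced"))    # granted: True
    print(hbactest([ABC_TEST], "qgwe", "abc.defx", "wced"))   # granted: False
```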