Re: [Freeipa-users] sssd 1.14.1, HBAC still not working?
On Tue, Oct 11, 2016 at 03:28:55PM +1100, Lachlan Musicman wrote:
> After further testing, I've discovered that the dev system wasn't working
> as well as I thought it was: HBAC and sshd don't seem to be playing well
> together on one server, but fine on the other?
>
> ie, I can run the same commands from both ipa-server and ipa-client:
>
>     ipa hbactest --user=user1 --host=ipa-server.unixdev.petermac.org.au --service=sshd
>     ipa hbactest --user=user1 --host=ipa-client.unixdev.petermac.org.au --service=sshd
>
> and every response is:
>
> to the ipa-client
>
>     Access granted: True
>     Matched rules: Admin Users (w sudo)
>     Matched rules: Users
>
> to the ipa-server
>
>     Access granted: True
>     Matched rules: Cluster Admin Users (sudo)
>     Not matched rules: Cluster Users
>
> but when I try to login to the ipa-server, I get an instance disconnect? I
> can login happily to the ipa-client no problems.
>
> Is there a special rule about sshd and the ipa-server?

No, there shouldn't be. Can you generate sssd logs on the instance that is acting up and send them to me? It's best to run date and expire the cache before the test as well:

    sss_cache -E; date; ssh user@host; date

so that we can cross-check the logs knowing the time of the test.

If you don't mind I'd like to share the logs with other SSSD developers, because I think I already tried to look into this issue and couldn't find the root cause in the past, so maybe others will spot something.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
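The reply above asks for the two `date` stamps around the login attempt so the sssd log can be read against the test window. The following is an added example, not code from the thread or from SSSD: it parses the default sssd log prefix and GNU `date` output (both assumed formats), keeps only the lines stamped inside the window, and pulls out the HBAC evaluation lines. The log lines are constructed in sssd's layout, not a real capture.

```python
"""Correlate an `sss_cache -E; date; ssh user@host; date` run with sssd log lines.

Assumptions (not taken from the thread): sssd stamps each line as
"(Tue Oct 11 15:28:55 2016) [sssd[be[domain]]] [function] (0x0080): msg",
and `date` prints "Tue Oct 11 15:28:55 AEDT 2016". Neither the log nor
`date` records a UTC offset here, so both are compared as local wall-clock.
"""
import re
from datetime import datetime

FMT = "%a %b %d %H:%M:%S %Y"
STAMP = re.compile(r"^\((\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\)")

# Constructed sample lines in sssd's debug-log layout (not a real capture).
SAMPLE_LOG = [
    "(Tue Oct 11 15:27:40 2016) [sssd[be[unixdev.petermac.org.au]]] "
    "[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Users]",
    "(Tue Oct 11 15:28:56 2016) [sssd[be[unixdev.petermac.org.au]]] "
    "[sdap_get_groups_done] (0x0400): Search for groups returned 1 result.",
    "(Tue Oct 11 15:28:57 2016) [sssd[be[unixdev.petermac.org.au]]] "
    "[ipa_hbac_evaluate_rules] (0x0040): Access denied by HBAC rules",
    "(Tue Oct 11 15:29:10 2016) [sssd[be[unixdev.petermac.org.au]]] "
    "[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Users]",
]

def parse_date_output(text):
    """Turn `date` output into a datetime; the timezone field, if present, is dropped."""
    parts = text.split()
    if len(parts) == 6:          # "Tue Oct 11 15:28:55 AEDT 2016" -> drop "AEDT"
        del parts[4]
    return datetime.strptime(" ".join(parts), FMT)

def parse_stamp(line):
    """Return the log line's timestamp, or None for unstamped continuation lines."""
    m = STAMP.match(line)
    return datetime.strptime(m.group(1), FMT) if m else None

def lines_in_window(lines, date_before, date_after):
    """Keep the lines stamped between the two `date` calls (inclusive)."""
    start, end = parse_date_output(date_before), parse_date_output(date_after)
    kept = []
    for line in lines:
        stamp = parse_stamp(line)
        if stamp is not None and start <= stamp <= end:
            kept.append(line)
    return kept

def hbac_verdicts(lines):
    """From a window, pick the lines emitted by the IPA HBAC evaluation code."""
    return [line for line in lines if "hbac" in line.lower()]

if __name__ == "__main__":
    window = lines_in_window(SAMPLE_LOG, "Tue Oct 11 15:28:55 AEDT 2016",
                             "Tue Oct 11 15:29:02 AEDT 2016")
    for line in hbac_verdicts(window):
        print(line)
```

Run it against the real `/var/log/sssd/sssd_<domain>.log` by reading the file into `lines`; the grant at 15:27:40 and the one at 15:29:10 fall outside the window and are ignored, so only the denial from the test itself is reported.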
Re: [Freeipa-users] sssd 1.14.1, HBAC still not working?
After further testing, I've discovered that the dev system wasn't working as well as I thought it was: HBAC and sshd don't seem to be playing well together on one server, but fine on the other?

ie, I can run the same commands from both ipa-server and ipa-client:

    ipa hbactest --user=user1 --host=ipa-server.unixdev.petermac.org.au --service=sshd
    ipa hbactest --user=user1 --host=ipa-client.unixdev.petermac.org.au --service=sshd

and every response is:

to the ipa-client

    Access granted: True
    Matched rules: Admin Users (w sudo)
    Matched rules: Users

to the ipa-server

    Access granted: True
    Matched rules: Cluster Admin Users (sudo)
    Not matched rules: Cluster Users

but when I try to login to the ipa-server, I get an instance disconnect? I can login happily to the ipa-client no problems.

Is there a special rule about sshd and the ipa-server?

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper

On 11 October 2016 at 14:06, Lachlan Musicman wrote:
> Hola,
>
> I've set up a test domain that's as much as possible the same as the prod
> domain, and successfully got a one way trust against the AD: CentOS 7.2,
> ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3
>
> On that test domain I believe I have HBAC working successfully.
>
> Once I could show that it was working successfully on the test domain we
> updated all the clients in the prod domain to sssd 1.14.1-3, updated the
> IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.
>
> And it doesn't work? Two users could login, but none of the others could,
> and the sudo rules weren't applied in so much as the one user that could
> login but shouldn't have had sudo, did.
>
> I tried stopping sssd/clearing cache/start sssd/waiting; and stopping
> sssd/deleting /var/lib/sss/db/* /start sssd/waiting.
>
> Neither of those worked, so I enabled allow all again.
>
> Now I have a bunch of log files to look through, but no clear indication
> of what might have gone wrong from a quick read.
>
> I can see in the logs where one person is ok'd by HBAC for sshd and
> another two are denied - when they should have all been ok'd. And I can
> infer from the error messages that the reasoning is that HBAC has declared
> person2 + person3 to not be in a group they most definitely are in. But
> there is no indication of why sssd hasn't properly picked up that person2
> is in the correct group?
>
> I guess the question is, where do I start fixing this? Which logs should I
> be reading?
>
> What can I compare between the two set ups (dev and prod) that might give
> me insight, given that they are largely set up identically?
>
> Cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
[Freeipa-users] sssd 1.14.1, HBAC still not working?
Hola,

I've set up a test domain that's as much as possible the same as the prod domain, and successfully got a one way trust against the AD: CentOS 7.2, ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3

On that test domain I believe I have HBAC working successfully.

Once I could show that it was working successfully on the test domain we updated all the clients in the prod domain to sssd 1.14.1-3, updated the IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.

And it doesn't work? Two users could login, but none of the others could, and the sudo rules weren't applied in so much as the one user that could login but shouldn't have had sudo, did.

I tried stopping sssd/clearing cache/start sssd/waiting; and stopping sssd/deleting /var/lib/sss/db/* /start sssd/waiting.

Neither of those worked, so I enabled allow all again.

Now I have a bunch of log files to look through, but no clear indication of what might have gone wrong from a quick read.

I can see in the logs where one person is ok'd by HBAC for sshd and another two are denied - when they should have all been ok'd. And I can infer from the error messages that the reasoning is that HBAC has declared person2 + person3 to not be in a group they most definitely are in. But there is no indication of why sssd hasn't properly picked up that person2 is in the correct group?

I guess the question is, where do I start fixing this? Which logs should I be reading?

What can I compare between the two set ups (dev and prod) that might give me insight, given that they are largely set up identically?

Cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper