Re: [Freeipa-users] sssd 1.14.1, HBAC still not working?

2016-10-11 Thread Jakub Hrozek
On Tue, Oct 11, 2016 at 03:28:55PM +1100, Lachlan Musicman wrote:
> After further testing, I've discovered that the dev system wasn't working
> as well as I thought it was: HBAC and sshd don't seem to be playing well
> together on one server, but fine on the other?
> 
> ie, I can run the same commands from both ipa-server and ipa-client:
> 
> ipa hbactest  --user=user1 --host=ipa-server.unixdev.petermac.org.au
> --service=sshd
> ipa hbactest  --user=user1 --host=ipa-client.unixdev.petermac.org.au
> --service=sshd
> 
> 
> and every response is:
> 
> to the ipa-client
> 
> Access granted: True
> 
>   Matched rules: Admin Users (w sudo)
>   Matched rules: Users
> 
> to the ipa-server
> 
> Access granted: True
> 
>   Matched rules: Cluster Admin Users (sudo)
>   Not matched rules: Cluster Users
> 
> 
> but when I try to login to the ipa-server, I get an instant disconnect? I
> can login happily to the ipa-client no problems.
> 
> Is there a special rule about sshd and the ipa-server?

No, there shouldn't be. Can you generate sssd logs on the instance that
is acting up and send them to me? It's best to run date and expire the
cache before the test as well:
sss_cache -E; date; ssh user@host; date
so that we can cross-check the logs knowing the time of the test. If you
don't mind I'd like to share the logs with other SSSD developers because
I think I already tried to look into this issue and couldn't find the root
cause in the past, so maybe others will spot something.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
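The timed test Jakub asks for, written out as an added example (this is not code from the thread, nor from SSSD or FreeIPA): expire the cache, stamp the start, attempt the login, stamp the end, and then cut exactly that window out of the sssd domain log and count the HBAC decisions in it. It also prints the client's own view of the user's groups, which is the thing Lachlan's earlier message suspects (HBAC on the client treating person2 and person3 as not being in a group they are in). The domain log path, the two HBAC message texts and the sample log lines are assumptions; the sample log is constructed so the filtering can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD project.
# Reproduces the timed login test and slices the matching window out of the
# sssd domain log.  The log path and the HBAC message wording are
# assumptions; the sample log at the bottom is constructed, not real output.
set -e

# Assumed domain log name; adjust to your [domain/...] section in sssd.conf.
SSSD_LOG=${SSSD_LOG:-/var/log/sssd/sssd_unixdev.petermac.org.au.log}

# Print the log lines whose leading timestamp lies within [start, end].
# Both bounds are "YYYY-MM-DD HH:MM:SS" (what `date '+%Y-%m-%d %H:%M:%S'`
# prints, local time like the sssd stamp).  The ctime-style sssd stamp
# "(Tue Oct 11 15:28:55 2016)" is rewritten to the same shape so a plain
# string comparison works; continuation lines without a stamp are skipped.
log_window() {
    awk -v start="$2" -v end="$3" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        /^\(/ {
            # $1="(Tue" $2="Oct" $3="11" $4="15:28:55" $5="2016)"
            y = $5; sub(/\)/, "", y)
            key = sprintf("%s-%s-%02d %s", y, mon[$2], $3, $4)
            if (key >= start && key <= end) print
        }' "$1"
}

# Count HBAC grants/denials in the lines given (file argument, else stdin).
# The two message texts are assumed; adjust them if your log wording differs.
hbac_summary() {
    awk '
        /Access granted by HBAC rule/ { granted++ }
        /Access denied by HBAC rules/ { denied++ }
        END { printf "granted=%d denied=%d\n", granted + 0, denied + 0 }' \
        "${1:-/dev/stdin}"
}

# What this client believes about the user.  If the groups the HBAC rule
# names are missing here, the client's view (cache or lookup), not the rule
# itself, is what to chase; `ipa hbactest` only shows the server's view.
client_view() {
    id "$1"
    getent group | grep -i -- "$1" || true
}

# The procedure from the reply: expire the cache, stamp the start, try the
# login, stamp the end, then show only the log lines from that window.
# Run as root on the host that rejects the login.
run_test() {
    user=$1; host=$2
    sss_cache -E
    start=$(date '+%Y-%m-%d %H:%M:%S')
    ssh -o BatchMode=yes "$user@$host" true || echo "ssh exit status: $?"
    end=$(date '+%Y-%m-%d %H:%M:%S')
    log_window "$SSSD_LOG" "$start" "$end" | tee /tmp/sssd-window.log
    hbac_summary /tmp/sssd-window.log
    client_view "$user"
}

# Constructed sample log so the filtering can be exercised offline: two lines
# inside a 15:28:55-15:29:10 test window, one before it and one after.
write_sample_log() {
    cat >"$1" <<'EOF'
(Tue Oct 11 15:20:01 2016) [sssd[be[unixdev.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Users]
(Tue Oct 11 15:28:57 2016) [sssd[be[unixdev.petermac.org.au]]] [hbac_evaluate] (0x0100): hbac_evaluate() called
(Tue Oct 11 15:28:58 2016) [sssd[be[unixdev.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Tue Oct 11 15:40:00 2016) [sssd[be[unixdev.petermac.org.au]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [Cluster Admin Users (sudo)]
EOF
}

# Offline demo against the constructed log: prints "granted=0 denied=1".
demo() {
    tmp=$(mktemp)
    write_sample_log "$tmp"
    log_window "$tmp" "2016-10-11 15:28:55" "2016-10-11 15:29:10" | hbac_summary
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh script.sh demo` to see the window filter on the constructed log; on a real client, call `run_test user1 ipa-server.unixdev.petermac.org.au` as root with `debug_level` raised in the domain section first, so that the window contains the HBAC evaluation rather than just the lookup. Sending the whole domain log still helps the developers, but the two stamps plus the slice are what let them correlate it with the failed login.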


Re: [Freeipa-users] sssd 1.14.1, HBAC still not working?

2016-10-10 Thread Lachlan Musicman
After further testing, I've discovered that the dev system wasn't working
as well as I thought it was: HBAC and sshd don't seem to be playing well
together on one server, but fine on the other?

ie, I can run the same commands from both ipa-server and ipa-client:

ipa hbactest  --user=user1 --host=ipa-server.unixdev.petermac.org.au
--service=sshd
ipa hbactest  --user=user1 --host=ipa-client.unixdev.petermac.org.au
--service=sshd


and every response is:

to the ipa-client

Access granted: True

  Matched rules: Admin Users (w sudo)
  Matched rules: Users

to the ipa-server

Access granted: True

  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users


but when I try to login to the ipa-server, I get an instant disconnect? I
can login happily to the ipa-client no problems.

Is there a special rule about sshd and the ipa-server?

cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 11 October 2016 at 14:06, Lachlan Musicman  wrote:

> Hola,
>
> I've set up a test domain that's as much as possible the same as the prod
> domain, and successfully got a one way trust against the AD: CentOS 7.2,
> ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3
>
> On that test domain I believe I have HBAC working successfully.
>
> Once I could show that it was working successfully on the test domain we
> updated all the clients in the prod domain to sssd 1.14.1-3, updated the
> IPA server, ran ipa-server-upgrade and we disabled "allow all" in the HBAC.
>
> And it doesn't work? Two users could login, but none of the others could,
> and the sudo rules weren't applied, inasmuch as the one user that could
> login but shouldn't have had sudo, did.
>
> I tried stopping sssd/clearing cache/start sssd/waiting; and stopping
> sssd/deleting /var/lib/sss/db/* /start sssd/waiting.
>
> Neither of those worked, so I enabled allow all again.
>
> Now I have a bunch of log files to look through, but no clear indication
> of what might have gone wrong from a quick read.
>
> I can see in the logs where one person is ok'd by HBAC for sshd and
> another two are denied - when they should have all been ok'd. And I can
> infer that the reasoning is that HBAC has declared person2 + person3 to not
> be in a group they most definitely are in from the error messages. But
> there is no indication of why sssd hasn't properly picked up that person2
> is in the correct group?
>
> I guess the question is, where do I start fixing this? Which logs should I
> be reading?
>
> What can I compare between the two set ups (dev and prod) that might give
> me insight, given that they are largely set up identically?
>
> Cheers
> L.
>
>
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>