Hi,

We have an AD-trusted FreeIPA environment.
I installed sssd-1.16.1 on the IPA servers and client hosts.
The POSIX user group "ad_app_admins" is mapped to app-admins@ADTrustedDomain.
Sometimes an AD user fails to log in on hosts: sssd cannot see the mapping. The AD user's
groups show correctly for the user, but the POSIX user group is lost.

When login succeeds:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user [ADuser]

sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         RULE [allow_admin_mgmt_hosts] [ENABLED]:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         services:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 services_names:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [sshd]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 services_groups (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         users:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 users_names (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 users_groups:
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [ad_app_admins]
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         targethosts:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 targethosts_names (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 targethosts_groups:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [admin-mng-hosts]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         srchosts:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): ALLOWED by rule [allow_admin_mgmt_hosts].
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_admin_mgmt_hosts]

========================================================

When login fails:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
                                    <----- There is no message "Added group [ad_app_admins] for user [ADuser]"

sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         RULE [allow_admin_mgmt_hosts] [ENABLED]:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         services:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 services_names:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [sshd]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 services_groups (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         users:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 users_names (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 users_groups:
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [ad_app_admins]
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         targethosts:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 targethosts_names (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 targethosts_groups:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [admin-mng-hosts]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         srchosts:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): The rule [allow_admin_mgmt_hosts] did not match.

sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
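The two log excerpts above differ in exactly one line: the "Added group [ad_app_admins] for user [ADuser]" message that sssd emits when the external AD group is resolved to its IPA POSIX group. The script below is an added example (it is not part of the post above and not SSSD code) that parses sssd_ipa.<domain>.log lines in the format shown, groups them into one record per HBAC evaluation, and reports every evaluation in which a trusted-domain group was seen but the POSIX group it should map to never appeared in an "Added group" message. The expected mapping (app-admins@ADTrustedDomain -> ad_app_admins) is an input you supply; the sample log lines embedded in the script are constructed from the excerpts in the post.

```python
import re

# Layout of one sssd debug line, with the optional "<file>:" prefix that grep adds,
# e.g. "sssd_ipa.domain.log:(Wed Apr 11 ...) [sssd[be[ipa.domain]]] [func] (0x1000): msg".
LINE_RE = re.compile(
    r"^(?:[^\s(:]+:)?\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Messages of hbac_eval_user_element / ipa_hbac_evaluate_rules as they appear in the post.
GROUPS_FOR_RE = re.compile(r"^\[(\d+)\] groups for \[(?P<user>[^\]]+)\]$")
SKIP_RE = re.compile(r"^Skipping non-IPA group name=(?P<name>[^,]+),")
ADDED_RE = re.compile(r"^Added group \[(?P<grp>[^\]]+)\] for user \[(?P<user>[^\]]+)\]$")
GRANTED_RE = re.compile(r"^Access granted by HBAC rule \[(?P<rule>[^\]]+)\]$")
DENIED_RE = re.compile(r"^Access denied by HBAC rules$")

# Expected external-group -> IPA POSIX group mapping (assumed input; from the post's setup).
EXPECTED_MAP = {"app-admins@ADTrustedDomain": "ad_app_admins"}

# Constructed sample: the relevant lines of the post's two evaluations, unwrapped.
SAMPLE_LOG = """\
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user [ADuser]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): ALLOWED by rule [allow_admin_mgmt_hosts].
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_admin_mgmt_hosts]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): The rule [allow_admin_mgmt_hosts] did not match.
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
"""


def parse_hbac_evaluations(lines):
    """Return one record per HBAC evaluation: who was evaluated, which external
    (non-IPA) groups were seen, which IPA groups were added, and the final verdict."""
    evals = []
    cur = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # rule dumps and unrelated debug lines are ignored
        func, msg = m.group("func"), m.group("msg")
        if func == "hbac_eval_user_element":
            g = GROUPS_FOR_RE.match(msg)
            if g:  # "[N] groups for [user]" opens a new evaluation
                cur = {"ts": m.group("ts"), "user": g.group("user"),
                       "external_groups": set(), "added_groups": set(), "result": None}
                evals.append(cur)
                continue
            if cur is None:
                continue
            s = SKIP_RE.match(msg)
            if s:
                cur["external_groups"].add(s.group("name"))
                continue
            a = ADDED_RE.match(msg)
            if a:
                cur["added_groups"].add(a.group("grp"))
        elif func == "ipa_hbac_evaluate_rules" and cur is not None:
            gr = GRANTED_RE.match(msg)
            if gr:
                cur["result"] = "granted:" + gr.group("rule")
            elif DENIED_RE.match(msg):
                cur["result"] = "denied"
    return evals


def find_lost_mappings(evals, expected_map):
    """List (ts, user, external_group, expected_posix_group) for every evaluation in
    which the external group was present but its mapped POSIX group was never added."""
    lost = []
    for ev in evals:
        for ext, posix in expected_map.items():
            if ext in ev["external_groups"] and posix not in ev["added_groups"]:
                lost.append((ev["ts"], ev["user"], ext, posix))
    return lost


if __name__ == "__main__":
    for ts, user, ext, posix in find_lost_mappings(
            parse_hbac_evaluations(SAMPLE_LOG.splitlines()), EXPECTED_MAP):
        print(f"{ts}: {user} had {ext} but POSIX group {posix} was not added")
```

Run it against a real log with "python3 script.py" after replacing SAMPLE_LOG with the file's contents (or feeding open(path) to parse_hbac_evaluations); with debug_level high enough to produce the 0x0200 and 0x1000 messages, each reported line corresponds to a login where the POSIX group mapping was lost, which is the condition under which the HBAC rule cannot match.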