On Tue, Mar 15, 2016 at 08:41:40PM -0000, Josh England wrote:
> I have sssd doing authentication through ldap and I actually have a working 
> configuration that uses access_provider=ldap and ldap_access_filter and does 
> the right thing on CentOS 6.4.  On another system (CentOS 6.7) the exact same 
> configuration does not work.  Access is granted at all times no matter what.  
> In fact, I can put in access_provider=deny, and access is still granted.  Is 
> there some dependency that I got right on the first system that is incorrect 
> on this one?  I can post logs if needed.
> Relevant info for non-working system:

Hi,

I'm sorry, but I can't reproduce this locally. I tried with git master
from source and ipa id_provider together with deny access provider and I
was denied access as I would expect.

Also, in the logs I see:
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa.test] to [ipa.test]
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_pam_handler] (0x0100): Got request with the following data
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): domain: ipa.test
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): user: admin
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): service: su-l
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): tty: pts/1
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): ruser: jhrozek
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): rhost:
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): authtok type: 0
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): newauthtok type: 0
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): priv: 0
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): cli_pid: 7244
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [pam_print_data] (0x0100): logon name: not set
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_pam_handler_callback] (0x0100): Sending result [6][ipa.test]
    (Wed Mar 16 08:42:16 2016) [sssd[be[ipa.test]]] [be_pam_handler_callback] (0x0100): Sent result [6][ipa.test]

What do you see in /var/log/secure or the journal with your config? Is
pam_sss present in the pam stack's account stack?
_______________________________________________
sssd-users mailing list
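
The check asked about in the reply above (whether pam_sss is in the PAM account stack), written out as an added example that is not part of the original message. The function names, the `demo-svc` service and the sample PAM files are constructed for illustration; on a real host set `PAM_DIR=/etc/pam.d` and skip `make_samples`.

```shell
#!/bin/sh
# Added example: PAM_DIR is a temp dir of constructed samples here;
# set PAM_DIR=/etc/pam.d to inspect a real host instead.

# Print the account-phase entries of service $1, following
# "account include X" and "account substack X" into file X.
account_lines() {
    [ -r "$PAM_DIR/$1" ] || return 0
    while read -r type control target rest; do
        case "$type" in
            account|-account) ;;
            *) continue ;;          # comments and other phases are skipped
        esac
        case "$control" in
            include|substack) account_lines "$target" ;;
            *) printf '%s\n' "$control $target $rest" ;;
        esac
    done < "$PAM_DIR/$1"
}

# Return 0 if pam_sss.so appears in the account stack of service $1.
check_account_stack() {
    if account_lines "$1" | grep -q 'pam_sss\.so'; then
        echo "$1: pam_sss.so found in account stack"
    else
        echo "$1: pam_sss.so NOT in account stack, sssd access control is not consulted"
        return 1
    fi
}

# Constructed sample files (not taken from the thread).
make_samples() {
    printf 'auth    include su\naccount include su\n' > "$PAM_DIR/su-l"
    printf 'account include system-auth\n' > "$PAM_DIR/su"
    printf '%s\n' 'account required pam_unix.so' \
        'account [default=bad success=ok user_unknown=ignore] pam_sss.so' \
        'account required pam_permit.so' > "$PAM_DIR/system-auth"
    # hypothetical service: pam_sss authenticates but is absent from account
    printf '%s\n' 'auth sufficient pam_sss.so' \
        'account required pam_unix.so' > "$PAM_DIR/demo-svc"
}

PAM_DIR=$(mktemp -d)
make_samples
check_account_stack su-l
check_account_stack demo-svc || true
```

A service that passes this check can still skip pam_sss if an earlier `sufficient` account module succeeds first, so read the printed order from `account_lines` as well.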