Mustapha Aissat via FreeIPA-users wrote:
Hi all,
I'm facing some problems connecting AD users to a Linux host via ssh.
I have already configured the trust between the IPA server and AD.
I created an external group "*grp_dba*" pointing to the AD group.
I created a POSIX group "*admindba*" that contains the external group.
I created an HBAC rule "*allow_dba*" to allow the group to access the host.
I ran an HBAC test and it tells me that access is granted to the
user. On the client host, id, getent and even su work, but I still can't
ssh in!
Can you please guide me?
Thank you in advance.
Here are some commands that I used and the logs.
----------
_On IPA server:_
[root@idm01 ~]# *ipa group-show admindba*
Group name: admindba
GID: 336200005
Member groups: grp_dba
Member of HBAC rule: allow_dba
[root@idm01 ~]# *ipa hbactest --user=admin_dba01@dz.corp --host=zabbix.linux.dz.corp --service=sshd*
--------------------
Access granted: True
--------------------
Matched rules: allow_dba
_On client host:_
[root@zabbix ~]# *id admin_dba01@dz.corp*
uid=1790001108(admin_dba01@dz.corp) gid=1790001108(admin_dba01@dz.corp) groups=1790001108(admin_dba01@dz.corp),1790000513(domain users@dz.corp),336200005(admindba),1790001107(grp_dba@dz.corp)
[root@zabbix ~]# *geten admin_dba01@dz.corp*
getenforce getent
[root@zabbix ~]# *getent passwd admin_dba01@dz.corp*
admin_dba01@dz.corp:*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:
[root@zabbix ~]# *getent group admin_dba01@dz.corp*
admin_dba01@dz.corp:*:1790001108:
[root@zabbix ~]# *su - admin_dba01@dz.corp*
Last login: Mon Feb 1 16:57:39 CET 2021 on pts/1
*[admin_dba01@dz.corp@zabbix ~]$ logout*
[root@zabbix ~]#
[root@zabbix ~]# *journalctl -e*
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Looks to me like the system is not in time sync with the KDC.
rob
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01@dz.corp: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed keyboard-interactive for admin_dba01@dz.corp from 192.168.122.1 port 43908 ssh2 [preauth]
Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by authenticating user admin_dba01@dz.corp 192.168.122.1 port 43908 [preauth]
-------
Best regards,
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
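A small triage helper, added here as an example and not part of the thread, that applies the diagnosis in the reply above to journal text: it counts krb5_child clock-skew messages and pam_sss sshd failures and reports "clock-skew" when both appear, and it compares two epoch timestamps (client vs. IPA server) against the Kerberos default clockskew of 300 seconds. The sample lines are constructed from the excerpt above; the function names are my own.

```shell
#!/bin/sh
# Triage helper (added example, not from the thread). Feed it the output of
# `journalctl -u sssd -u sshd -o short` on the client host.

# Count krb5_child messages that mean the client clock disagrees with the KDC.
krb5_skew_lines() {
    grep -Ec 'krb5_child.*(Ticket not yet valid|Clock skew too great)' || true
}

# Count pam_sss authentication failures reported by sshd.
pam_sss_failures() {
    grep -Ec 'sshd\[[0-9]+\]: pam_sss\(sshd:auth\): authentication failure' || true
}

# Verdict on stdin: "clock-skew" when both symptoms are present, else "other".
diagnose() {
    input=$(cat)
    skew=$(printf '%s\n' "$input" | krb5_skew_lines)
    fail=$(printf '%s\n' "$input" | pam_sss_failures)
    if [ "$skew" -gt 0 ] && [ "$fail" -gt 0 ]; then
        echo "clock-skew"
    else
        echo "other"
    fi
}

# Compare two epoch-second values (e.g. `date +%s` run on the client and on
# the IPA server at the same moment) against krb5's default clockskew (300 s).
# Returns success when the offset is within tolerance.
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le 300 ]
}

# Constructed sample mirroring the journal excerpt in the thread.
SAMPLE='Feb 01 19:32:33 zabbix sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:35 zabbix sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1'

printf '%s\n' "$SAMPLE" | diagnose
```

A "clock-skew" verdict means the client's time source (chronyd/ntpd) needs fixing before the HBAC rule is worth revisiting, because the KDC rejects tickets whose start time is outside the allowed skew regardless of what hbactest says.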