Hi all,
I'm facing some problems connecting an AD user to a Linux host via ssh.
I have already configured the trust between the IPA server and AD.
I created an external group "*grp_dba*" pointing to the AD group.
I created a POSIX group "*admindba*" that contains the external group.
I created an HBAC rule "*allow_dba*" to allow the group to access the host.
I did an HBAC test and it tells me that access is granted to the user. On the client host, id, getent and even su work, but I still can't ssh!
Can you please guide me?
Thank you in advance.
Here are some commands that I used and the logs:
----------
*On IPA server:*
[root@idm01 ~]# *ipa group-show admindba*
  Group name: admindba
  GID: 336200005
  Member groups: grp_dba
  Member of HBAC rule: allow_dba
[root@idm01 ~]# *ipa hbactest --user=admin_dba01@dz.corp --host=zabbix.linux.dz.corp --service=sshd*
--------------------
Access granted: True
--------------------
  Matched rules: allow_dba
*On client host:*
[root@zabbix ~]# *id admin_dba01@dz.corp*
uid=1790001108(admin_dba01@dz.corp) gid=1790001108(admin_dba01@dz.corp) groups=1790001108(admin_dba01@dz.corp),1790000513(domain users@dz.corp),336200005(admindba),1790001107(grp_dba@dz.corp)
[root@zabbix ~]# *geten admin_dba01@dz.corp* getenforce getent
[root@zabbix ~]# *getent passwd admin_dba01@dz.corp*
admin_dba01@dz.corp:*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:
[root@zabbix ~]# *getent group admin_dba01@dz.corp*
admin_dba01@dz.corp:*:1790001108:
[root@zabbix ~]# *su - admin_dba01@dz.corp*
Last login: Mon Feb 1 16:57:39 CET 2021 on pts/1
*[admin_dba01@dz.corp@zabbix ~]$ logout*
[root@zabbix ~]#
[root@zabbix ~]# *journalctl -e*
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01@dz.corp: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed keyboard-interactive for admin_dba01@dz.corp from 192.168.122.1 port 43908 ssh2 [preauth]
Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by authenticating user admin_dba01@dz.corp 192.168.122.1 port 43908 [preauth]
-------
Best regards,
Mustapha Aissat via FreeIPA-users wrote:
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Looks to me like the system is not in time sync with the KDC.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
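Rob's diagnosis turned into triage logic, as an added example that is not part of the thread: it walks a journalctl excerpt and, for each pam_sss sshd failure, reports clock skew when krb5_child logged "Ticket not yet valid" or "Clock skew too great" shortly before it (the symptom when the client and KDC clocks differ by more than the Kerberos tolerance, 300 s by default in MIT krb5), and separates out HBAC denials, which pam_sss logs in the account phase rather than auth. The journal lines are constructed after the ones in the thread, and the exact wording of the account-phase "Access denied" line is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed journal excerpt modelled on the thread's lines (journalctl's
# short format carries no year, so parsing uses a placeholder year).
SAMPLE_JOURNAL = """\
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1
Feb 01 20:10:02 zabbix.linux.dz.corp sshd[17200]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.9 user=bob@dz.corp
Feb 01 20:15:40 zabbix.linux.dz.corp sshd[17300]: pam_sss(sshd:account): Access denied for user carol@dz.corp: 6 (Permission denied)
"""

# Messages krb5_child emits when the client clock and the KDC disagree by
# more than the Kerberos clock-skew tolerance (MIT krb5 default: 300 s).
CLOCK_MSGS = ("Ticket not yet valid", "Clock skew too great")
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
AUTH_FAIL_RE = re.compile(r"pam_sss\(sshd:auth\): authentication failure;.*\buser=(\S+)")
# Assumed format of the account-phase (HBAC) denial logged by pam_sss.
HBAC_DENY_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user ([^:\s]+)")

def parse_journal(text, year=2021):
    """Yield (timestamp, message) for each journalctl short-format line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def diagnose(text, window=timedelta(seconds=10)):
    """Return [(user, verdict)] for every sshd auth/account failure.

    'clock_skew' if krb5_child reported a clock problem within `window`
    before the auth failure, 'hbac_denied' for account-phase denials,
    otherwise 'bad_credentials_or_other'.
    """
    events = list(parse_journal(text))
    findings = []
    for ts, msg in events:
        m = AUTH_FAIL_RE.search(msg)
        if m:
            skew = any(ts - window <= t <= ts and any(c in m2 for c in CLOCK_MSGS)
                       for t, m2 in events)
            findings.append((m.group(1), "clock_skew" if skew else "bad_credentials_or_other"))
            continue
        m = HBAC_DENY_RE.search(msg)
        if m:
            findings.append((m.group(1), "hbac_denied"))
    return findings

if __name__ == "__main__":
    for user, verdict in diagnose(SAMPLE_JOURNAL):
        print(f"{user}: {verdict}")
```

A "clock_skew" verdict means the fix is on the time side (NTP/chrony against the same source as the KDC), not in HBAC or the group mapping, which is exactly why hbactest, id and su all looked fine here.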
Hi Rob,
That was the issue. Many thanks. The AD server was in a different timezone.
Now it works.
BR,
On Mon, Feb 1, 2021 at 8:04 PM Rob Crittenden rcritten@redhat.com wrote:
Looks to me like the system is not in time sync with the KDC.
rob