On 08/21/2015 02:22 PM, Baird, Josh wrote:
Hi,
I have a situation where an IPA/sssd client is not allowing an AD-trusted user to log in,
even though HBAC rules allow the user:
(Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [allow_eitunixadmins]
(Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [allow_eitunixadmins]
(Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=eitunixadmins,cn=groups,cn=accounts,dc=unix,dc=follett,dc=com))
(Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
jbaird@impr-d1-dc01:~$ ipa hbactest
User name: jbaird@na.follett.lan
Target host: imqa-d1-cl05.corp.domain.com
Service: ssh
--------------------
Access granted: True
--------------------
Matched rules: allow_eitunixadmins
How would I go about troubleshooting this? Both client and server are running the newest
RHEL 7.1.z packages.
Thanks,
Josh
Hello Josh,
this seems to be a bug we are already working on. Users have reported
that the problem is temporarily solved when they clear the sssd cache and
restart SSSD. Could you check the logs, especially lines containing
'hbac_eval_user_element'? I would expect that when access is denied some groups
would be missing in comparison to the case when access is granted.
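The comparison suggested in the reply, as an added example that is not part of the original thread or of SSSD itself: a small POSIX shell script that pulls the group list SSSD's HBAC evaluator logged for a user out of the domain log and reports which groups appear in a granted run but not in a denied one. It assumes the domain log (sssd_<domain>.log at a debug level that includes 0x1000 messages) contains lines of the form "[hbac_eval_user_element] (0x1000): Added group [g] for user [u]"; the two log excerpts below are constructed sample data, not real logs from the poster's system, and the user and group names are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread or from SSSD.
# Extracts the groups SSSD attached to a user while evaluating HBAC rules
# and diffs a denied run against a granted run. The log line format
# "[hbac_eval_user_element] (0x1000): Added group [g] for user [u]" is an
# assumption about the sssd_<domain>.log contents.

# Constructed sample log excerpts (not real logs): a denied run in which only
# ipausers was resolved, and a granted run in which eitunixadmins was present.
DENIED_LOG='(Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [hbac_eval_user_element] (0x1000): Added group [ipausers] for user [jbaird@na.follett.lan]
(Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules'

GRANTED_LOG='(Thu Aug 20 15:20:01 2015) [sssd[be[unix.domain.com]]] [hbac_eval_user_element] (0x1000): Added group [ipausers] for user [jbaird@na.follett.lan]
(Thu Aug 20 15:20:01 2015) [sssd[be[unix.domain.com]]] [hbac_eval_user_element] (0x1000): Added group [eitunixadmins] for user [jbaird@na.follett.lan]
(Thu Aug 20 15:20:01 2015) [sssd[be[unix.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rules'

# hbac_groups LOGTEXT USER
# Prints, sorted and de-duplicated, every group the HBAC evaluator logged
# for USER in LOGTEXT.
hbac_groups() {
    printf '%s\n' "$1" \
      | grep 'hbac_eval_user_element' \
      | grep "for user \[$2\]" \
      | sed -n 's/.*Added group \[\([^]]*\)\].*/\1/p' \
      | sort -u
}

# missing_groups DENIED_LOGTEXT GRANTED_LOGTEXT USER
# Prints the groups seen in the granted run that are absent from the
# denied run; these are the memberships the client failed to resolve.
missing_groups() {
    d=$(mktemp) || return 1
    g=$(mktemp) || { rm -f "$d"; return 1; }
    hbac_groups "$1" "$3" > "$d"
    hbac_groups "$2" "$3" > "$g"
    comm -13 "$d" "$g"
    rm -f "$d" "$g"
}

# reset_sssd_cache
# The temporary workaround mentioned in the reply: invalidate the whole
# SSSD cache and restart the daemon. Run as root on the affected client;
# not invoked here.
reset_sssd_cache() {
    sss_cache -E && systemctl restart sssd
}

# Usage on a real client: save the log around a failed and a successful
# login, then compare them. With the constructed data above this prints
# "eitunixadmins", the group the allow rule keys on.
missing_groups "$DENIED_LOG" "$GRANTED_LOG" 'jbaird@na.follett.lan'
```

On a real system the two excerpts would come from `/var/log/sssd/sssd_<domain>.log` with `debug_level = 9` in the `[domain/...]` section of sssd.conf, taken around a denied and a granted attempt for the same user; a group that shows up only in the granted run is the one whose membership the client-side cache failed to resolve for the AD user.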