Hi,
Yes, this appears to be the culprit:
sssd_unix.domain.log:(Fri Aug 21 07:17:08 2015) [sssd[be[unix.domain.com]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=EITUnixAdmins,OU=UNIX,OU=ENT,OU=SecGroups,DC=na,DC=domain,DC=lan]
Thanks,
Josh
-----Original Message-----
From: Pavel Reichl [mailto:preichl@redhat.com]
Sent: Friday, August 21, 2015 8:51 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users]Re: Access denied by HBAC Rules
On 08/21/2015 02:22 PM, Baird, Josh wrote:
> Hi,
>
> I have a situation where an IPA/sssd client is not allowing an AD trusted user to login, even though HBAC rules allow the user:
>
> (Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [allow_eitunixadmins]
> (Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [allow_eitunixadmins]
> (Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=eitunixadmins,cn=groups,cn=accounts,dc=unix,dc=follett,dc=com))
> (Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
>
> jbaird@impr-d1-dc01:~$ ipa hbactest
> User name: jbaird(a)na.follett.lan
> Target host: imqa-d1-cl05.corp.domain.com
> Service: ssh
> --------------------
> Access granted: True
> --------------------
> Matched rules: allow_eitunixadmins
>
> How would I go about troubleshooting this? Both client and server are running the newest RHEL 7.1.z packages.
>
> Thanks,
>
> Josh
Hello Josh,
this seems to be a bug we are already working on. Users have reported that
the problem is temporarily solved when they clear the sssd cache and restart
SSSD. Could you check the logs, especially lines containing
'hbac_eval_user_element'? I would expect that when access is denied some
groups would be missing in comparison to the case when access is granted.
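As an added example that is not part of the thread, a small Python helper that parses sssd domain-log lines of the layout quoted above, pulls out the 'hbac_eval_user_element' "Skipping non-group memberOf" entries, the processed rules and the final HBAC decision, and diffs a denied run against a granted one as Pavel suggests. The sample log lines are constructed from the wrapped entries in the thread; the function names and result layout are my own, not sssd's.

```python
import re

# Layout of an sssd domain-log line as quoted in the thread:
#   (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SKIP_RE = re.compile(r"Skipping non-group memberOf \[(?P<dn>.+)\]$")
RULE_RE = re.compile(r"Processing rule \[(?P<rule>[^\]]+)\]")

# Constructed sample, assembled from the line-wrapped entries quoted in the thread.
SAMPLE_LOG = [
    "(Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [hbac_attrs_to_rule] "
    "(0x1000): Processing rule [allow_eitunixadmins]",
    "(Fri Aug 21 07:17:08 2015) [sssd[be[unix.domain.com]]] [hbac_eval_user_element] "
    "(0x2000): Skipping non-group memberOf "
    "[CN=EITUnixAdmins,OU=UNIX,OU=ENT,OU=SecGroups,DC=na,DC=domain,DC=lan]",
    "(Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [ipa_hbac_evaluate_rules] "
    "(0x0080): Access denied by HBAC rules",
]

def parse_line(line):
    """Split one sssd log line into its fields; None if the line has another layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_hbac(lines):
    """Collect skipped memberOf DNs, processed rules and final HBAC decisions."""
    summary = {"skipped_memberof": [], "rules": [], "decisions": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["func"] == "hbac_eval_user_element":
            m = SKIP_RE.search(rec["msg"])
            if m:
                summary["skipped_memberof"].append(m.group("dn"))
        elif rec["func"] == "hbac_attrs_to_rule":
            m = RULE_RE.search(rec["msg"])
            if m:
                summary["rules"].append(m.group("rule"))
        elif rec["func"] == "ipa_hbac_evaluate_rules":
            summary["decisions"].append(rec["msg"])
    return summary

def groups_only_skipped_when_denied(denied, granted):
    """memberOf DNs dropped in the denied run but not in the granted run."""
    return sorted(set(denied["skipped_memberof"]) - set(granted["skipped_memberof"]))

if __name__ == "__main__":
    denied = summarize_hbac(SAMPLE_LOG)
    print(denied, groups_only_skipped_when_denied(denied, summarize_hbac([])))
```

Feed it the real sssd_<domain>.log from a denied and a granted login (with debug_level high enough to emit the 0x2000 entries) and the diff shows which AD group memberships were discarded as "non-group" in the failing run.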