Hi,
Yes, this appears to be the culprit:
sssd_unix.domain.log:(Fri Aug 21 07:17:08 2015) [sssd[be[unix.domain.com]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=EITUnixAdmins,OU=UNIX,OU=ENT,OU=SecGroups,DC=na,DC=domain,DC=lan]
Thanks,
Josh
> -----Original Message-----
> From: Pavel Reichl [mailto:preichl@redhat.com]
> Sent: Friday, August 21, 2015 8:51 AM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] Re: Access denied by HBAC Rules
>
> On 08/21/2015 02:22 PM, Baird, Josh wrote:
>> Hi,
>>
>> I have a situation where an IPA/sssd client is not allowing an AD trusted
>> user to login, even though HBAC rules allow the user:
>> (Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [allow_eitunixadmins]
>> (Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [allow_eitunixadmins]
>> (Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=eitunixadmins,cn=groups,cn=accounts,dc=unix,dc=follett,dc=com))
>> (Thu Aug 20 15:15:50 2015) [sssd[be[unix.domain.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
>>
>> jbaird@impr-d1-dc01:~$ ipa hbactest
>> User name: jbaird(a)na.follett.lan
>> Target host: imqa-d1-cl05.corp.domain.com
>> Service: ssh
>> --------------------
>> Access granted: True
>> --------------------
>> Matched rules: allow_eitunixadmins
>>
>> How would I go about troubleshooting this? Both client and server are
>> running the newest RHEL 7.1.z packages.
>> Thanks,
>>
>> Josh
> Hello Josh,
>
> this seems to be a bug we are already working on. Users have reported that
> the problem is temporarily solved when they clear the sssd cache and restart
> SSSD. Could you check the logs, especially lines containing
>
> 'hbac_eval_user_element'? I would expect that when access is denied some
> groups would be missing in comparison to the case when access is granted.
Actually, I would expect that when access is granted
([be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]) the log would contain something like:
[hbac_eval_user_element] (0x1000): Added group [ad_group] for user [ad_user@domain]
This line would be missing when access is denied ([ipa_hbac_evaluate_rules] (0x0080): Access
denied by HBAC rules).
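The comparison Pavel describes (grep the sssd domain log for `hbac_eval_user_element` and check whether the expected "Added group" line is present, or whether the group's memberOf was skipped as "non-group") can be scripted so the two log captures are compared mechanically. The script below is an added example, not part of the thread or of SSSD itself. It parses the line shape shown in the thread, `(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message`, and applies one heuristic of my own: a memberOf that was skipped as "non-group" but whose CN matches the `cn=...,cn=groups` value from the rule's `sysdb_search_users` filter is flagged as the likely cause of the denial. The log lines are constructed to match the thread (with `example` substituted for the real domain parts) and are not real captures.

```python
import re

# Line shape of the sssd domain log as it appears in the thread:
# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
ADDED_RE = re.compile(r"Added group \[(?P<group>[^\]]+)\] for user \[(?P<user>[^\]]+)\]")
SKIPPED_RE = re.compile(r"Skipping non-group memberOf \[(?P<dn>[^\]]+)\]")
# The HBAC user-group search filter names the IPA group the rule expects.
FILTER_CN_RE = re.compile(r"originalDN=cn=(?P<cn>[^,]+),cn=groups,", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one sssd log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def first_rdn_value(dn):
    """'CN=EITUnixAdmins,OU=UNIX,...' -> 'eitunixadmins' (lower-cased)."""
    rdn = dn.split(",", 1)[0]
    return (rdn.split("=", 1)[1] if "=" in rdn else rdn).strip().lower()


def analyze_hbac_log(lines):
    """Summarise one PAM/HBAC evaluation from a list of sssd domain-log lines."""
    summary = {"added_groups": [], "skipped_memberof": [], "rule_groups": [],
               "granted": False, "denied": False, "suspect": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # not a log line we understand; ignore
        func, msg = rec["func"], rec["msg"]
        if func == "hbac_eval_user_element":
            m = ADDED_RE.search(msg)
            if m:
                summary["added_groups"].append(m.group("group"))
                continue
            m = SKIPPED_RE.search(msg)
            if m:
                summary["skipped_memberof"].append(m.group("dn"))
        elif func == "sysdb_search_users":
            m = FILTER_CN_RE.search(msg)
            if m:
                summary["rule_groups"].append(m.group("cn").lower())
        elif func == "ipa_hbac_evaluate_rules" and "Access denied by HBAC rules" in msg:
            summary["denied"] = True
        elif func == "be_pam_handler_callback" and "[Success]" in msg:
            summary["granted"] = True
    # Heuristic (mine, not SSSD's): a memberOf skipped as "non-group" whose CN
    # equals a group an HBAC rule searches for explains the missing "Added group".
    wanted = set(summary["rule_groups"])
    summary["suspect"] = [dn for dn in summary["skipped_memberof"]
                          if first_rdn_value(dn) in wanted]
    return summary


# Constructed sample captures (domain parts replaced with "example").
PFX = "(Fri Aug 21 07:17:08 2015) [sssd[be[unix.example.com]]] "
DENIED_LOG = [
    PFX + "[hbac_attrs_to_rule] (0x1000): Processing rule [allow_eitunixadmins]",
    PFX + "[sysdb_search_users] (0x2000): Search users with filter: "
          "(&(objectclass=user)(originalDN=cn=eitunixadmins,cn=groups,cn=accounts,"
          "dc=unix,dc=example,dc=com))",
    PFX + "[hbac_eval_user_element] (0x2000): Skipping non-group memberOf "
          "[CN=EITUnixAdmins,OU=UNIX,OU=ENT,OU=SecGroups,DC=na,DC=example,DC=lan]",
    PFX + "[ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules",
]
GRANTED_LOG = [
    PFX + "[hbac_attrs_to_rule] (0x1000): Processing rule [allow_eitunixadmins]",
    PFX + "[sysdb_search_users] (0x2000): Search users with filter: "
          "(&(objectclass=user)(originalDN=cn=eitunixadmins,cn=groups,cn=accounts,"
          "dc=unix,dc=example,dc=com))",
    PFX + "[hbac_eval_user_element] (0x1000): Added group [eitunixadmins] "
          "for user [jbaird@na.example.lan]",
    PFX + "[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]",
]

if __name__ == "__main__":
    for label, log in (("denied", DENIED_LOG), ("granted", GRANTED_LOG)):
        print(label, analyze_hbac_log(log))
```

Run it against a real capture by replacing the constructed lists with `open("/var/log/sssd/sssd_<domain>.log").readlines()` from a denied and a granted attempt; a non-empty `suspect` list in the denied capture, alongside an empty `added_groups`, is the pattern Pavel asks for.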