I'm trying to set up an HBAC rule for allowing users from a trust to access Linux servers in a FreeIPA domain. My setup:
1. rhelent.lan - FreeIPA 4.5.0-22
2. ent2k12.domain.com - AD on windows 2012r2
3. boz1 - centos7, member of rhelent.lan
4. External group ad_ext_users
5. POSIX group called hbac_access
6. HBAC group that has the posix group hbac_access as a member
7. IPA user dvader is a member of hbac_access posix group
8. mmosley@ent2k12.domain.com is a member of ad_ext_users external group
When I log in as dvader, everything works great. When I log in as mmosley@ent2k12.domain.com the connection is closed. This is in /var/log/secure:
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2 user=mmosley@ent2k12.domain.com
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:account): Access denied for user mmosley@ent2k12.domain.com: 6 (Permission denied)
May 19 13:43:11 box1 sshd[1395]: error: PAM: User account has expired for mmosley@ent2k12.domain.com from 10.8.0.2
May 19 13:43:12 box1 sshd[1395]: fatal: monitor_read: unpermitted request 104
So authentication is working, authorization is failing. Am I missing something?
Thanks Marc
On 19 May 2018, at 19:53, Marc Boorshtein via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I'm trying to set up an HBAC rule for allowing users from a trust to access Linux servers in a FreeIPA domain. My setup:
- rhelent.lan - FreeIPA 4.5.0-22
- ent2k12.domain.com - AD on windows 2012r2
- boz1 - centos7, member of rhelent.lan
- External group ad_ext_users
- POSIX group called hbac_access
- HBAC group that has the posix group hbac_access as a member
- IPA user dvader is a member of hbac_access posix group
- mmosley@ent2k12.domain.com is a member of ad_ext_users external group
When I log in as dvader, everything works great. When I log in as mmosley@ent2k12.domain.com the connection is closed. This is in /var/log/secure:
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2 user=mmosley@ent2k12.domain.com
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:account): Access denied for user mmosley@ent2k12.domain.com: 6 (Permission denied)
May 19 13:43:11 box1 sshd[1395]: error: PAM: User account has expired for mmosley@ent2k12.domain.com from 10.8.0.2
May 19 13:43:12 box1 sshd[1395]: fatal: monitor_read: unpermitted request 104
So authentication is working, authorization is failing. Am I missing something?
Not from the description; the things I would look at are 1) is hbac_access printed if you run “id mmosley@ent2k12.domain.com” ? 2) bump the sssd debug level and see the groups and the rules the client is evaluating in the sssd logs.
Thanks Marc

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
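As an added example (not code from the thread, from FreeIPA or from SSSD) of the first check the reply suggests: a POSIX shell helper that parses `id` output and reports whether hbac_access is among the groups SSSD resolves for the trusted-domain user. The `id` outputs embedded below are constructed samples, not captures from the hosts in the thread.

```shell
#!/bin/sh
# Added diagnostic helper for the reply's first suggestion; not code from the
# thread, FreeIPA or SSSD. It checks whether the POSIX group the HBAC rule
# depends on (hbac_access) is among the groups SSSD resolves for a user.

# Succeed (exit 0) if group $2 is listed in the `id` output given as $1.
# Entries in the groups= section look like 1234(name); trusted-domain groups
# may be printed as name@domain, so both forms are accepted.
group_in_id_output() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | grep -qx -e "$2" -e "$2@.*"
}

# Live check: resolve the user through NSS/SSSD and report whether the group
# is present. Returns 1 when the group is missing, 2 when the lookup fails.
check_hbac_group() {
    _user=$1
    _grp=$2
    _out=$(id "$_user" 2>/dev/null) || { echo "lookup failed for $_user"; return 2; }
    if group_in_id_output "$_out" "$_grp"; then
        echo "$_grp resolved for $_user: membership is fine, inspect the rule itself"
    else
        echo "$_grp NOT resolved for $_user: suspect the external-to-POSIX group mapping or the SSSD cache"
        return 1
    fi
}

# Constructed sample `id` outputs for a stand-alone run (not captured from the
# thread's hosts); the second one lacks hbac_access.
SAMPLE_WITH_GROUP='uid=1234(mmosley@ent2k12.domain.com) gid=1234(mmosley@ent2k12.domain.com) groups=1234(mmosley@ent2k12.domain.com),5678(ad_ext_users),9012(hbac_access)'
SAMPLE_WITHOUT_GROUP='uid=1234(mmosley@ent2k12.domain.com) gid=1234(mmosley@ent2k12.domain.com) groups=1234(mmosley@ent2k12.domain.com),5678(ad_ext_users)'

# The reply's second suggestion, for reference: raise debug_level under
# [domain/rhelent.lan] in /etc/sssd/sssd.conf, restart sssd, then read the
# domain log for the resolved group list and the HBAC rule evaluation, e.g.
#   grep -i hbac /var/log/sssd/sssd_rhelent.lan.log
```

On a live host, `check_hbac_group mmosley@ent2k12.domain.com hbac_access` answers the reply's first question directly.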