> On 19 May 2018, at 19:53, Marc Boorshtein via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> I'm trying to set up an HBAC rule for allowing users from a trust to
> access linux servers in a FreeIPA domain. My setup:
>
> 1. rhelent.lan - FreeIPA 4.5.0-22
> 2. ent2k12.domain.com - AD on windows 2012r2
> 3. box1 - centos7, member of rhelent.lan
> 4. External group ad_ext_users
> 5. POSIX group called hbac_access
> 6. HBAC group that has the posix group hbac_access as a member
> 7. IPA user dvader is a member of hbac_access posix group
> 8. mmos...@ent2k12.domain.com is a member of ad_ext_users external group
>
> When I log in as dvader, everything works great. When I log in as
> mmos...@ent2k12.domain.com the connection is closed. This is in
> /var/log/secure:
>
> May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:auth): authentication
> success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2
> user=mmos...@ent2k12.domain.com
> May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:account): Access denied
> for user mmos...@ent2k12.domain.com: 6 (Permission denied)
> May 19 13:43:11 box1 sshd[1395]: error: PAM: User account has expired
> for mmos...@ent2k12.domain.com from 10.8.0.2
> May 19 13:43:12 box1 sshd[1395]: fatal: monitor_read: unpermitted request 104
>
> So authentication is working, authorization is failing. Am I missing
> something?
Not from the description; the things I would look at are:

1) is hbac_access printed if you run "id mmos...@ent2k12.domain.com"?
2) bump the sssd debug level and see the groups and the rules the client is evaluating in the sssd logs.

> Thanks
> Marc
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NJV4OM4DAMWEB6OVYHJUGS5ZVCKIX35P/

_______________________________________________
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/L3EFYCS5RERLUMET2I5KKLYYD5QFNN6A/
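The two checks suggested in the reply, scripted as an added example that is not part of the thread or of FreeIPA itself. The user, host and group names are the ones from the question; the function names, the constructed `id` output and the exact log path are assumptions. The helper parses `id`-style output and reports whether the POSIX group the HBAC rule depends on (hbac_access) is present, which is the first thing to establish before looking at the rule; the `diagnose` function then runs the live `id`, points at `ipa hbactest` when the group resolves, and at the sssd debug-level bump when it does not.

```shell
#!/bin/sh
# hbac_trust_check.sh (added example, not from the thread or from FreeIPA).
# Check 1: does `id <trust user>` list the POSIX group behind the HBAC rule?
# Check 2: if not, raise the sssd debug level and read the domain log.

# Return 0 if an `id`-style line lists group NAME among its groups.
#   $1 = output of `id user`, $2 = group name to look for
id_lists_group() {
    id_out=$1
    group=$2
    # id prints "... groups=1000(foo),1001(bar)": keep the groups= part,
    # split on commas and match the "(name)" at the end of an entry.
    printf '%s\n' "$id_out" |
        sed -n 's/.*groups=//p' |
        tr ',' '\n' |
        grep -q "($group)\$"
}

# Constructed sample output, shaped like `id mmos...@ent2k12.domain.com`
# (assumed format; the numeric ids are made up). SAMPLE_OK is what you want
# to see: the AD user's external-group membership resolved to hbac_access.
SAMPLE_OK='uid=1234567890(mmos...@ent2k12.domain.com) gid=1234567890(domain users@ent2k12.domain.com) groups=1234567890(domain users@ent2k12.domain.com),1700000001(hbac_access)'
# SAMPLE_MISSING is the failure case: the external -> POSIX chain did not resolve,
# so the HBAC rule can never match this user.
SAMPLE_MISSING='uid=1234567890(mmos...@ent2k12.domain.com) gid=1234567890(domain users@ent2k12.domain.com) groups=1234567890(domain users@ent2k12.domain.com)'

# Live check on an IPA client. $1 = trust user, $2 = POSIX group in the HBAC rule.
diagnose() {
    user=$1
    group=$2
    out=$(id "$user") || {
        echo "id $user failed: the trust user does not resolve at all on this client"
        return 2
    }
    if id_lists_group "$out" "$group"; then
        echo "OK: $group is listed for $user; test the rule itself with:"
        echo "  ipa hbactest --user=$user --host=$(hostname -f) --service=sshd"
    else
        echo "MISSING: $group is not listed for $user; the external-group -> POSIX-group"
        echo "chain is not resolving on this client. Set debug_level = 6 in the"
        echo "[domain/...] section of /etc/sssd/sssd.conf, then:"
        echo "  sss_cache -E && systemctl restart sssd"
        echo "retry the login and look for the group lookup and HBAC rule evaluation"
        echo "in /var/log/sssd/sssd_<domain>.log"
        return 1
    fi
}

# Usage: ./hbac_trust_check.sh mmos...@ent2k12.domain.com hbac_access
if [ $# -ge 2 ]; then
    diagnose "$1" "$2"
fi
```

Note that `id_lists_group` matches the group name exactly at the end of an entry, so `hbac_access` will not be mistaken for, say, `hbac_access_admins`; if the group is shown with a domain suffix on your client, pass the suffixed name.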