Discussion:
[Freeipa-users] HBAC not working, freeipa 4.4, sssd 1.15.1
Lachlan Musicman
2017-03-16 00:36:57 UTC
I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure
whether it's better to report it here or on the sssd mailing list. Also, sssd
in pagure is bare and I didn't want to sully the blank slate
(https://pagure.io/sssd/issues).

The details:

env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR

On the IPA server:

- "ipa hbactest ..." returns TRUE, so everything seems set up correctly.


When I try to login to the test client, I get denied.

On the test client:

- hbac_eval_user_element is returning a wrong value. This is seen in
sssd_domain.log: it's returning 25. My test user is in 37 groups, as seen
on the IPA server via id username. On the test client, id username
returns 36 groups; the one missing is an IPA (not AD) group that was made
for HBAC rules. I have sanitized logs available.

- taking ldbsearch -H /var/lib/sss/db/cache_domain.com.ldb
'(objectclass=user)' and finding the record in question shows the same 36
groups available. The missing group shouldn't affect the ability to log in
via HBAC.

- getent group (groupname) works as expected. Also worth noting that the
group missing from id username shows that user in getent.

For reference, on the client the sssd service was stopped, the cache
deleted, and the service started again the night before after which the
server wasn't accessed by anyone. I find that this is necessary for the
cache to populate.

Should I put in a bug report against SSSD or FreeIPA?

While HBAC is in FreeIPA, I think that this is an issue in SSSD
(specifically ?


cheers
L.




------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
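The comparison described in the post above (group list from id on the IPA server versus on the SSSD client, then locating the group that the client lost) can be scripted. The following is an added example and is not code from the thread, from SSSD or from FreeIPA; the user alice, the group names, the hostnames and the cache file name are placeholders, and the two id outputs are constructed sample data. The commented commands at the end show the follow-up checks (hbacrule-find, hbactest, ldbsearch, sss_cache) that go beyond what the post itself ran.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the group membership that
# `id` reports on the IPA server with what the SSSD client reports, and list
# the groups the client is missing.  The user, group names, hostnames and
# cache file name are made up for illustration.
export LC_ALL=C

# Print the group names from one line of `id` output, one per line, sorted.
# `id` prints: uid=N(user) gid=N(user) groups=N(user),N(group),...
group_names() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | sort
}

# Print the groups present in the server's `id` output but absent from the
# client's.  An empty result means both sides agree.
missing_groups() {
    srv=$(mktemp) && cli=$(mktemp) || return 1
    group_names "$1" > "$srv"
    group_names "$2" > "$cli"
    comm -23 "$srv" "$cli"
    rm -f "$srv" "$cli"
}

# Constructed sample output, standing in for `id alice` run on the IPA
# server and on the client.  The client copy lacks the hbac_allowed group.
SERVER_ID='uid=123456(alice) gid=123456(alice) groups=123456(alice),123457(ipausers),123458(hbac_allowed),123459(devs)'
CLIENT_ID='uid=123456(alice) gid=123456(alice) groups=123456(alice),123457(ipausers),123459(devs)'

echo "server groups: $(group_names "$SERVER_ID" | wc -l | tr -d ' ')"
echo "client groups: $(group_names "$CLIENT_ID" | wc -l | tr -d ' ')"
echo "missing on client:"
missing_groups "$SERVER_ID" "$CLIENT_ID"

# Real use (assumes you can ssh to the IPA server; names are placeholders):
#   missing_groups "$(ssh ipa.example.com id alice)" "$(id alice)"
# Then check whether an HBAC rule depends on the missing group, and what the
# server itself concludes for this user/host/service:
#   ipa hbacrule-find --groups=hbac_allowed
#   ipa hbactest --user=alice --host=client.example.com --service=sshd
# On the client, inspect the cached entry and force a refetch if it is stale:
#   ldbsearch -H /var/lib/sss/db/cache_example.com.ldb '(&(objectclass=user)(name=alice))'
#   sss_cache -E
```

If missing_groups prints a group that hbacrule-find reports as a member of an allow rule, the client-side denial is explained by the client's view of the user, not by the rule itself, which is the distinction the post is drawing between what hbactest says on the server and what the client evaluates.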
Jakub Hrozek
2017-03-16 08:05:58 UTC
Post by Lachlan Musicman
Should I put in a bug report against SSSD or FreeIPA?
While HBAC is in FreeIPA, I think that this is an issue in SSSD
(specifically ?
Yes, SSSD.

I remember you had some intermittent issues in the past. Is this one
reproducible?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Lachlan Musicman
2017-03-16 08:56:58 UTC
Yes. What would you like me to do? Current debug levels are at 8.

L.
Post by Jakub Hrozek
Yes, SSSD.
I remember you had some intermittent issues in the past. Is this one
reproducible?
Jakub Hrozek
2017-03-16 09:09:30 UTC
Post by Lachlan Musicman
Yes. What I do would you like? Current debug levels are at 8
Logs and id output from the server and the client at the same time.
Lachlan Musicman
2017-03-16 21:35:42 UTC
Which logs do you want from the server?

Post by Jakub Hrozek
Post by Lachlan Musicman
Yes. What would you like me to do? Current debug levels are at 8.
Logs and id output from the server and the client at the same time..
Jakub Hrozek
2017-03-17 08:20:03 UTC
Post by Lachlan Musicman
Which logs do you want from the server?
NSS and domain