On 18/09/2023 14:19, Ole Froslie via FreeIPA-users wrote:
> Scenario 2: User test2 is not a member of testusergroup anymore and should not be granted access to the test server. This also works as expected: when logging in with the correct password, test2 is denied service with the message "Connection closed by ....". This is great, but I would like to see this happening in the log. The log looks like this:
> [...]
> In this log, I see the same AS_REQ as expected with no failure, since I am using the correct password, and the same kind of TGS_REQ.
> My question is: when FreeIPA is handling the service authorization through the use of HBAC rules, why does it issue a similar TGS? Or is it different? How does the actual authorization fail between the client and the server/service itself? Is it the content of the TGS?
Kerberos deals with the question of authentication: determining the identity of a client.
HBAC deals with the question of authorization: is the client allowed to SSH into a server?
> I know I can see the failed login in the logs of the server itself, but I would like to see everything that goes on in the FreeIPA logs.
It's up to SSSD, running on the server itself, to evaluate HBAC rules. So any messages logged when HBAC denies access by a client to a server have to be logged on the server itself.
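As an added illustration of the reply above (not code from the thread or from the FreeIPA project): the denial is decided by SSSD's PAM account stage on the target host, so it never appears in the KDC log, only in the target host's own logs. The script below scans a constructed sample of /var/log/secure from such a host and separates users who authenticated but were refused at the account (HBAC) stage from users who were accepted. The usernames, hostname, addresses and timestamps are assumptions; the pam_sss and sshd message formats are the ones those components emit on a typical RHEL/Fedora host.

```shell
#!/bin/sh
# Added example, not part of the original thread or of FreeIPA/SSSD.
# Where an HBAC denial shows up on the TARGET host (never in the IPA KDC log):
#   /var/log/secure            pam_sss(sshd:account) "Access denied for user ..."
#   /var/log/sssd/sssd_<domain>.log   HBAC evaluation details, once
#                              debug_level is raised in the [domain/...] section
# To test a rule on the IPA server without logging in (real FreeIPA command):
#   ipa hbactest --user test2 --host testserver.example.test --service sshd

# Constructed sample of /var/log/secure on the target host (assumed names/addresses).
# test2 authenticates fine (Kerberos says who it is) but is refused by the
# account stage, where SSSD applies HBAC; test1 is accepted.
SAMPLE_SECURE='Sep 18 14:19:01 testserver sshd[1234]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=test2
Sep 18 14:19:01 testserver sshd[1234]: pam_sss(sshd:account): Access denied for user test2: 6 (Permission denied)
Sep 18 14:19:01 testserver sshd[1234]: fatal: Access denied for user test2 by PAM account configuration [preauth]
Sep 18 14:20:10 testserver sshd[1240]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=test1
Sep 18 14:20:10 testserver sshd[1240]: Accepted password for test1 from 10.0.0.5 port 51240 ssh2'

# Read log text on stdin; print one username per line for logins that passed
# authentication but were refused by pam_sss at the account stage, i.e. an
# authorization (HBAC) failure rather than a bad password.
hbac_denied_users() {
    grep 'pam_sss(sshd:account): Access denied for user ' |
        sed -n 's/.*Access denied for user \([^:]*\):.*/\1/p'
}

# Read log text on stdin; print one username per line for accepted logins,
# for contrast with the denials above.
accepted_users() {
    grep ' Accepted ' |
        sed -n 's/.*Accepted [a-z-]* for \([^ ]*\) from .*/\1/p'
}

printf '%s\n' "$SAMPLE_SECURE" | hbac_denied_users   # prints: test2
printf '%s\n' "$SAMPLE_SECURE" | accepted_users      # prints: test1
```

The point of the two greps is the distinction the reply draws: the `pam_sss(sshd:auth)` line shows Kerberos authentication succeeding for both users, while only the `account` stage line records the HBAC decision, which is why the IPA server's KDC log shows an identical, successful AS_REQ and TGS_REQ for test2.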