Hi all,


I'm facing some problems connecting an AD user to a Linux host via ssh.


I already configured the trust between the IPA server and AD.

I created an external group "grp_dba" that points to an AD group.

I created a POSIX group "admindba" that contains the external group.

I created an HBAC rule "allow_dba" to allow the group to access the host.


I did an HBAC test and it tells me that access is granted to the user. On the client host, id, getent and even su work, but I still can't ssh!


Can you please guide me?


Thank you in advance.


Here are some commands that I used and the logs:

----------

on IPA server :


[root@idm01 ~]# ipa group-show admindba
  Group name: admindba
  GID: 336200005
  Member groups: grp_dba
  Member of HBAC rule: allow_dba


[root@idm01 ~]# ipa hbactest --user=admin_dba01@dz.corp --host=zabbix.linux.dz.corp --service=sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_dba


On Client host :


[root@zabbix ~]# id admin_dba01@dz.corp
uid=1790001108(admin_dba01@dz.corp) gid=1790001108(admin_dba01@dz.corp) groups=1790001108(admin_dba01@dz.corp),1790000513(domain users@dz.corp),336200005(admindba),1790001107(grp_dba@dz.corp)


[root@zabbix ~]# geten admin_dba01@dz.corp
getenforce  getent      


[root@zabbix ~]# getent passwd admin_dba01@dz.corp
admin_dba01@dz.corp:*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:


[root@zabbix ~]# getent group admin_dba01@dz.corp
admin_dba01@dz.corp:*:1790001108:


[root@zabbix ~]# su - admin_dba01@dz.corp
Last login: Mon Feb  1 16:57:39 CET 2021 on pts/1
[admin_dba01@dz.corp@zabbix ~]$ logout
[root@zabbix ~]#



[root@zabbix ~]# journalctl -e

Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos Cache Manager...
Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos Cache Manager.
Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01@dz.corp: 6 (Permission denied)
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM: Authentication failure for admin_dba01@dz.corp from 192.168.122.1
Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed keyboard-interactive for admin_dba01@dz.corp from 192.168.122.1 port 43908 ssh2 [preauth]
Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by authenticating user admin_dba01@dz.corp 192.168.122.1 port 43908 [preauth]



-------

Best regards,
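The journal excerpt above pairs each sshd pam_sss failure with krb5_child "Ticket not yet valid" messages logged in the same second. That Kerberos error is raised when a ticket's start time lies in the future relative to the host checking it, which points at a clock difference between the client and the KDC that issued the ticket rather than at HBAC or a wrong password (su run as root never authenticates, so it never exercises Kerberos, which is consistent with su working while ssh fails). The script below is an added example, not part of the original post or of SSSD: it reads journalctl-style lines, correlates sshd's pam_sss results with nearby krb5_child time errors, and classifies each failed login so the clock check is done before touching HBAC rules. The sample lines are constructed, modelled on the format of the post's output; the five-second correlation window and the verdict labels are this example's assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample journal, modelled on the format of the lines in the post.
# First login: Kerberos time error next to the PAM denial. Second login: plain
# bad password (PAM status 7, PAM_AUTH_ERR) with no Kerberos time error nearby.
SAMPLE_JOURNAL = """\
Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp
Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user admin_dba01@dz.corp: 6 (Permission denied)
Feb 01 19:40:10 zabbix.linux.dz.corp sshd[17200]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob@dz.corp
Feb 01 19:40:10 zabbix.linux.dz.corp sshd[17200]: pam_sss(sshd:auth): received for user bob@dz.corp: 7 (Authentication failure)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
KRB_RE = re.compile(r"krb5_child\[\d+\].*?: (?P<msg>.+)$")
PAM_FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): authentication failure;"
    r".*rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
PAM_STATUS_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")

# krb5 messages that indicate a client/KDC time difference rather than a bad secret.
TIME_SKEW_MSGS = ("Ticket not yet valid", "Clock skew too great")
# Assumption of this example: a time error logged within 5 s of the PAM denial belongs to it.
SKEW_WINDOW = timedelta(seconds=5)


def parse_ts(text):
    # journalctl's default output has no year; assumes all lines come from one year.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def triage(journal_text):
    """Return one record per failed sshd login with a verdict on the likely cause."""
    skew_events = []   # (timestamp, message) for krb5_child time errors
    failures = {}      # sshd pid -> partial record, completed by the status line
    for line in journal_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, rest = parse_ts(m["ts"]), m["rest"]
        k = KRB_RE.search(rest)
        if k and k["msg"] in TIME_SKEW_MSGS:
            skew_events.append((ts, k["msg"]))
            continue
        f = PAM_FAIL_RE.search(rest)
        if f:
            failures[f["pid"]] = {"ts": ts, "user": f["user"], "rhost": f["rhost"],
                                  "pam_code": None, "pam_text": None}
            continue
        s = PAM_STATUS_RE.search(rest)
        if s and s["pid"] in failures:
            failures[s["pid"]]["pam_code"] = int(s["code"])
            failures[s["pid"]]["pam_text"] = s["text"]

    results = []
    for rec in failures.values():
        nearby = [msg for ts, msg in skew_events if abs(rec["ts"] - ts) <= SKEW_WINDOW]
        if nearby:
            # Compare the client's clock with the KDC / AD DC before touching HBAC.
            verdict = "kerberos-time-skew"
        elif rec["pam_code"] == 7:
            verdict = "bad-credentials"
        else:
            verdict = "other-pam-denial"
        results.append({**rec, "krb5_hints": nearby, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_JOURNAL):
        print(f"{r['ts']:%b %d %H:%M:%S} {r['user']} from {r['rhost']}: "
              f"{r['verdict']} (pam {r['pam_code']} {r['pam_text']}; krb5: {r['krb5_hints']})")
```

Run it against `journalctl -u sshd -u sssd --no-pager -o short` output piped to a file to see whether every denial for the user is accompanied by a time error; if so, the fix is on the clock side (NTP/chrony on the client and the domain controllers), and the HBAC rule is not the problem.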