Hi Rob,

That was the issue. Many thanks.
The AD server was in a different timezone.

Now it works.

BR,

On Mon, Feb 1, 2021 at 8:04 PM Rob Crittenden <rcritten@redhat.com> wrote:
Mustapha Aissat via FreeIPA-users wrote:
> Hi all,
>
>
> I'm facing some problems with connecting AD user to Linux host via ssh.
>
>
> I already configure the trust between IPA server and AD.
>
> I create an external group "*grp_dba*" to point on AD group
>
> I create a posix group "*admindba*" that contain the external group
>
> I create a HBAC rule "*allow_dba*" to allow the group to access the host.
>
>
> I did an HBAC test and it tells me that the access is granted to the
> user. On the Client host, id, getent and even su work. but I still can't
> do an ssh!
>
>
> Can you please guide me?
>
>
> Thank you in advance.
>
>
> Here some commands  that I used and logs
>
> ----------
>
> _on IPA server :_
>
>
> [root@idm01 ~]# *ipa group-show admindba*
>   Group name: admindba
>   GID: 336200005
>   Member groups: grp_dba
>   Member of HBAC rule: allow_dba
>
>
> [root@idm01 ~]# *ipa hbactest --user=admin_dba01@dz.corp
> --host=zabbix.linux.dz.corp --service=sshd*
> --------------------
> Access granted: True
> --------------------
>   Matched rules: allow_dba
>
>
> _On Client host :_
>
>
> [root@zabbix ~]# *id admin_dba01@dz.corp*
> uid=1790001108(admin_dba01@dz.corp) gid=1790001108(admin_dba01@dz.corp)
> groups=1790001108(admin_dba01@dz.corp),1790000513(domain
> users@dz.corp),336200005(admindba),1790001107(grp_dba@dz.corp)
>
>
> [root@zabbix ~]# *geten admin_dba01@dz.corp*
> getenforce  getent      
>
>
> [root@zabbix ~]# *getent passwd admin_dba01@dz.corp*
> admin_dba01@dz.corp:*:1790001108:1790001108:admin_dba01:/home/dz.corp/admin_dba01:
>
>
> [root@zabbix ~]# *getent group admin_dba01@dz.corp*
> admin_dba01@dz.corp:*:1790001108:
>
>
> [root@zabbix ~]# *su - admin_dba01@dz.corp*
> Last login: Mon Feb  1 16:57:39 CET 2021 on pts/1
> *[admin_dba01@dz.corp@zabbix ~]$ logout*
> [root@zabbix ~]#
>
>
>
> [root@zabbix ~]# *journalctl -e*
>
> Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Starting SSSD Kerberos
> Cache Manager...
> Feb 01 19:32:33 zabbix.linux.dz.corp systemd[1]: Started SSSD Kerberos
> Cache Manager.
> Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up
> Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]:
> Ticket not yet valid

Looks to me like the system is not in time sync with the KDC.

rob

> Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]:
> Ticket not yet valid
> Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]:
> Ticket not yet valid
> Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]:
> Ticket not yet valid
> Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.122.1 user=admin_dba01@dz.corp
> Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth):
> received for user admin_dba01@dz.corp: 6 (Permission denied)
> Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: error: PAM:
> Authentication failure for admin_dba01@dz.corp from 192.168.122.1
> Feb 01 19:32:35 zabbix.linux.dz.corp sshd[17076]: Postponed
> keyboard-interactive for admin_dba01@dz.corp from 192.168.122.1 port
> 43908 ssh2 [preauth]
> Feb 01 19:32:36 zabbix.linux.dz.corp sshd[17076]: Connection closed by
> authenticating user admin_dba01@dz.corp 192.168.122.1 port 43908 [preauth]
>
>
>
> -------
>
> Best regards,
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
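An added example for the failure this thread diagnoses (not code from the thread or from SSSD/FreeIPA): it triages journald lines like those quoted above, correlating `krb5_child` "Ticket not yet valid" errors with `pam_sss` authentication failures, and models the Kerberos acceptance rule that produces that error. The sample log lines are constructed from the thread (rejoined to one line each, as journald emits them); the 300-second skew tolerance is the MIT krb5 `clockskew` default.

```python
"""Triage SSSD/Kerberos "Ticket not yet valid" failures as clock skew."""
import re
from datetime import datetime, timedelta

# journald line shapes seen in the thread (sssd krb5_child and pam_sss)
KRB5_RE = re.compile(r"\[sssd\[krb5_child\[(\d+)\]\]\]\[\d+\]: (.*)$")
PAM_RE = re.compile(r"pam_sss\((\w+):auth\): authentication failure; .* user=(\S+)")

DEFAULT_CLOCKSKEW = timedelta(seconds=300)  # MIT krb5 default clockskew


def ticket_not_yet_valid(client_now, ticket_start, clockskew=DEFAULT_CLOCKSKEW):
    """True when the ticket's start time lies further in the client's future
    than the allowed skew, i.e. the client clock lags the KDC too much."""
    return ticket_start - client_now > clockskew


def triage(lines):
    """Count krb5_child error messages, collect users failing PAM auth, and
    return a verdict: repeated 'Ticket not yet valid' alongside pam_sss
    failures is the clock-skew signature from the thread."""
    krb_errors = {}
    failed_users = set()
    for line in lines:
        m = KRB5_RE.search(line)
        if m:
            krb_errors[m.group(2)] = krb_errors.get(m.group(2), 0) + 1
            continue
        m = PAM_RE.search(line)
        if m:
            failed_users.add(m.group(2))
    skew_hits = krb_errors.get("Ticket not yet valid", 0)
    verdict = "clock skew vs KDC" if skew_hits and failed_users else "no skew signature"
    return {"krb_errors": krb_errors, "failed_users": sorted(failed_users), "verdict": verdict}


# Constructed sample, rejoined from the wrapped lines quoted in the thread.
SAMPLE_JOURNAL = [
    "Feb 01 19:32:33 zabbix.linux.dz.corp sssd[kcm][17086]: Starting up",
    "Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17083]]][17083]: Ticket not yet valid",
    "Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid",
    "Feb 01 19:32:33 zabbix.linux.dz.corp [sssd[krb5_child[17087]]][17087]: Ticket not yet valid",
    "Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=admin_dba01@dz.corp",
    "Feb 01 19:32:33 zabbix.linux.dz.corp sshd[17080]: pam_sss(sshd:auth): received for user "
    "admin_dba01@dz.corp: 6 (Permission denied)",
]

if __name__ == "__main__":
    print(triage(SAMPLE_JOURNAL))
    now = datetime(2021, 2, 1, 19, 32, 33)
    print(ticket_not_yet_valid(now, now + timedelta(minutes=6)))  # client 6 min behind KDC
```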