Hi Jakub!


I have shared the web link to the logs with you in a personal message.


Both the IPA client and IPA server logs were collected with "debug_level=10".

The issue time is Apr 11 14:15:09.


From: Jakub Hrozek <jhrozek@redhat.com>
Sent: 11 April 2018 21:49:28
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: sssd-1.16.1 loses POSIX group mapped from AD trusted domain


> On 11 Apr 2018, at 17:26, A.Miroshnichenko@rtk-dc.ru wrote:
>
> Hi,
>
> We have AD-trusted FreeIPA environment.
> I installed sssd-1.16.1 on IPA servers and client hosts.
> The POSIX user group "ad_app_admins" is mapped to app-admins@ADTrustedDomain.
> Sometimes an AD user fails to log in on hosts: sssd cannot see the mapping. The AD user's groups show correctly for the user, but the POSIX user group is lost.
>
> When login success:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
> ...
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user [ADuser]
>
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         RULE [allow_admin_mgmt_hosts] [ENABLED]:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         services:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 services_names:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [sshd]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 services_groups (none)
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         users:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 users_names (none)
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 users_groups:
> ...
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [ad_app_admins]
> ...
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         targethosts:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 targethosts_names (none)
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 targethosts_groups:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [admin-mng-hosts]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         srchosts:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): ALLOWED by rule [allow_admin_mgmt_hosts].
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_admin_mgmt_hosts]
>
> ========================================================
>
> When login failed:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]

OK, here the user is missing one group membership.

But I’m not sure how to help you with this limited log snippet. Did you observe some pattern that could help us reproduce the issue locally? Can you share the log files?

> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
> ...
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
>                                    <----- There is no message "Added group [ad_app_admins] for user [ADuser]"
>
>
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         RULE [allow_admin_mgmt_hosts] [ENABLED]:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         services:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 services_names:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [sshd]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 services_groups (none)
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         users:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 users_names (none)
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 users_groups:
> ...
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [ad_app_admins]
> ...
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         targethosts:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 targethosts_names (none)
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 targethosts_groups:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                         [admin-mng-hosts]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000):         srchosts:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): The rule [allow_admin_mgmt_hosts] did not match.
>
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
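The two quoted excerpts differ in exactly two places: the "[N] groups for [user]" count (16 on success, 15 on failure) and the absence of the "Added group [ad_app_admins] for user [ADuser]" line in the failing run, even though the AD group app-admins@ADTrustedDomain is still listed (as a skipped non-IPA group) in both. The following script, added here as an example and not part of SSSD or of either poster's material, parses a debug_level=10 backend log, groups the hbac_eval_user_element / ipa_hbac_evaluate_rules lines into per-evaluation records, and reports evaluations where the AD group was present but its mapped IPA external group was never added, plus any user whose group count varies between evaluations. The embedded log is constructed from the lines quoted in the thread; the function names and record layout are this example's own.

```python
import re

# Constructed sample, abridged from the log snippets quoted in the thread:
# an evaluation at 15:05:36 where the mapped group was added, and one at
# 14:15:09 where it was not. The grep-style "file:" prefix is kept on purpose.
SAMPLE_LOG = """\
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user [ADuser]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_admin_mgmt_hosts]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
"""

# One SSSD backend debug line: optional "file.log:" prefix, timestamp,
# provider tag, function name, debug level, message.
LINE_RE = re.compile(
    r"^(?:\S+\.log:)?\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
COUNT_RE = re.compile(r"^\[(?P<n>\d+)\] groups for \[(?P<user>[^\]]+)\]$")
SKIP_RE = re.compile(r"^Skipping non-IPA group name=(?P<name>[^,]+),")
ADDED_RE = re.compile(r"^Added group \[(?P<group>[^\]]+)\] for user \[")
RESULT_RE = re.compile(r"^Access (?P<verdict>granted|denied)")

WANTED_FUNCS = ("hbac_eval_user_element", "ipa_hbac_evaluate_rules")


def parse_evaluations(text):
    """Split a debug log into one record per HBAC evaluation, keyed by the
    timestamp shared by its hbac_eval_user_element / ipa_hbac_evaluate_rules
    lines (SSSD logs at one-second resolution, so one timestamp is one run)."""
    records, by_ts = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("func") not in WANTED_FUNCS:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        rec = by_ts.get(ts)
        if rec is None:
            rec = {"ts": ts, "user": None, "count": None,
                   "skipped": [], "added": [], "verdict": None}
            by_ts[ts] = rec
            records.append(rec)
        c = COUNT_RE.match(msg)
        s = SKIP_RE.match(msg)
        a = ADDED_RE.match(msg)
        r = RESULT_RE.match(msg)
        if c:
            rec["count"] = int(c.group("n"))
            rec["user"] = c.group("user")
        elif s:
            rec["skipped"].append(s.group("name"))
        elif a:
            rec["added"].append(a.group("group"))
        elif r:
            rec["verdict"] = r.group("verdict")
    return records


def find_lost_mappings(records, ad_group, ipa_group):
    """Report evaluations where the AD group was present in the user's
    membership (it shows up as a skipped non-IPA group) but the IPA external
    group it is mapped to was never added before the rules were evaluated."""
    return [
        {"ts": rec["ts"], "user": rec["user"],
         "count": rec["count"], "verdict": rec["verdict"]}
        for rec in records
        if ad_group in rec["skipped"] and ipa_group not in rec["added"]
    ]


def group_count_drift(records):
    """Map each user to the distinct group counts seen across evaluations;
    more than one value means the cached membership changed between lookups."""
    counts = {}
    for rec in records:
        if rec["user"] is not None and rec["count"] is not None:
            counts.setdefault(rec["user"], set()).add(rec["count"])
    return counts


if __name__ == "__main__":
    recs = parse_evaluations(SAMPLE_LOG)
    for f in find_lost_mappings(recs, "app-admins@ADTrustedDomain", "ad_app_admins"):
        print(f"{f['ts']}: {f['user']} had {f['count']} groups, "
              f"ad_app_admins was not added, access {f['verdict']}")
    for user, seen in group_count_drift(recs).items():
        if len(seen) > 1:
            print(f"{user}: group count varied across evaluations: {sorted(seen)}")
```

Run it against a real sssd_<domain>.log with the AD group and the IPA external group name substituted for the two literals; a hit pins down the timestamps where the membership list returned by the cache lacked the mapped group, which is the window to compare against the IPA server's log (and against the next group refresh) when narrowing a reproducer for the upstream report.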