On 11 Apr 2018, at 17:26, A.Miroshnichenko(a)rtk-dc.ru wrote:
Hi,
We have an AD-trusted FreeIPA environment.
I installed sssd-1.16.1 on IPA servers and client hosts.
POSIX user group "ad_app_admins" is mapped to app-admins@ADTrustedDomain.
Sometimes an AD user fails to log in on hosts. sssd cannot see the mapping. AD user groups show
correctly for the user, but the POSIX user group is lost.
When login success:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_eval_user_element] (0x0200): Skipping non-IPA group
name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_eval_user_element] (0x0200): Skipping non-IPA group
name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user [ADuser]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): RULE [allow_admin_mgmt_hosts] [ENABLED]:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): services:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): services_names:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): [sshd]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): services_groups (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): users:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): users_names (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): users_groups:
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): [ad_app_admins]
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): targethosts:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): targethosts_names (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): targethosts_groups:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): [admin-mng-hosts]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): srchosts:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate]
(0x0100): ALLOWED by rule [allow_admin_mgmt_hosts].
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate]
(0x0100): hbac_evaluate() >]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]]
[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_admin_mgmt_hosts]
========================================================
When login failed:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]
OK, here the user is missing one group membership.
But I’m not sure how to help you with this limited log snippet. Did you observe some
pattern that could help us reproduce the issue locally? Can you share the log files?
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_eval_user_element] (0x0200): Skipping non-IPA group
name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_eval_user_element] (0x0200): Skipping non-IPA group
name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
<----- There is no message "Added group
[ad_app_admins] for user [ADuser]"
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): RULE [allow_admin_mgmt_hosts] [ENABLED]:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): services:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): services_names:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): [sshd]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): services_groups (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): users:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): users_names (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): users_groups:
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): [ad_app_admins]
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): targethosts:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): targethosts_names (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): targethosts_groups:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): [admin-mng-hosts]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_debug_print] (0x2000): srchosts:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_evaluate]
(0x0100): The rule [allow_admin_mgmt_hosts] did not match.
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]]
[ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
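The symptom in the thread is visible in the sssd_ipa.domain.log trace alone: the external group "app-admins@ADTrustedDomain" is listed as skipped in both runs, but in the failing run the line "Added group [ad_app_admins] for user [ADuser]" never appears, the group count drops from 16 to 15, and the HBAC rule keyed on [ad_app_admins] no longer matches. The following script is an added example (not part of the thread and not SSSD code) that scans such a log and flags evaluations where an external group was seen but the IPA POSIX group it is expected to map to was never added. The mapping table EXPECTED_MAPPINGS and the two sample logs are constructed for illustration; the sample entries reuse the message texts quoted in the thread, re-joined onto single lines as sssd writes them, and the regexes only cover the messages shown there.

```python
"""Flag HBAC evaluations in an sssd IPA backend log where an AD (external) group
was seen but its mapped IPA POSIX group was never added to the user's groups.

Added example for the sssd-users thread above; not SSSD code.  The mapping table
and sample log lines are constructed, reusing the messages quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# Message formats quoted in the thread (high debug_level trace output).
RE_GROUP_COUNT = re.compile(
    r"\[hbac_eval_user_element\] \(0x1000\): \[(\d+)\] groups for \[([^\]]+)\]")
RE_SKIP = re.compile(r"Skipping non-IPA group name=([^,]+),")
RE_ADDED = re.compile(r"Added group \[([^\]]+)\] for user \[([^\]]+)\]")
RE_ALLOWED = re.compile(r"\[hbac_evaluate\].*ALLOWED by rule \[([^\]]+)\]")
RE_DENIED = re.compile(r"\[ipa_hbac_evaluate_rules\].*Access denied by HBAC rules")

# Assumed: which IPA POSIX group each external AD group should resolve to.
EXPECTED_MAPPINGS = {"app-admins@ADTrustedDomain": "ad_app_admins"}


@dataclass
class HbacEvaluation:
    user: str
    group_count: int = 0
    external_groups: list = field(default_factory=list)  # skipped non-IPA groups
    ipa_groups: list = field(default_factory=list)       # groups actually added
    result: str = "unknown"                              # allowed / denied / unknown
    rule: str = ""


def parse_evaluations(lines):
    """Split a log into one record per '[N] groups for [user]' evaluation."""
    evals, cur = [], None
    for line in lines:
        m = RE_GROUP_COUNT.search(line)
        if m:
            cur = HbacEvaluation(user=m.group(2), group_count=int(m.group(1)))
            evals.append(cur)
            continue
        if cur is None:
            continue
        if m := RE_SKIP.search(line):
            cur.external_groups.append(m.group(1))
        elif m := RE_ADDED.search(line):
            cur.ipa_groups.append(m.group(1))
        elif m := RE_ALLOWED.search(line):
            cur.result, cur.rule = "allowed", m.group(1)
        elif RE_DENIED.search(line):
            cur.result = "denied"
    return evals


def missing_mappings(evaluation, expected):
    """External groups seen in the evaluation whose mapped IPA group was not added."""
    return [ext for ext in evaluation.external_groups
            if ext in expected and expected[ext] not in evaluation.ipa_groups]


def report(lines, expected=EXPECTED_MAPPINGS):
    """One finding string per evaluation that lost an expected group mapping."""
    findings = []
    for ev in parse_evaluations(lines):
        for ext in missing_mappings(ev, expected):
            findings.append(f"{ev.user}: external group {ext} seen but IPA group "
                            f"{expected[ext]} not added ({ev.group_count} groups, "
                            f"HBAC result {ev.result})")
    return findings


# Constructed samples based on the two runs quoted in the thread.
_OK = "(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] "
_BAD = "(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] "
SKIP1 = "[hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb"
SKIP2 = "[hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb"
OK_LOG = [
    _OK + "[hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]",
    _OK + SKIP1,
    _OK + SKIP2,
    _OK + "[hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user [ADuser]",
    _OK + "[hbac_evaluate] (0x0100): ALLOWED by rule [allow_admin_mgmt_hosts].",
    _OK + "[ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_admin_mgmt_hosts]",
]
FAIL_LOG = [
    _BAD + "[hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]",
    _BAD + SKIP1,
    _BAD + SKIP2,
    _BAD + "[hbac_evaluate] (0x0100): The rule [allow_admin_mgmt_hosts] did not match.",
    _BAD + "[ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules",
]

if __name__ == "__main__":
    for name, log in (("success run", OK_LOG), ("failed run", FAIL_LOG)):
        print(name, "->", report(log) or "no missing mappings")
```

Run it against a real sssd_ipa.domain.log (one entry per line) by replacing the sample lists with the file's lines; the report names the user, the external group that was skipped without its IPA counterpart, and the HBAC outcome, which is enough to correlate the intermittent failures with their timestamps before asking the list for help with full logs.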