#3745 Can't figure out why a user IS able to log in without an HBAC rule
Closed: Invalid 5 years ago Opened 5 years ago by gerases.

Hi,

I've got a mystery problem with an IPA user (let's call it user A) who doesn't have a password and does not belong to an HBAC rule. This is a role account for some automation I would like to use.

I log in with that user using ssh and GSSAPI based on the user's keytab. Setting the debug level to 0x3ff0 shows that after checking the user's groups, sssd just prints a message about opening a PAM session. No messages about why access was granted.

When I log in as another user that does belong to an HBAC rule, I see messages like this:

Access granted by HBAC rule [SOME_RULE_NAME]

What makes it possible for user A to be granted ssh access without an HBAC rule?



If you set the debug level to a higher level you will see all the rules evaluated in detail. (Setting the debug level to 10 will give you maybe even more info than you hoped for …)


I've set it to 10 and I do see a lot more output, but still no messages about which HBAC rule allowed the user access. It looks like hbac is just skipped? For other users I see: hbac_rule_element_debug_print lines followed by pam_print_data. For this user, I just see pam_print_data at the end of the login. Nothing about HBAC.

To make HBAC rules work, the service, sshd in this case, must call the needed PAM calls.

Please check if 'UsePAM' is set to 'yes' in /etc/ssh/sshd_config and that pam_sss is called in the 'account' part of sshd PAM configuration, e.g. /etc/pam.d/sshd.

UsePAM is set to yes and pam_sss is used in the account section of pam configs. Note, HBAC rules are consulted for all other users I've tried.

Is there by chance a local user with the same name which shortcuts the PAM checks?

I found the reason!!!

The account line of the pam file has a sufficient rule based on the uid range. And so HBAC logic was completely skipped for that user since its UID fell in the range.

Mystery solved. Thank you, @sbose, for clueing me in on the fact that HBAC logic is turned on in the account portion of PAM.

Woot, woot! I can now go to bed :)
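The short-circuit this post describes, as an added example (not from the thread or from the SSSD project): a small Python auditor that parses a PAM `account` stack, lists every `sufficient` entry that precedes `pam_sss.so`, and reports whether a given UID would satisfy a `pam_succeed_if` range test, in which case the stack returns success before pam_sss and HBAC is never evaluated. The sample stack is constructed to resemble a common distro default and is an assumption, not the reporter's actual file.

```python
import re

# Constructed sample 'account' stack (assumption, modelled on a common distro default,
# not the reporter's actual file). The `sufficient pam_succeed_if.so uid < 1000` line
# is the pattern the thread found: a matching UID returns success before pam_sss runs.
SAMPLE_PAM_ACCOUNT = """\
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# pam_succeed_if numeric comparisons: <, <=, >, >=, eq, ne
UID_RE = re.compile(r"\buid\s+(<=|>=|<|>|eq|ne)\s+(\d+)")
NUM_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "eq": lambda a, b: a == b, "ne": lambda a, b: a != b}


def parse_account_stack(text):
    """Return (control, module, args) for each 'account' line, in stack order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "account":
            entries.append((m.group(2), m.group(3), m.group(4)))
    return entries


def shortcuts_before_sss(entries):
    """'sufficient' modules ahead of pam_sss.so. If one of them succeeds, the account
    stack ends with success and pam_sss (hence HBAC) is never consulted."""
    found = []
    for control, module, args in entries:
        if module.startswith("pam_sss"):
            break
        if control == "sufficient":
            found.append((module, args))
    return found


def uid_skips_hbac(entries, uid):
    """True when a 'sufficient' pam_succeed_if UID test before pam_sss matches uid."""
    for module, args in shortcuts_before_sss(entries):
        m = UID_RE.search(args) if module.startswith("pam_succeed_if") else None
        if m and NUM_OPS[m.group(1)](uid, int(m.group(2))):
            return True
    return False
```

Run it against the real `/etc/pam.d/sshd` (and any `include`d system-auth file) to list the entries that can return before pam_sss; `pam_localuser.so` shows up too, which is the local-user case @sbose asked about.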

:), good night, I'll close the ticket.

Metadata Update from @sbose:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)


SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4753

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
