#8539 HBAC rules search issue via freeipa-client
Closed: invalid 3 years ago by abbra. Opened 3 years ago by bkakakym.

Issue

Access denied to Linux host via ssh because no HBAC rules are found, even though the rule exists

Steps to Reproduce

1. Install freeipa-client on the host
2. Enroll the host to FreeIPA
3. Try to log in to the host via ssh

Actual behavior

Connection closed by remote host.

Version/Release/Distribution

Tested on Ubuntu 16 (freeipa-client 4.3.1), Ubuntu 18 (freeipa-client 4.7.0) and Fedora 32 (FreeIPA client and server, both 4.8.10-5).

I set debug_level = 10 in sssd.conf and got this message:

    [ipa_pam_access_handler_done] (0x0020): No HBAC rules find, denying access

I checked the rules; they exist and are enabled:

```
root@testub182:~# ldapsearch -Y GSSAPI -H ldap://ipx.example.net:389 -b 'cn=hbac,dc=example,dc=net' '(&(objectClass=ipahbacrule)(ipaEnabledFlag=TRUE))'
SASL/GSSAPI authentication started
SASL username: username@example.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=hbac,dc=example,dc=net> with scope subtree
# filter: (&(objectClass=ipahbacrule)(ipaEnabledFlag=TRUE))
# requesting: ALL
#

# 94339ce4-1042-11ea-889a-fa4293121f76, hbac, example.net
dn: ipaUniqueID=94339ce4-1042-11ea-889a-fa4293121f76,cn=hbac,dc=example,dc=net
objectClass: ipaassociation
objectClass: ipahbacrule
cn: allow_systemd-user
accessRuleType: allow
userCategory: all
hostCategory: all
memberService: cn=systemd-user,cn=hbacservices,cn=hbac,dc=example,dc=net
ipaEnabledFlag: TRUE
description: Allow pam_systemd to run user@.service to create a system user session
ipaUniqueID: 94339ce4-1042-11ea-889a-fa4293121f76

# a1801642-f823-11ea-8f1f-fa4293121f76, hbac, example.net
dn: ipaUniqueID=a1801642-f823-11ea-8f1f-fa4293121f76,cn=hbac,dc=example,dc=net
cn: Allow ALL
accessRuleType: allow
objectClass: ipaassociation
objectClass: ipahbacrule
ipaEnabledFlag: TRUE
ipaUniqueID: a1801642-f823-11ea-8f1f-fa4293121f76
serviceCategory: all
userCategory: all
hostCategory: all
description: rule all to all

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
```

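The two rules in the ldapsearch output above, run through a simplified HBAC matcher as an added example (not code from the ticket or from the FreeIPA/SSSD projects): it shows that `allow_systemd-user` covers only the `systemd-user` service while `Allow ALL` also matches `sshd`, so the rules stored on the server do permit an ssh login. The user and host names are constructed, and group expansion is omitted.

```python
# Added example (not from the ticket or FreeIPA): simplified HBAC matching over
# the two rules quoted above. Only <kind>Category=all and direct member DNs are
# handled; real SSSD/IPA evaluation also expands user, host and service groups.

# Constructed LDIF excerpt of the two rules shown in the ldapsearch output.
LDIF = """\
dn: ipaUniqueID=94339ce4-1042-11ea-889a-fa4293121f76,cn=hbac,dc=example,dc=net
cn: allow_systemd-user
accessRuleType: allow
userCategory: all
hostCategory: all
memberService: cn=systemd-user,cn=hbacservices,cn=hbac,dc=example,dc=net
ipaEnabledFlag: TRUE

dn: ipaUniqueID=a1801642-f823-11ea-8f1f-fa4293121f76,cn=hbac,dc=example,dc=net
cn: Allow ALL
accessRuleType: allow
serviceCategory: all
userCategory: all
hostCategory: all
ipaEnabledFlag: TRUE
"""

def parse_ldif(text):
    """Split LDIF into entries: each is a dict attribute -> list of values."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():              # blank line ends an entry
            entries.append({})
        else:
            attr, _, val = line.partition(": ")
            entries[-1].setdefault(attr, []).append(val)
    return [e for e in entries if e]

def _matches(rule, kind, value):
    """kind is 'user', 'host' or 'service': <kind>Category=all matches
    anything; otherwise compare the RDN value (uid=/fqdn=/cn=) of member DNs."""
    if rule.get(kind + "Category", [""])[0].lower() == "all":
        return True
    members = rule.get("member" + kind.capitalize(), [])
    rdns = (dn.split(",", 1)[0].split("=", 1)[1] for dn in members)
    return any(v.lower() == value.lower() for v in rdns)

def allowing_rules(rules, user, host, service):
    """Names of enabled allow rules matching the (user, host, service) triple."""
    return [r["cn"][0] for r in rules
            if r.get("ipaEnabledFlag", ["FALSE"])[0] == "TRUE"
            and r.get("accessRuleType", [""])[0] == "allow"
            and all(_matches(r, k, v) for k, v in
                    (("user", user), ("host", host), ("service", service)))]
```

The authoritative check on a real deployment is `ipa hbactest --user <user> --host <fqdn> --service sshd`, which also expands groups and reports which rules matched.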

Please do not use the issue reporting system to debug your deployment. The project's issue system is used to track development progress. Instead, please use the freeipa-users@ or sssd-users@ mailing lists to navigate through deployment problems.

As far as I can see, there is nothing broken on IPA server side itself. You are dealing with something on the client side.

I am closing this issue.

Metadata Update from @abbra:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

3 years ago
