Access denied to Linux host via SSH because no HBAC rules are found, even though the rule exists
1. Install freeipa-client on the host
2. Enroll the host in FreeIPA
3. Try to log in to the host via SSH

Result: connection closed by remote host.
Tested on Ubuntu 16 (freeipa-client 4.3.1), Ubuntu 18 (freeipa-client 4.7.0) and Fedora 32 (FreeIPA client and server, both 4.8.10-5).
I set debug_level = 10 in sssd.conf and got this message: [ipa_pam_access_handler_done] (0x0020): No HBAC rules find, denying access
I checked the rules, and they exist and are enabled:
```
root@testub182:~# ldapsearch -Y GSSAPI -H ldap://ipx.example.net:389 -b 'cn=hbac,dc=example,dc=net' '(&(objectClass=ipahbacrule)(ipaEnabledFlag=TRUE))'
SASL/GSSAPI authentication started
SASL username: username@example.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=hbac,dc=example,dc=net> with scope subtree
# filter: (&(objectClass=ipahbacrule)(ipaEnabledFlag=TRUE))
# requesting: ALL
#

# 94339ce4-1042-11ea-889a-fa4293121f76, hbac, example.net
dn: ipaUniqueID=94339ce4-1042-11ea-889a-fa4293121f76,cn=hbac,dc=example,dc=net
objectClass: ipaassociation
objectClass: ipahbacrule
cn: allow_systemd-user
accessRuleType: allow
userCategory: all
hostCategory: all
memberService: cn=systemd-user,cn=hbacservices,cn=hbac,dc=example,dc=net
ipaEnabledFlag: TRUE
description: Allow pam_systemd to run user@.service to create a system user session
ipaUniqueID: 94339ce4-1042-11ea-889a-fa4293121f76

# a1801642-f823-11ea-8f1f-fa4293121f76, hbac, example.net
dn: ipaUniqueID=a1801642-f823-11ea-8f1f-fa4293121f76,cn=hbac,dc=example,dc=net
cn: Allow ALL
accessRuleType: allow
objectClass: ipaassociation
objectClass: ipahbacrule
ipaEnabledFlag: TRUE
ipaUniqueID: a1801642-f823-11ea-8f1f-fa4293121f76
serviceCategory: all
userCategory: all
hostCategory: all
description: rule all to all

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2
```
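To see what the two rules above should decide for an SSH login, here is an added worked example (not FreeIPA or SSSD code, and not part of the original report) that parses the LDIF returned by the search and evaluates it the way an HBAC allow rule is matched: a login is permitted when at least one enabled `allow` rule matches the user, the host and the PAM service. The sample LDIF is constructed from the two entries in the report; the user and host DNs it builds under `dc=example,dc=net` are assumptions for illustration, and nested groups and hostgroups are deliberately not handled.

```python
"""Minimal HBAC allow-rule evaluator over the rules from the ldapsearch above.

Added example, not FreeIPA/SSSD code.  A rule matches a (user, host, service)
triple when, for each of the three dimensions, the rule's *Category is 'all'
or the corresponding member* attribute lists the subject's DN.  Group and
hostgroup membership is out of scope here.
"""
from collections import defaultdict

# Constructed from the two enabled rules in the report (description omitted).
SAMPLE_LDIF = """\
dn: ipaUniqueID=94339ce4-1042-11ea-889a-fa4293121f76,cn=hbac,dc=example,dc=net
objectClass: ipaassociation
objectClass: ipahbacrule
cn: allow_systemd-user
accessRuleType: allow
userCategory: all
hostCategory: all
memberService: cn=systemd-user,cn=hbacservices,cn=hbac,dc=example,dc=net
ipaEnabledFlag: TRUE

dn: ipaUniqueID=a1801642-f823-11ea-8f1f-fa4293121f76,cn=hbac,dc=example,dc=net
cn: Allow ALL
accessRuleType: allow
objectClass: ipaassociation
objectClass: ipahbacrule
ipaEnabledFlag: TRUE
serviceCategory: all
userCategory: all
hostCategory: all
"""

BASE = "dc=example,dc=net"  # assumed suffix, taken from the search base above


def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no line continuations) into a
    list of {attribute: [values]} dicts, one per entry.  Attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def _matches(rule, category_attr, member_attr, dn):
    """One dimension of a rule: category 'all' or explicit member DN."""
    if rule.get(category_attr, [""])[0].lower() == "all":
        return True
    return dn.lower() in (v.lower() for v in rule.get(member_attr, []))


def matching_rules(rules, user, host, service):
    """Return the cn of every enabled allow rule matching the triple."""
    user_dn = f"uid={user},cn=users,cn=accounts,{BASE}"         # assumed layout
    host_dn = f"fqdn={host},cn=computers,cn=accounts,{BASE}"    # assumed layout
    svc_dn = f"cn={service},cn=hbacservices,cn=hbac,{BASE}"
    hits = []
    for rule in rules:
        if rule.get("ipaenabledflag", ["FALSE"])[0].upper() != "TRUE":
            continue  # disabled rules never grant access
        if rule.get("accessruletype", ["allow"])[0].lower() != "allow":
            continue
        if (_matches(rule, "usercategory", "memberuser", user_dn)
                and _matches(rule, "hostcategory", "memberhost", host_dn)
                and _matches(rule, "servicecategory", "memberservice", svc_dn)):
            hits.append(rule["cn"][0])
    return hits


def hbac_allows(rules, user, host, service):
    """Access is granted iff at least one allow rule matched."""
    return bool(matching_rules(rules, user, host, service))


def without_rule(rules, cn):
    """Copy of the rule set with one rule dropped, to show the deny case."""
    return [r for r in rules if r["cn"][0] != cn]


if __name__ == "__main__":
    rules = parse_ldif(SAMPLE_LDIF)
    for svc in ("sshd", "systemd-user"):
        print(svc, matching_rules(rules, "username", "testub182.example.net", svc))
    print("sshd without 'Allow ALL':",
          hbac_allows(without_rule(rules, "Allow ALL"),
                      "username", "testub182.example.net", "sshd"))
```

Run against the rules as listed on the server, `sshd` is matched by `Allow ALL` and `systemd-user` by both rules; only once `Allow ALL` is removed does `sshd` fall through with no matching rule, which is the decision the SSSD log line reports. The server-side equivalent of this check is `ipa hbactest --user=<user> --host=<fqdn> --service=sshd`; SSSD on the client evaluates its own cached copy of the rules, so the two can disagree when the client side is the problem.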
Please do not use issue reporting system to debug your deployment. Project's issue system is used to track development progress. Instead, please use freeipa-users@ or sssd-users@ mailing lists to navigate through deployment problems.
As far as I can see, there is nothing broken on IPA server side itself. You are dealing with something on the client side.
I am closing this issue.
Metadata Update from @abbra: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)