Frank Bergmann via FreeIPA-users wrote:
> On Tue, Oct 28, 2025 at 10:34:46AM -0400, Rob Crittenden via FreeIPA-users wrote:
>> Frank Bergmann via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I had an issue that an account was not allowed to log in to a host.
>>> A call of hbactest with given user/host/service did show "granted
>>> false".
>>> With specifying the rule with "--rules=backup-backup" it did show
>>> "granted true".
>>> Checking the output of the first hbactest run it did show "Configured
>>> size limit exceeded".
>>> Then I set searchrecordslimit to -1 and the issue was gone, the account
>>> could log in to the host.
>>>
>>> Am I missing something or is this a bug?
>>>
>>> details: ipa-server-4.9.13-20 RPM and 102 hbacrules
>>
>> The default search size limit is 100 and you have 102 rules. You can
>> either increase the limit, which will affect all searches, or try
>> passing the limit with the hbactest command.
>>
>> I don't recommend setting it to -1.
> 
> Hi Rob,
> 
> thank you.
> But hbactest was not the actual issue (I know option --sizelimit).
> hbactest did just "show" me that we have more than 100 rules.
> The issue was that the login didn't work. And after removing the limit
> the login did work.

I don't believe that SSSD relied on this limit, it should only be for
calls to the IPA API by IPA. SSSD also does heavy caching of HBAC and
SUDO rules so maybe that was involved.

rob
