We are transitioning from one IPA instance to a new IPA instance. The version of the IPA instances is the same, and all is functioning normally on the existing IPA, but when I attempt to transition a host to the new IPA instance, I get the following in my logs when I attempt an SSH:

    [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to 'all'.
    [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to 'all'.
    [sssd[be[dev.ca1.sfmc.co]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
    [sssd[be[dev.ca1.sfmc.co]]] [hbac_get_category] (5): Category is set to 'all'.
    [sssd[be[dev.ca1.sfmc.co]]] [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
    [sssd[be[dev.ca1.sfmc.co]]] [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
    [sssd[be[dev.ca1.sfmc.co]]] [be_pam_handler_callback] (4): Backend returned: (0, 6, <NULL>) [Success]

The HBAC rule, according to the test, will grant me access since I'm in the appropriate group.

    Rule name: hbac_techops
    Host category: all
    Service category: all
    Description: TechOps Access
    Enabled: TRUE
    User Groups: ug-techops

I'm not sure what "No host specified, rule will never apply" means. I attempted to add the host to the rule rather than use a hostgroup, but the result is the same.

Server - RH 6.4, ipa-server-3.0.0-37.el6.x86_64
Client - Ubuntu 10, sssd 1.5.15-0ubuntu6~lucid2

sssd.conf

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = dev.ca1.sfmc.co

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3

    [pam]
    reconnection_retries = 3

    [domain/dev.ca1.sfmc.co]
    debug_level = 5
    enumerate = true
    cache_credentials = true
    id_provider = ipa
    auth_provider = ipa
    chpass_provider = ipa
    access_provider = ipa
    krb5_store_password_if_offline = True
    ipa_server = _srv_
    ldap_tls_cacert = /etc/ipa/ca.crt
    krb5_realm = SFMC.CO
    krb5_changepw_principle = kadmin/changepw
    krb5_auth_timeout = 15
    ipa_hostname = vm3118.dev.ca1.sfmc.co

--
Terry Soucy - Systems Engineer
Salesforce MarketingCloud - http://www.salesforce.com
(o) 506.631.7445 (c) 506.609.3247 | (e) tso...@salesforce.com