And here is my SSSD debug log from the client side: http://pastebin.com/ud2q3FR5
On Sat, Apr 30, 2016 at 10:06 AM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi
>
> Adding this.
>
> In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed at this
> specific external group (where these users are).
>
> But while checking the rule from the IPA server using hbactest, both users'
> tests pass and show one rule. But in actual fact only ben is able to log in
> to the client machine, while jude cannot.
>
> [root@freeipa ~]# ipa hbactest --user b...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: test_admins
> Not matched rules: ad_can_login
> Not matched rules: local_admin_can_login
> [root@freeipa ~]# ipa hbactest --user j...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: test_admins
> Not matched rules: ad_can_login
> Not matched rules: local_admin_can_login
>
> So my HBAC is working partially. How can I fix this?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> Surprisingly, I have created some local IPA users and added them to the same HBAC
>> rule, removed the AD group, and applied this rule to the client, and that
>> worked.
>>
>> How can I make this AD group with HBAC work?
>>
>> Regards,
>> Ben
>>
>> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>
>>> Hi
>>>
>>> If I disable the allow_all rule, I cannot log in to the client machine.
>>>
>>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> Actually I have added Domain Admins, and the user ben is not part of
>>>> Domain Admins. But when I log in to the client machine, I am getting the below:
>>>>
>>>> -sh-4.2$ id
>>>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>>>
>>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> While explaining here it went wrong. Actually what I did is:
>>>>> "Added external group to POSIX group"
>>>>>
>>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>>
>>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>>> > Hi,
>>>>>> >
>>>>>> > "The other is that the groups might not show up on the client (do they?)"
>>>>>>
>>>>>> id $user.
>>>>>>
>>>>>> But I think Alexander noticed the root cause.
>>>>>>
>>>>>> >
>>>>>> > How can I check that?
>>>>>> >
>>>>>> > Thanks
>>>>>> > Ben
>>>>>> >
>>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>>> >
>>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>>> > > > Hi List,
>>>>>> > > >
>>>>>> > > > I have a working setup of one AD, one IPA server and one client
>>>>>> > > > server. By default I can log in to the client server using an AD username.
>>>>>> > > >
>>>>>> > > > I want to apply HBAC rules against this client server. For that I have
>>>>>> > > > done the steps below.
>>>>>> > > >
>>>>>> > > > 1. Created an external group in the IPA server
>>>>>> > > > 2. Created a local POSIX group in the IPA server
>>>>>> > > > 3. Added the AD group to the external group
>>>>>> > > > 4. Added the POSIX group to the external group.
>>>>>> > > >
>>>>>> > > > After that I have created an HBAC rule by adding both the local and
>>>>>> > > > external IPA groups, added sshd as service and selected the service group
>>>>>> > > > sudo.
>>>>>> > > >
>>>>>> > > > I have applied this HBAC rule to the client server from the web UI, and while
>>>>>> > > > testing HBAC from the web, I am getting access denied.
>>>>>> > >
>>>>>> > > Sorry, not enough info.
>>>>>> > >
>>>>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>>>>> > > The other is that the groups might not show up on the client (do they?)
>>>>>> > >
>>>>>> > > Anyway, it might be a good idea to follow
>>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
>>>>>> > >
>>>>>> > > --
>>>>>> > > Manage your subscription for the Freeipa-users mailing list:
>>>>>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> > > Go to http://freeipa.org for more info on the project
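As an added example (not code from the thread or from the FreeIPA project), the following script wires an AD group into an IPA HBAC rule in the membership direction the thread converges on (external group as a member of the POSIX group, the POSIX group referenced by the rule), evaluates the rule with hbactest on the server, and runs Jakub's `id $user` check on the client. All group, rule, host and user names are assumptions; the `ipa` subcommands and options are the standard ones from the FreeIPA CLI.

```shell
#!/bin/sh
# Added example, not from the thread: wire an AD group into a FreeIPA HBAC rule
# and verify it on both the server and the client.
# Every name below is an assumption; replace it with your own.
AD_GROUP='KWTTESTDC\ad_admins'     # AD group in DOMAIN\name form (assumed)
EXT_GROUP='ad_admins_external'     # IPA external (non-POSIX) group (assumed)
POSIX_GROUP='ad_admins'            # IPA POSIX group the HBAC rule references (assumed)
RULE='ad_can_login'                # HBAC rule name (assumed)
CLIENT='client.example.com'        # enrolled IPA client (assumed)
TEST_USER='ben@example.com'        # AD user to evaluate, user@AD-domain form (assumed)

# run: execute the command, or only print it when IPA_DRY_RUN=1 or the
# command is not installed here, so the script can be previewed anywhere.
run() {
    if [ "${IPA_DRY_RUN:-0}" = 1 ] || ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\n' "dry-run: $*"
    else
        "$@"
    fi
}

setup_hbac_for_ad_group() {
    # 1. External group: the only kind of IPA group that can hold an AD member.
    run ipa group-add --external "$EXT_GROUP"
    run ipa group-add-member "$EXT_GROUP" --external "$AD_GROUP"
    # 2. POSIX group: the external group is a member OF it, not the other way
    #    round. HBAC rules should reference this POSIX group.
    run ipa group-add "$POSIX_GROUP"
    run ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
    # 3. HBAC rule scoped to that group, the client host and the sshd service.
    run ipa hbacrule-add "$RULE"
    run ipa hbacrule-add-user "$RULE" --groups "$POSIX_GROUP"
    run ipa hbacrule-add-host "$RULE" --hosts "$CLIENT"
    run ipa hbacrule-add-service "$RULE" --hbacsvcs sshd
    # 4. Evaluate on the server. This consults the IPA directory directly and
    #    says nothing about what the client's SSSD cache currently believes.
    run ipa hbactest --user "$TEST_USER" --host "$CLIENT" --service sshd
}

# Client-side checks to run on $CLIENT when hbactest passes but login fails:
# confirm the user resolves with the POSIX group in its group list, flush
# SSSD's cache, and resolve again.
client_checks() {
    run id "$TEST_USER"
    run sss_cache -E
    run id "$TEST_USER"
}

case "${1:-}" in
    apply)   setup_hbac_for_ad_group ;;
    preview) IPA_DRY_RUN=1; export IPA_DRY_RUN; setup_hbac_for_ad_group ;;
    client)  client_checks ;;
esac
```

`sh hbac_ad_group.sh preview` prints the command sequence on any machine; `apply` needs an admin Kerberos ticket on an IPA server; `client` is meant for the enrolled client. The point of the two `id` calls is the one Jakub raises in the thread: hbactest evaluates the rule against the server's directory, while the client decides from the group list SSSD resolved for the user, so if the POSIX group is missing from `id` output on the client the rule cannot match there even though hbactest grants access.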