Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Jake
Details: 
ipa-client-install --version 
4.2.0 

sssd --version 
1.13.0 

krb5-config --version 
Kerberos 5 release 1.13.2 

cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 

I hope this helps. Also, can I disable the allow-all rule per-host? 

Thanks, 
Jake 


From: "Lachlan Musicman"  
Cc: "freeipa-users"  
Sent: Tuesday, November 1, 2016 7:04:45 PM 
Subject: Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2) 

Jake, 

I've seen this behaviour and am still struggling to find a solution. 

The version of underlying OS and sssd are useful to know fwiw. 

To troubleshoot HBAC: 

- in *target machine* sssd.conf, add debug_level=7 to each stanza (can go as 
high as 9, but I believe 7 will be sufficient) 
- restart sssd 
- clear logs in /var/log/sssd/ either by deleting or by logrotate 
- make an attempt to login/perform allowed action that gets denied 
- read logs to see what happened 
- I like to run `ipa hbactest --user= --host= --service` on the IPA node to 
confirm that the HBAC rules are correct 
- I sometimes also install ipa-tools on the target host and confirm that the 
above command gives same and correct answer 
- note that successful results from this command may not translate to 
successful application of HBAC on the target host in reality. 



cheers 
L. 


-- 
The most dangerous phrase in the language is, "We've always done it this way." 

- Grace Hopper 

On 2 November 2016 at 09:41, Jake <free...@jacobdevans.com> wrote: 



Hey All, 
I'm having some issues tracing HBAC policies; it seems whenever I disable the 
allow_all policy, I'm no longer able to access services I have allowed in my 
more-specific HBAC policy. 

What are the troubleshooting steps (logs) I can run on the client to see what 
is being denied and by what policy? Is this all done with sssd? 

Thank You, 
-Jake 


-- 
Manage your subscription for the Freeipa-users mailing list: 
https://www.redhat.com/mailman/listinfo/freeipa-users 
Go to http://freeipa.org for more info on the project 







Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Lachlan Musicman
Jake,

I've seen this behaviour and am still struggling to find a solution.

The version of underlying OS and sssd are useful to know fwiw.

To troubleshoot HBAC:

 - in *target machine* sssd.conf, add debug_level=7 to each stanza (can go
as high as 9, but I believe 7 will be sufficient)
 - restart sssd
 - clear logs in /var/log/sssd/ either by deleting or by logrotate
 - make an attempt to login/perform allowed action that gets denied
 - read logs to see what happened
 - I like to run `ipa hbactest --user= --host= --service` on the IPA node
to confirm that the HBAC rules are correct
 - I sometimes also install ipa-tools on the target host and confirm that
the above command gives same and correct answer
 - note that successful results from this command may not translate to
successful application of HBAC on the target host in reality.



cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 2 November 2016 at 09:41, Jake  wrote:

> Hey All,
> I'm having some issues tracing HBAC policies; it seems whenever I disable
> the allow_all policy, I'm no longer able to access services I have allowed
> in my more-specific HBAC policy.
>
> What are the troubleshooting steps (logs) I can run on the client to see
> what is being denied and by what policy? Is this all done with sssd?
>
> Thank You,
> -Jake
>
>
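The first two steps of Lachlan's procedure (raise debug_level in every stanza of the target machine's sssd.conf, then restart and clear the logs) are easy to get wrong by hand: a stanza that already has a debug_level line must be rewritten rather than given a second one, and stanzas with no such line each need one added. The script below is an added example written for this thread, not code from the list posters or from the SSSD or FreeIPA projects. It assumes a standard INI-style sssd.conf with `[section]` headers and `key = value` lines, and it only edits the file you pass it; the restart, log-clearing and log-reading steps are shown as commented commands, since those act on a live host.

```shell
#!/bin/sh
# Added example for the troubleshooting steps in this thread (not project code).
# Set debug_level in every [stanza] of an sssd.conf-style file, idempotently:
# stanzas that already carry a debug_level line get it rewritten, stanzas that
# lack one get it inserted directly under the header.
#
# Usage: sssd_set_debug_level /etc/sssd/sssd.conf 7
sssd_set_debug_level() {
    conf="$1"
    level="${2:-7}"          # 7 as suggested in the thread; can go up to 9
    tmp="$conf.tmp.$$"
    # The file is read twice. Pass 1 (NR == FNR) records which stanzas already
    # contain a debug_level line; pass 2 prints the file, inserting a
    # debug_level line after each header whose stanza had none and rewriting
    # existing debug_level lines to the requested level.
    awk -v lvl="$level" '
        NR == FNR {
            if ($0 ~ /^\[.*\]/) { sec = $0 }
            else if ($0 ~ /^[ \t]*debug_level[ \t]*=/) { has[sec] = 1 }
            next
        }
        /^\[.*\]/ {
            print
            sec = $0
            if (!has[sec]) print "debug_level = " lvl
            next
        }
        /^[ \t]*debug_level[ \t]*=/ { print "debug_level = " lvl; next }
        { print }
    ' "$conf" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Count how many stanzas of a file carry a debug_level line at the given level
# (one per stanza when sssd_set_debug_level has been applied).
sssd_count_debug_level() {
    grep -c "^debug_level = $2\$" "$1"
}

# Remaining steps from the thread, run on the target host (commented because
# they touch a live system):
#   sssd_set_debug_level /etc/sssd/sssd.conf 7
#   systemctl stop sssd
#   rm -f /var/log/sssd/*.log          # or rotate them with logrotate
#   systemctl start sssd
#   ... attempt the login that is being denied ...
#   grep -i hbac /var/log/sssd/sssd_*.log   # rule evaluation is logged per domain
```

The two-pass awk avoids the usual one-pass trap where the inserted line lands at the end of the previous stanza (after its trailing blank line) instead of under the header it belongs to. Back up sssd.conf before running it on a real host; the file is replaced in place.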

[Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Jake
Hey All, 
I'm having some issues tracing HBAC policies; it seems whenever I disable the 
allow_all policy, I'm no longer able to access services I have allowed in my 
more-specific HBAC policy. 

What are the troubleshooting steps (logs) I can run on the client to see what 
is being denied and by what policy? Is this all done with sssd? 

Thank You, 
-Jake 
