Details:
ipa-client-install --version
4.2.0
sssd --version
1.13.0
krb5-config --version
Kerberos 5 release 1.13.2
cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
I hope this helps. Also, can I disable the allow-all rule per host?
Thanks,
Jake
From: "Lachlan Musicman"
Cc: "freeipa-users"
Sent: Tuesday, November 1, 2016 7:04:45 PM
Subject: Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)
Jake,
I've seen this behaviour and am still struggling to find a solution.
The version of underlying OS and sssd are useful to know fwiw.
To troubleshoot HBAC:
- in *target machine* sssd.conf, add debug_level=7 to each stanza (can go as
high as 9, but I believe 7 will be sufficient)
- restart sssd
- clear logs in /var/log/sssd/ either by deleting or by logrotate
- make an attempt to log in/perform the allowed action that gets denied
- read logs to see what happened
- I like to run `ipa hbactest --user= --host= --service` on the IPA node to
confirm that the HBAC rules are correct
- I sometimes also install ipa-tools on the target host and confirm that the
above command gives the same and correct answer
- note that successful results from this command may not translate to
successful application of HBAC on the target host in reality.
cheers
L.
--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
On 2 November 2016 at 09:41, Jake <free...@jacobdevans.com> wrote:
Hey All,
I'm having some issues tracing HBAC policies; it seems whenever I disable the
allow_all policy, I'm no longer able to access services I have allowed in my
more-specific HBAC policy.
What are the troubleshooting steps (logs) I can run on the client to see what
is being denied and by what policy? Is this all done with sssd?
Thank You,
-Jake
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
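The client-side steps Lachlan lists (raise debug_level in every sssd.conf stanza, restart sssd, start from empty logs, reproduce the denial, read the logs) as a small script. This is an added example, not code from the thread or from the FreeIPA/SSSD projects; the paths /etc/sssd/sssd.conf and /var/log/sssd and the "denied/granted" wording it greps for are assumptions, so the log filter is deliberately coarse.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed paths: /etc/sssd/sssd.conf and
# /var/log/sssd; the "denied/granted" wording matched below is an assumption
# about sssd's HBAC log text, so the filter is deliberately coarse.
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
SSSD_LOG_DIR="${SSSD_LOG_DIR:-/var/log/sssd}"

# set_debug_level FILE LEVEL: print FILE with "debug_level = LEVEL" directly
# under every [stanza], dropping any debug_level the stanza already had.
set_debug_level() {
    awk -v lvl="$2" '
        /^[[:space:]]*\[.*\][[:space:]]*$/ { print; print "debug_level = " lvl; next }
        /^[[:space:]]*debug_level[[:space:]]*=/ { next }
        { print }
    ' "$1"
}

# hbac_verdicts LOGFILE...: keep only log lines that mention HBAC together with
# an allow/deny outcome, which is what you want to read after reproducing the
# failed login.
hbac_verdicts() {
    grep -ih 'hbac' "$@" | grep -iE 'denied|granted|deny|allow'
}

# apply_and_reproduce LEVEL: the thread's procedure, run as root on the target
# host. sssd.conf must stay mode 0600 or sssd refuses to start.
apply_and_reproduce() {
    cp -p "$SSSD_CONF" "$SSSD_CONF.bak.$(date +%Y%m%d%H%M%S)"
    set_debug_level "$SSSD_CONF" "$1" > "$SSSD_CONF.new"
    mv "$SSSD_CONF.new" "$SSSD_CONF" && chmod 600 "$SSSD_CONF"
    systemctl stop sssd
    rm -f "$SSSD_LOG_DIR"/*.log          # start from empty logs
    systemctl start sssd
    echo "Reproduce the denied login now, then run:"
    echo "  $0 verdicts $SSSD_LOG_DIR/sssd_*.log"
}

case "${1:-}" in
    apply)    apply_and_reproduce "${2:-7}" ;;
    verdicts) shift; hbac_verdicts "$@" ;;
esac
```

Run `./hbac-debug.sh apply 7` on the client, reproduce the failure, then `./hbac-debug.sh verdicts /var/log/sssd/sssd_*.log`; the sssd_<domain>.log lines it prints name the rule (or lack of one) behind the decision.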