Hi, we have an AD-trusted FreeIPA environment. I installed sssd-1.16.1 on the IPA servers and client hosts. The POSIX user group "ad_app_admins" is mapped to app-admins@ADTrustedDomain. Sometimes an AD user fails to log in on hosts; sssd cannot see the mapping. The AD user's groups show correctly for the user, but the POSIX user group is lost.
When login succeeds:

sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user [ADuser]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): RULE [allow_admin_mgmt_hosts] [ENABLED]:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): services:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): services_names:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): [sshd]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): services_groups (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): users:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): users_names (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): users_groups:
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): [ad_app_admins]
...
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): targethosts:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): targethosts_names (none)
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): targethosts_groups:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): [admin-mng-hosts]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): srchosts:
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): ALLOWED by rule [allow_admin_mgmt_hosts].
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_admin_mgmt_hosts]

========================================================

When login fails:

sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb   <----- There is no message "Added group [ad_app_admins] for user [ADuser]"
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): RULE [allow_admin_mgmt_hosts] [ENABLED]:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): services:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): services_names:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): [sshd]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): services_groups (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): users:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): users_names (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): users_groups:
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): [ad_app_admins]
...
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): targethosts:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): targethosts_names (none)
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): targethosts_groups:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): [admin-mng-hosts]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_debug_print] (0x2000): srchosts:
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_evaluate] (0x0100): The rule [allow_admin_mgmt_hosts] did not match.
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
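As an added example (not from the post or from the sssd project), a small Python checker that reads the hbac_eval_user_element / hbac_rule_*_debug_print lines of the kind shown above and flags the post's symptom: an HBAC rule requires an IPA POSIX group, the user's external AD groups were seen, but no "Added group" line resolved them into that POSIX group. The line() helper and the two traces are constructed here to mirror the post's success and failure cases.

```python
import re

# Line shape quoted in the post: optional "file:" grep prefix, then (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE_RE = re.compile(r"^(?:\S+:)?\([^)]+\) \[sssd\[be\[[^\]]+\]\]\] \[(\w+)\] \(0x[0-9a-fA-F]+\): (.*)$")
SKIP_RE = re.compile(r"Skipping non-IPA group name=([^,]+),")
ADDED_RE = re.compile(r"Added group \[([^\]]+)\] for user \[[^\]]+\]")
RESULT_RE = re.compile(r"Access (granted|denied) by HBAC rule")

def analyze_hbac_trace(lines):
    """Summarise one HBAC evaluation: AD groups skipped, POSIX groups resolved, groups the rule wants, outcome."""
    external, posix, rule_groups, result = [], [], [], None
    in_users_groups = False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "..." separators and anything that is not a backend log line
        fn, msg = m.group(1), m.group(2)
        if fn == "hbac_eval_user_element":
            s, a = SKIP_RE.search(msg), ADDED_RE.search(msg)
            if s:
                external.append(s.group(1))
            elif a:
                posix.append(a.group(1))
        elif fn == "hbac_rule_element_debug_print":
            if msg == "users_groups:":
                in_users_groups = True  # the "[name]" lines that follow are the rule's user groups
            elif in_users_groups and msg.startswith("[") and msg.endswith("]"):
                rule_groups.append(msg[1:-1])
            else:
                in_users_groups = False
        elif fn == "hbac_rule_debug_print":
            in_users_groups = False  # next section of the rule dump (targethosts, srchosts, ...)
        elif fn == "ipa_hbac_evaluate_rules" and (r := RESULT_RE.search(msg)):
            result = r.group(1)
    missing = [g for g in rule_groups if g not in posix]  # required by the rule, never resolved
    return {"external": external, "posix": posix, "rule_groups": rule_groups, "result": result,
            "missing": missing, "lost_mapping": bool(external and missing)}  # the post's symptom

def line(fn, msg):  # constructed log line in the same shape as the post's grep output
    return f"sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [{fn}] (0x1000): {msg}"

SKIP = "Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb"
RULE = [line("hbac_rule_debug_print", "users:"), line("hbac_rule_element_debug_print", "users_groups:"),
        line("hbac_rule_element_debug_print", "[ad_app_admins]"), line("hbac_rule_debug_print", "targethosts:")]
SUCCESS_TRACE = [line("hbac_eval_user_element", SKIP),
                 line("hbac_eval_user_element", "Added group [ad_app_admins] for user [ADuser]")] + RULE + [
                 line("ipa_hbac_evaluate_rules", "Access granted by HBAC rule [allow_admin_mgmt_hosts]")]
FAILED_TRACE = [line("hbac_eval_user_element", SKIP)] + RULE + [
                line("ipa_hbac_evaluate_rules", "Access denied by HBAC rules")]
```

Run it over a real sssd_<domain>.log slice (debug_level 9 or higher, as in the post) for one login; a "lost_mapping" of True points at the external-group-to-POSIX-group resolution step rather than at the HBAC rule itself.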