> On 11 Apr 2018, at 17:26, a.miroshniche...@rtk-dc.ru wrote:
> 
> Hi,
> 
> We have an AD-trusted FreeIPA environment.
> I installed sssd-1.16.1 on IPA servers and client hosts.
> The POSIX user group "ad_app_admins" is mapped to app-admins@ADTrustedDomain.
> Sometimes an AD user fails to log in on hosts. sssd cannot see the mapping. AD user 
> groups show correctly for the user, but the POSIX user group is lost.
> 
> When login success:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_eval_user_element] (0x0200): Skipping non-IPA group 
> name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
> ...
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_eval_user_element] (0x0200): Skipping non-IPA group 
> name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user 
> [ADuser]
> 
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         RULE [allow_admin_mgmt_hosts] 
> [ENABLED]:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         services:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 services_names:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                         [sshd]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 services_groups 
> (none)
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         users:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 users_names (none)
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 users_groups:
> ...
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                         
> [ad_app_admins]
> ...
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         targethosts:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 targethosts_names 
> (none)
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 targethosts_groups:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                         
> [admin-mng-hosts]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         srchosts:
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_evaluate] (0x0100): ALLOWED by rule [allow_admin_mgmt_hosts].
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [hbac_evaluate] (0x0100): hbac_evaluate() >]
> sssd_ipa.domain.log:(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] 
> [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule 
> [allow_admin_mgmt_hosts]
> 
> ========================================================
> 
> When login failed:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]

OK, here the user is missing one group membership.

But I’m not sure how to help you with this limited log snippet. Did you observe 
some pattern that could help us reproduce the issue locally? Can you share the 
log files?

> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_eval_user_element] (0x0200): Skipping non-IPA group 
> name=group1@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
> ...
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_eval_user_element] (0x0200): Skipping non-IPA group 
> name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
>                                    <----- There is no message "Added group 
> [ad_app_admins] for user [ADuser]" 
> 
> 
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         RULE [allow_admin_mgmt_hosts] 
> [ENABLED]:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         services:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 services_names:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                         [sshd]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 services_groups 
> (none)
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         users:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 users_names (none)
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 users_groups:
> ...
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                         
> [ad_app_admins]
> ...
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         targethosts:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 targethosts_names 
> (none)
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 targethosts_groups:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                         
> [admin-mng-hosts]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_debug_print] (0x2000):         srchosts:
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [hbac_evaluate] (0x0100): The rule [allow_admin_mgmt_hosts] did not match.
> 
> sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] 
> [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
> 
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
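As an added example, not code from the thread or from sssd itself: a small Python checker that walks sssd_ipa.domain.log debug lines like those quoted above, groups them per HBAC evaluation, and reports evaluations where an external AD group was skipped but its mapped IPA POSIX group was never added, which is exactly what distinguishes the failed login from the successful one. The sample log lines and the external-to-POSIX mapping dict are constructed for the example.

```python
import re
# Constructed sample modelled on the thread's sssd_ipa.domain.log excerpts
# (same timestamps, user and group names; one granted and one denied evaluation).
SAMPLE_LOG = """\
(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [16] groups for [ADuser@ADTrustedDomain]
(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): Added group [ad_app_admins] for user [ADuser]
(Wed Apr 11 15:05:36 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_admin_mgmt_hosts]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x1000): [15] groups for [ADuser@ADTrustedDomain]
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=app-admins@ADTrustedDomain,cn=groups,cn=ADTrustedDomain,cn=sysdb
sssd_ipa.domain.log:(Wed Apr 11 14:15:09 2018) [sssd[be[ipa.domain]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
"""
# Optional "file.log:" grep prefix, then the sssd debug-line layout shown in the thread.
LINE_RE = re.compile(r"^(?:\S+:)?\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] "
                     r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
COUNT_RE = re.compile(r"^\[(\d+)\] groups for \[([^\]]+)\]$")
SKIP_RE = re.compile(r"^Skipping non-IPA group name=([^,]+),")
ADDED_RE = re.compile(r"^Added group \[([^\]]+)\] for user \[([^\]]+)\]$")

def parse_evaluations(log_text):
    """One record per HBAC evaluation, keyed by the debug-line timestamp."""
    evals = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = evals.setdefault(m["ts"], {"user": None, "count": None, "external": set(),
                                        "posix": set(), "verdict": None})
        msg = m["msg"]
        c, s, a = COUNT_RE.match(msg), SKIP_RE.match(msg), ADDED_RE.match(msg)
        if c:
            ev["count"], ev["user"] = int(c[1]), c[2]
        elif s:
            ev["external"].add(s[1])   # AD group sssd skipped as non-IPA
        elif a:
            ev["posix"].add(a[1])      # IPA POSIX group resolved from external membership
        elif msg.startswith("Access "):
            ev["verdict"] = msg.split()[1]   # "granted" or "denied"
    return evals

def find_lost_mappings(evals, mapping):
    """Evaluations where an external group was seen but its mapped POSIX group never appeared."""
    lost = []
    for ts, ev in evals.items():
        for ext, posix in mapping.items():
            if ext in ev["external"] and posix not in ev["posix"]:
                lost.append({"ts": ts, "user": ev["user"], "count": ev["count"],
                             "external": ext, "missing": posix, "verdict": ev["verdict"]})
    return lost
```

Run against a full debug_level 9 log, the findings give the timestamps to correlate with sssd's cache refresh and trust lookups when asking the list for help.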