On 18/09/2023 14:19, Ole Froslie via FreeIPA-users wrote:
> Scenario 2:
> User: test2 is not a member of testusergroup anymore and should not be granted
> access to the test server.
> This also works as expected: when logging in with the correct password, test2 is denied
> service with the message "Connection closed by ...."
> This is great, but I would like to see this happening in the log.
> The log looks like this:
>
> [...]
>
> In this log, I see the same AS_REQ as expected with no failure, since I am
> using the correct password, and the same kind of TGS_REQ.
>
> My question is:
> When FreeIPA is handling the service authorization through the use of HBAC
> rules, why does it issue a similar TGS?
> Or is it different?
> How does the actual authorization fail between the client and the
> server/service itself?
> Is it the content of the TGS?

Kerberos deals with the question of authentication: determining the identity of a client.

HBAC deals with the question of authorization: is the client allowed to SSH into a server?

> I know I can see the failed login in the logs of the server itself, but I would
> like to see everything that goes on in the FreeIPA logs.

It's up to SSSD, running on the server itself, to evaluate HBAC rules. So any messages logged when HBAC denies access by a client to a server have to be logged on the server itself.

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
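To illustrate the split Sam describes (the KDC authenticates and issues a TGS regardless; SSSD on the target host decides authorization from HBAC rule membership), here is an added toy HBAC evaluator, not code from the thread or from SSSD/FreeIPA. The rule, hostname and group data are constructed to mirror the scenario: test2 has been removed from testusergroup, so the only allow rule no longer matches and SSH is denied even though the ticket was valid.

```python
"""Toy evaluator for FreeIPA-style HBAC rules (allow-only, any match grants).

Constructed data mirroring the thread's scenario; an approximation of the
logic SSSD applies on the server, not the real implementation.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)        # direct user members
    usergroups: set = field(default_factory=set)   # user group members
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    usercat_all: bool = False                      # "user category: all"
    hostcat_all: bool = False
    servicecat_all: bool = False


# Constructed directory state. Group membership is the only thing that changed
# between the two scenarios: test2 is no longer in testusergroup.
USER_GROUPS = {"test1": {"testusergroup"}, "test2": set()}
HOST_GROUPS = {"testserver.example.test": {"testhostgroup"}}  # hypothetical host

RULES = [
    Rule("allow_test_ssh", usergroups={"testusergroup"},
         hostgroups={"testhostgroup"}, services={"sshd"}),
]


def _matches(rule, user, host, service):
    user_ok = (rule.usercat_all or user in rule.users
               or bool(USER_GROUPS.get(user, set()) & rule.usergroups))
    host_ok = (rule.hostcat_all or host in rule.hosts
               or bool(HOST_GROUPS.get(host, set()) & rule.hostgroups))
    svc_ok = rule.servicecat_all or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_allowed(user, host, service, rules=RULES):
    """Return (decision, name of the first matching enabled rule or None).

    Authentication is assumed to have already succeeded (valid TGS); this
    function decides authorization only, as SSSD does on the server."""
    for rule in rules:
        if rule.enabled and _matches(rule, user, host, service):
            return True, rule.name
    return False, None


if __name__ == "__main__":
    for u in ("test1", "test2"):
        ok, why = hbac_allowed(u, "testserver.example.test", "sshd")
        print(f"{u}: {'allowed' if ok else 'denied'} (rule: {why})")
```

Because the decision is taken on the host, the denial is recorded in that host's SSSD and sshd logs rather than in the KDC log; on the IPA server, `ipa hbactest --user test2 --host <server> --service sshd` reproduces the same evaluation against the live rules.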
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]