I'm setting up a server + replica and I've migrated data from an old IPA server using ipa migrate-ds. I experience problems with SSH into my IPA servers, even though I have HBAC rules to allow this:
$ssh [email protected] -i test_alice
Connection closed by 192.168.10.24 port 22

$ssh [email protected]
([email protected]) Password:

[usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com --service=ssh
--------------------
Access granted: True
--------------------
Matched rules: allow_alice

[usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
-------------------
1 HBAC rule matched
-------------------
dn: ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
Rule name: allow_alice
Host category: all
Service category: all
Enabled: True
Users: test_alice
accessruletype: allow

[usr@ipa-test ~]$ ipa user-find test_alice --all
--------------
1 user matched
--------------
dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
User login: test_alice
First name: Alice
Last name: Test
Full name: Alice Test
Display name: Alice Test
Initials: AT
Home directory: /home/test_alice
GECOS: Alice Test
Login shell: /bin/sh
Principal name: [email protected]
Principal alias: [email protected]
Email address: [email protected]
UID: 5002
GID: 5002
SSH public key: ssh-rsa AAAAB3N........... test_alice

Previously, using FreeIPA, I have been able to find "denying access" in log files because of not matching HBAC rules. Now I can't find any trace of this, even with debug_level = 10 in /etc/sssd/sssd.conf (domain, ssh, pam, sssd sections).

_______________________________________________
FreeIPA-users mailing list -- [email protected]
