Finn Fysj via FreeIPA-users wrote:
>> I'm setting up a server + replica and I've migrated data from an old IPA server
>> using ipa migrate-ds.
>> I experience problems with SSH into my IPA servers, even though I have HBAC
>> rules to allow this:
>>
>>
>> $ ssh test_alice@ipa-test.example.com -i test_alice
>> Connection closed by 192.168.10.24 port 22
>>
>> $ ssh test_alice@ipa-test.example.com
>> (test_alice@ipa-test.example.com) Password:
>>
>> [usr@ipa-test ~]$ ipa hbactest --user=test_alice --host=ipa-test.example.com --service=ssh
>> --------------------
>> Access granted: True
>> --------------------
>>   Matched rules: allow_alice
>>   
>>   
>> [usr@ipa-test ~]$ ipa hbacrule-find test_alice --all
>> -------------------
>> 1 HBAC rule matched
>> -------------------
>>   dn: ipaUniqueID=20f8f500-73d8-11ee-ac02-020017010d22,cn=hbac,dc=example,dc=com
>>   Rule name: allow_alice
>>   Host category: all
>>   Service category: all
>>   Enabled: True
>>   Users: test_alice
>>   accessruletype: allow
>>   
>>
>> [usr@ipa-test ~]$ ipa user-find test_alice --all
>> --------------
>> 1 user matched
>> --------------
>>   dn: uid=test_alice,cn=users,cn=accounts,dc=example,dc=com
>>   User login: test_alice
>>   First name: Alice
>>   Last name: Test
>>   Full name: Alice Test
>>   Display name: Alice Test
>>   Initials: AT
>>   Home directory: /home/test_alice
>>   GECOS: Alice Test
>>   Login shell: /bin/sh
>>   Principal name: test_alice@EXAMPLE.COM
>>   Principal alias: test_alice@EXAMPLE.COM
>>   Email address: test_alice@example.com
>>   UID: 5002
>>   GID: 5002
>>   SSH public key: ssh-rsa
>>                   AAAAB3N...........
>>                   test_alice
>>
>>
>>
>> Previously using FreeIPA I have been able to find "denying access" in log files
>> because of not matching HBAC rules. Now I can't find any trace of this, even with
>> debug_level = 10 in /etc/sssd/sssd.conf (domain, ssh, pam, sssd section).
> 
> Turns out I have Anonymous Permissions that mess this up.
> Removing the following permissions I can successfully SSH using test_alice:
> $ ipa permission-find Anonymous
>   Permission name: Anonymous Group
>   Granted rights: read, search
>   Effective attributes: member, memberof
>   Bind rule type: anonymous
>   Subtree: dc=example,dc=com
>   Permission flags: SYSTEM, V2
> 
>   Permission name: Anonymous User
>   Granted rights: read, search
>   Effective attributes: memberof
>   Bind rule type: anonymous
>   Subtree: dc=example,dc=com
>   Permission flags: SYSTEM, V2
> 
> 
> I have a third one, but that isn't causing issues:
>   Permission name: Anonymous PubKey
>   Granted rights: read
>   Effective attributes: ipasshpubkey
>   Bind rule type: anonymous
>   Subtree: dc=example,dc=com
>   Permission flags: SYSTEM, V2

Seems unlikely that anonymous ACIs would prevent HBAC from working.
Especially ACIs that don't apply to the bound dn.

These ACIs also apply very broadly across the server. For example, the
user and group ACIs overlap with memberof. You probably want to use a
different subtree, say the user container for the first and last, and
the group container for that one.

rob
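The narrowing Rob suggests can be audited before anyone touches the ACIs. The following script is an added example for this thread, not code from either poster or from the FreeIPA project: it parses the text output of `ipa permission-find --bindtype=anonymous --all` (the embedded SAMPLE is constructed to mirror the three entries quoted above), flags every anonymous permission whose Subtree is the bare base DN, and proposes the group container where the ACI exposes `member` and the user container otherwise. The container DNs assume the stock FreeIPA layout (cn=users and cn=groups under cn=accounts), and the `ipa permission-mod ... --subtree=` lines it prints assume that CLI syntax; confirm with `ipa permission-mod --help` on the server.

```python
"""Audit anonymous FreeIPA permissions scoped to the whole base DN.

Added example for the thread above; not code from the list posters or
from the FreeIPA project. Reads `ipa permission-find` text output from
stdin when piped, otherwise runs against the constructed SAMPLE.
"""
import re
import sys

BASE_DN = "dc=example,dc=com"  # constructed, matches the thread

# Constructed sample in the shape of `ipa permission-find` text output,
# mirroring the three entries quoted in the thread.
SAMPLE = """\
---------------------
3 permissions matched
---------------------
  Permission name: Anonymous Group
  Granted rights: read, search
  Effective attributes: member, memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous User
  Granted rights: read, search
  Effective attributes: memberof
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2

  Permission name: Anonymous PubKey
  Granted rights: read
  Effective attributes: ipasshpubkey
  Bind rule type: anonymous
  Subtree: dc=example,dc=com
  Permission flags: SYSTEM, V2
----------------------------
Number of entries returned 3
----------------------------
"""

# "Key: value" field lines; separator rules and count lines do not match.
LINE_RE = re.compile(r"\s*([A-Za-z ]+): ?(.*)$")


def parse_permissions(text):
    """Split `ipa permission-find` text output into one dict per entry."""
    perms, cur = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Permission name":
            cur = {"name": val}
            perms.append(cur)
        elif cur is not None:
            cur[key] = val
    return perms


def split_attrs(value):
    """'member, memberof' -> ['member', 'memberof'] (lower-cased)."""
    return [a.strip().lower() for a in value.split(",") if a.strip()]


def proposed_subtree(attrs, base_dn):
    """Pick the container that holds the exposed attributes.

    Assumption, following the reply in the thread: `member` only lives on
    group entries, so that ACI goes under cn=groups; `memberof` and
    `ipasshpubkey` are what clients read about users, so those go under
    cn=users. Container names assume the stock FreeIPA DIT.
    """
    container = "cn=groups,cn=accounts" if "member" in attrs else "cn=users,cn=accounts"
    return f"{container},{base_dn}"


def audit_anonymous(text, base_dn=BASE_DN):
    """Return (name, attrs, proposed_subtree) for each anonymous permission
    whose Subtree is exactly the base DN; already-narrowed ones are skipped."""
    findings = []
    for p in parse_permissions(text):
        if p.get("Bind rule type", "").lower() != "anonymous":
            continue
        if p.get("Subtree", "").replace(" ", "").lower() != base_dn.lower():
            continue
        attrs = split_attrs(p.get("Effective attributes", ""))
        findings.append((p["name"], attrs, proposed_subtree(attrs, base_dn)))
    return findings


def mod_commands(findings):
    """Render each finding as an `ipa permission-mod` call (assumed syntax;
    verify with `ipa permission-mod --help` before running)."""
    return [f'ipa permission-mod "{name}" --subtree="{subtree}"'
            for name, _attrs, subtree in findings]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    findings = audit_anonymous(text)
    for name, attrs, subtree in findings:
        print(f"{name}: {', '.join(attrs)} readable anonymously from the base DN; "
              f"propose {subtree}")
    print("\n".join(mod_commands(findings)))
```

On a real server run it as `ipa permission-find --bindtype=anonymous --all | python3 audit_anon.py` and review the proposals rather than applying them blindly: `memberof` exists on both user and group entries, so after narrowing the "Anonymous User" ACI to cn=users no anonymous client can read group nesting any more, and the entries above carry the SYSTEM flag, which the `ipa` CLI may refuse to modify in place; in that case re-create the permission with `ipa permission-add` at the narrower subtree instead.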