On Tue, Nov 24, 2015 at 10:25:11AM +0100, Winfried de Heiden wrote: > Hi all, > > sss_debuglevel 6; in /var/log/sss/sssd_pam.log > > Running as "testuser" crond is denied; perfecr since it is not listed in > the HBAC services. > > [testuser@fedora23-server ~]$ crontab -l > You (testuser) are not allowed to access to (crontab) because of pam > configuration. > > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [accept_fd_handler] (0x0400): > Client connected! > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): > Received client version [3]. > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_cmd_get_version] (0x0200): > Offered version [3]. > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): > entering pam_cmd_acct_mgmt > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_parse_name_for_domains] > (0x0200): name 'testuser' matched without domain, user is testuser > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): command: > SSS_PAM_ACCT_MGMT > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: > not set > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): user: > testuser > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): service: > crond > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: > cron > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: > not set > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 1910 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): logon > name: testuser > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_dp_issue_request] (0x0400): > Issuing request for [[1]0x561eb0a4b2e0:3:[email protected]] > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): > Creating request for > [blabla.bla][0x3][BE_REQ_INITGROUPS][1][name=testuser] > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_dp_internal_get_send] > (0x0400): Entering request [[2]0x561eb0a4b2e0:3:[email protected]] > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_check_user_search] (0x0100): > Requesting info for [[3][email protected]] > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_check_user_search] (0x0400): > Returning info for user [[4][email protected]] > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending > request with the following data: > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): command: > SSS_PAM_ACCT_MGMT > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: > blabla.bla > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): user: > testuser > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): service: > crond > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: > cron > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: > not set > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: > not set > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok > type: 0 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): > newauthtok type: 0 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 0 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 1910 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_print_data] (0x0100): logon > name: testuser > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): > pam_dp_send_req returned 0 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [sss_dp_req_destructor] (0x0400): > Deleting request: [[5]0x561eb0a4b2e0:3:[email protected]] > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_dp_process_reply] (0x0200): > received: [6 (Permission denied)][blabla.bla] > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply > called with result [6]: Permission denied. > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 27 > (Tue Nov 24 09:54:58 2015) [sssd[pam]] [client_recv] (0x0200): Client > disconnected! > > Now, using su or su - does not show anything in de sssd logs, it looks > like the su service is not using sssd. What could be wrong?
Are you running su as an ordinary user or root? What does appear in /var/log/secure when you run su ? Can you show what is the /etc/pam.d/su config and the config of the service that is included from /etc/pam.d/su ? (typically system-auth) > > forgot to mention; allow_all is disabled, checked that 100 times... > > Kind regards, > > Winny > > Op 23-11-15 om 17:16 schreef Jakub Hrozek: > > On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote: > > Hi all, > > I created some hbac rule on freeipa-server 4.1.4 on Fedora 22 > > # ipa hbacrule-show testuser > Rule name: testuser > Enabled: TRUE > Users: testuser > Hosts: fedora23-server.blabla.bla > Services: sshd > > Hence, " testuser" is only allowed using sshd on "fedora23-server". No > surprise, this user is not allowed to use "su": > > # ipa hbactest --user testuser --host fedora23-server.blabla.bla --service > su > --------------------- > Access granted: False > > (and yeah sshd is allowed) > > However, doing a "su" on the fedora23-server.blabla.bla, and giving the > correct password, access is granted. This user is not a member of any > other groups. > HBAC Services like cron or console access are denied correctly since they > are not in the HBAC service list. > > I noticed this behaviour also on IPA 4.1 (The Red Hat one) and several > other ipa-clients (RHEL/CentoOS 6.x, 7.x) > > Shouldn't su or su -l be denied when not listed? > > Yes, and in my testing with a similar rule: > > $ ipa hbacrule-show allow_sshd > Rule name: allow_sshd > Enabled: TRUE > Users: admin > Hosts: client.ipa.test > Services: sshd > > admin can ssh to client.ipa.test but it's not possible to su to admin. > > Please follow [6]https://fedorahosted.org/sssd/wiki/Troubleshooting and check > /var/log/secure and the sssd logs. > > Also, you're not calling su as root, are you? > > References > > Visible links > 1. mailto:0x561eb0a4b2e0:3:[email protected] > 2. mailto:0x561eb0a4b2e0:3:[email protected] > 3. mailto:[email protected] > 4. mailto:[email protected] > 5. mailto:0x561eb0a4b2e0:3:[email protected] > 6. https://fedorahosted.org/sssd/wiki/Troubleshooting -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
