FreeIPA PAM account configuration

schkrat
Posts: 2
Joined: 2015/02/26 08:00:10

FreeIPA PAM account configuration

Post by schkrat » 2015/02/26 09:20:36

Hello,

I have a FreeIPA server connected to a Windows AD server. Here is some environment data:

freeipaad.schkrat.local (Active Directory , DNS MS Windows Server 2012 R2 Datacenter Evaluation x64)
ipaserver.schkrat.ipa (FreeIPA server, CentOS release 6.6 (Final) x64)

IPA version components:
sssd-ipa-1.11.6-30.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.11.6-30.el6.x86_64
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-server-trust-ad-3.0.0-42.el6.centos.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-python-3.0.0-42.el6.centos.x86_64
libipa_hbac-1.11.6-30.el6.x86_64

HBAC test works:
ipa hbactest --user=wintest --host=ipbclient.schkrat.ipa --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: access_all


We have a valid TRUST with AD:
ipa hbactest --user=wintest --host=ipbclient.schkrat.ipa --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: access_all

The problem is that when an HBAC rule is set so that under "Who" we select a Windows user, SSH stops working:

Before HBAC:
Feb 17 08:21:07 ipbclient sshd[30058]: Accepted password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34719 ssh2
Feb 17 08:21:07 ipbclient sshd[30058]: pam_unix(sshd:session): session opened for user wintest@SCHKRAT.LOCAL by (uid=0)

After HBAC:
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL: 6 (Permission denied)
Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2
Feb 17 08:21:55 ipbclient sshd[30091]: fatal: Access denied for user wintest@SCHKRAT.LOCAL by PAM account configuration


So what am I missing?
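The two log excerpts in the post show the distinction that matters when triaging this kind of failure: in the second attempt `pam_sss(sshd:auth)` reports "authentication success" (the AD password was accepted), and the rejection comes from the PAM account phase (`pam_sss(sshd:account): Access denied`, followed by sshd's "fatal: Access denied ... by PAM account configuration"). The "Failed password" line that sshd emits afterwards is therefore misleading; the credentials were fine and it is the HBAC evaluation on the client that refused the login. The script below is an added example (not part of the original post and not FreeIPA or SSSD code) that groups sshd/PAM syslog lines by sshd PID and reports, per login attempt, whether it succeeded, failed on credentials, or was authenticated and then denied in the account phase. The sample log is constructed: it reuses the six lines from the post and adds two invented lines (PID 30120) for a genuine wrong-password attempt.

```python
"""Triage sshd/PAM log lines: tell real credential failures apart from logins
that authenticated but were refused in the PAM account phase (pam_sss / HBAC).
Added example for the thread above; not FreeIPA or SSSD code."""
import re
from collections import defaultdict

# Constructed sample: the six lines from the post plus two invented lines
# (PID 30120) showing what a real wrong-password attempt looks like.
SAMPLE_LOG = """\
Feb 17 08:21:07 ipbclient sshd[30058]: Accepted password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34719 ssh2
Feb 17 08:21:07 ipbclient sshd[30058]: pam_unix(sshd:session): session opened for user wintest@SCHKRAT.LOCAL by (uid=0)
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:21:55 ipbclient sshd[30089]: pam_sss(sshd:account): Access denied for user wintest@SCHKRAT.LOCAL: 6 (Permission denied)
Feb 17 08:21:55 ipbclient sshd[30089]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34733 ssh2
Feb 17 08:21:55 ipbclient sshd[30091]: fatal: Access denied for user wintest@SCHKRAT.LOCAL by PAM account configuration
Feb 17 08:25:01 ipbclient sshd[30120]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.13.40.233 user=wintest@SCHKRAT.LOCAL
Feb 17 08:25:01 ipbclient sshd[30120]: Failed password for wintest@SCHKRAT.LOCAL from 10.13.40.233 port 34800 ssh2
"""

# Classic syslog layout: "Mon DD HH:MM:SS host sshd[PID]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Pulls the principal out of "for user X:", "for X from", or "user=X".
USER_RE = re.compile(r"(?:for user |user=|for )(?P<user>\S+?)(?::|\s|$)")


def parse(log_text):
    """Group message bodies by sshd PID and remember the first user seen per PID."""
    sessions = defaultdict(lambda: {"user": None, "msgs": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; ignore
        s = sessions[m["pid"]]
        s["msgs"].append(m["msg"])
        if s["user"] is None:
            u = USER_RE.search(m["msg"])
            if u:
                s["user"] = u["user"]
    return sessions


def verdict(msgs):
    """Classify one sshd process's messages. Order matters: an account-phase
    denial is checked before 'Failed password', because sshd logs the latter
    even when the password itself was correct."""
    if any(m.startswith("Accepted ") for m in msgs):
        return "login_ok"
    if any(("pam_sss(sshd:account)" in m and "Access denied" in m)
           or "by PAM account configuration" in m for m in msgs):
        return "denied_by_account"  # credentials accepted, HBAC/account phase refused
    if any("authentication failure" in m or m.startswith("Failed password") for m in msgs):
        return "auth_failed"  # credentials really were rejected
    return "incomplete"


def triage(log_text):
    """Map sshd PID -> {'user': principal, 'verdict': classification}."""
    return {pid: {"user": s["user"], "verdict": verdict(s["msgs"])}
            for pid, s in parse(log_text).items()}


def summarize(log_text):
    """Count attempts per verdict, e.g. {'login_ok': 1, 'denied_by_account': 2, ...}."""
    counts = defaultdict(int)
    for s in triage(log_text).values():
        counts[s["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for pid, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"sshd[{pid}] {info['user']}: {info['verdict']}")
    print(summarize(SAMPLE_LOG))
```

Run it against `/var/log/secure` (or the journal) to separate the two populations quickly. A `denied_by_account` verdict means the password or Kerberos exchange already succeeded, so the next place to look is the client-side HBAC decision, not AD: `ipa hbactest` on the server evaluates the rules straight from LDAP, while the client's `pam_sss` decision is made by SSSD from its own cache of rules and of the user's group memberships, so the two can disagree. Clearing the SSSD cache (`sss_cache -E`, or stopping sssd and removing the cache files) and raising `debug_level` in the `[pam]` and `[domain/...]` sections of `sssd.conf` will show which rules the client actually evaluated for the AD user.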

schkrat
Posts: 2
Joined: 2015/02/26 08:00:10

Re: FreeIPA PAM account configuration

Post by schkrat » 2015/03/03 07:55:25

Sorry, I didn't include the IPA trust with AD:

[root@ipaserver sssd]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: schkrat.local
Domain NetBIOS name: SCHKRAT
Domain Security Identifier: S-1-5-21-957296299-3555775235-3719493031
Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
