[Freeipa-users] Error message when denied by HBAC

Sigbjorn Lie sigbjorn at nixtra.com
Tue Sep 6 19:31:25 UTC 2011


On 09/06/2011 09:08 PM, Stephen Gallagher wrote:
> On Tue, 2011-09-06 at 20:58 +0200, Sigbjorn Lie wrote:
>> On 09/06/2011 08:37 PM, Stephen Gallagher wrote:
>>> On Tue, 2011-09-06 at 20:04 +0200, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> I attempt a login with a user account that's being denied access to the
>>>> host via HBAC, I receive the following generic error message.
>>>>
>>>> Sep  6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): Access denied
>>>> for user username: 4 (System error)
>>>>
>>>>
>>>> Would it be an idea to change this to advise that the user login was
>>>> denied due to HBAC rules? I see this is a bit confusing.
>>> "System error" means that something went wrong with processing. It
>>> defaults to DENY (to be safe), but it's actually an error.
>>>
>>> What version of SSSD are you running on the client? We fixed a fair
>>> number of HBAC bugs in the 1.5.13 release (which is currently in the
>>> updates-testing repos for F14, F15 and F16).
>> sssd-1.5.12-1.fc15.x86_64
>> sssd-client-1.5.12-1.fc15.x86_64
>>
>> I see there's some problems. :)
>>
>> I cannot log in if not exactly the user is mentioned and exactly the host
>> mentioned in the rule. If I attempt to use user groups and host groups
>> in a hbac rule, I receive the error above. Was there a related bug fixed
>> in 1.5.13?
> https://fedorahosted.org/sssd/wiki/Releases/Notes-1.5.13
>
> Yes, there were three HBAC bugs fixed. User groups and host groups now
> work properly. (The other bug was related to groups with no members).
>
> Please try sssd-1.5.13-1.fc15.2 from updates-testing (actually, it looks
> like it hasn't hit the mirrors yet, so wait a day or so).


Ok, thank you. :)

Rgds,
Siggi
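
Added example, not part of the original thread or of SSSD: a small triage script that separates the two outcomes discussed above in pam_sss account-phase log lines, a failed evaluation that defaults to deny (4, System error) versus a deny returned as a policy decision (6, Permission denied). The first sample line is the one quoted in the thread, joined onto one line; the other lines, the code 6 case and all function names are constructed for illustration. The numeric codes are the Linux-PAM values of PAM_SYSTEM_ERR and PAM_PERM_DENIED.

```python
import re
from collections import Counter

# Linux-PAM return codes: 4 = PAM_SYSTEM_ERR, 6 = PAM_PERM_DENIED.
VERDICTS = {
    4: "evaluation_error",  # access check failed to run; denied as a safe default
    6: "policy_deny",       # access check ran and returned a deny
}

LINE_RE = re.compile(
    r"(?P<host>\S+) \w+\[\d+\]: pam_sss\((?P<service>[^:)]+):account\): "
    r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

# Sample input. Line 1 is from the thread; lines 2-4 are constructed.
SAMPLE = [
    "Sep  6 20:02:03 ipa01 sshd[11592]: pam_sss(sshd:account): "
    "Access denied for user username: 4 (System error)",
    "Sep  6 20:05:41 ipa01 sshd[11640]: pam_sss(sshd:account): "
    "Access denied for user alice: 6 (Permission denied)",
    "Sep  6 20:06:10 ipa01 sshd[11655]: pam_sss(sshd:account): "
    "Access denied for user bob: 4 (System error)",
    "Sep  6 20:06:12 ipa01 sshd[11655]: Connection closed by 192.0.2.10",
]


def classify(line):
    """Return host, service, user, code and verdict for a pam_sss account
    denial, or None when the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["verdict"] = VERDICTS.get(rec["code"], "other")
    return rec


def summarize(lines):
    """Count denials per (host, verdict). A host reporting mostly
    evaluation_error has a client-side problem, not a restrictive rule set."""
    hits = (classify(line) for line in lines)
    return Counter((h["host"], h["verdict"]) for h in hits if h)


if __name__ == "__main__":
    for (host, verdict), n in sorted(summarize(SAMPLE).items()):
        print(f"{host}\t{verdict}\t{n}")
```
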