SSSD-Intermittent User Login Failure in Free IPA Domain due to HBAC Rules Mismatch. (Doc ID 2519987.1)

Last updated on JUNE 23, 2020

Applies to:

Linux OS - Version Oracle Linux 7.5 with Unbreakable Enterprise Kernel [4.1.12] and later
Linux x86-64


A failure in SSSD's hbac_evaluate() causes a group mismatch, which makes the user's login fail even though the user is a member of the group. The symptoms look like the following:


sshd[11518]: pam_sss(sshd:account): Access denied for user xxxx : 6 (Permission denied)


--- sssd pam logs

[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT <<<<<<<<<<<<<<< PAM request
[sssd[pam]] [pam_print_data] (0x0100): domain:
[sssd[pam]] [pam_print_data] (0x0100): user:
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: x.x.x.x
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 2500
[sssd[pam]] [pam_print_data] (0x0100): logon name: xxxx
[sssd[pam]] [sbus_add_timeout] (0x2000): 0x5575dbd8fc50
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[pam]] [sbus_remove_timeout] (0x2000): 0x5575dbd8fc50
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][] <<<<<<<< failed here.
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
[sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.




[hbac_evaluate] (0x0100): The rule [group_name] did not match. <<<< user xxxx is a member of <group_name>, but the rule did not match, so IPA will not allow the user to log in to the system.
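
One way to triage this symptom from collected logs, as an added example (not part of the Oracle document and not SSSD code): it lists each SSS_PAM_ACCT_MGMT request that ended in result 6 alongside the rules hbac_evaluate reported as not matching. The sample lines are constructed from the excerpt above with the inline annotations removed, and the function name triage is hypothetical.

```python
import re

# Constructed sample: lines from the excerpt above, annotations removed (timestamps omitted, as on the page).
SAMPLE = """\
[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): rhost: x.x.x.x
[sssd[pam]] [pam_print_data] (0x0100): logon name: xxxx
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
[hbac_evaluate] (0x0100): The rule [group_name] did not match.
""".splitlines()

# "[function] (0xLEVEL): message" is the part of each line shown in the excerpt.
LINE = re.compile(r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
FIELD = re.compile(r"(?P<key>[a-z_ ]+):\s*(?P<val>.*)$")
RESULT = re.compile(r"pam_reply called with result \[(\d+)\]")
NO_MATCH = re.compile(r"The rule \[(.+?)\] did not match")

def triage(lines):
    """Return (denied PAM account requests, HBAC rules that did not match)."""
    denied, unmatched, req = [], [], None
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "pam_print_data" and (f := FIELD.match(msg)):
            if f["key"] == "command":          # first field of a new request dump
                req = {}
            if req is not None:
                req[f["key"]] = f["val"].strip()
        elif func == "pam_reply" and (r := RESULT.search(msg)) and req is not None:
            req["result"] = int(r[1])
            # 6 is the "Permission denied" result shown in the excerpt
            if req.get("command") == "SSS_PAM_ACCT_MGMT" and req["result"] == 6:
                denied.append(req)
            req = None
        elif func == "hbac_evaluate" and (n := NO_MATCH.search(msg)):
            unmatched.append(n[1])
    return denied, unmatched

if __name__ == "__main__":
    for req in triage(SAMPLE)[0]:
        print(req["logon name"], req["service"], req["rhost"], req["result"])
```

A denied account request for a user who is expected to be in the group, together with a "did not match" entry for that group's rule, is the combination this document describes.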




