
SSSD-Intermittent User Login Failure in Free IPA Domain due to HBAC Rules Mismatch. (Doc ID 2519987.1)

Last updated on JANUARY 29, 2020

Applies to:

Linux OS - Version Oracle Linux 7.5 with Unbreakable Enterprise Kernel [4.1.12] and later
Linux x86-64

Symptoms

An hbac_evaluate() failure in SSSD reports a group mismatch, which makes the user's login fail even though the user is a member of the group. The symptoms look like the following:

--/var/log/secure

sshd[11518]: pam_sss(sshd:account): Access denied for user xxxx : 6 (Permission denied)

--- sssd pam logs

[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT <<<<<<<<<<<<<<< PAM request
[sssd[pam]] [pam_print_data] (0x0100): domain: example.com
[sssd[pam]] [pam_print_data] (0x0100): user: xxxx@example.com
[sssd[pam]] [pam_print_data] (0x0100): service: sshd
[sssd[pam]] [pam_print_data] (0x0100): tty: ssh
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: x.x.x.x
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 2500
[sssd[pam]] [pam_print_data] (0x0100): logon name: xxxx
[sssd[pam]] [sbus_add_timeout] (0x2000): 0x5575dbd8fc50
[sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
[sssd[pam]] [sbus_remove_timeout] (0x2000): 0x5575dbd8fc50
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][example.com] <<<<<<<< failed here
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
[sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.

---/var/log/sssd/sssd_<domain>.log

[hbac_evaluate] (0x0100): The rule [group_name] did not match. <<<< user xxxx is a member of <group_name>, but the rule did not match, so IPA will not allow the user to log in to the system.
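As an added triage aid (not part of this note), the following Python script correlates the three logs quoted above: it collects users that pam_sss refused in the account phase with code 6, confirms that the SSSD PAM responder answered an SSS_PAM_ACCT_MGMT request for the same user with code 6 (a code 6 on an authentication request is a credential failure and is not counted), and lists the HBAC rules the backend reported as not matching. The sample log lines, user names and rule names are constructed placeholders.

```python
import re
# Constructed sample lines modelled on the entries quoted above; host names,
# PIDs, users and rule names are placeholders, not data from the note.
SECURE_LOG = """\
host1 sshd[11518]: pam_sss(sshd:account): Access denied for user alice : 6 (Permission denied)
host1 sshd[11600]: pam_sss(sshd:account): Access denied for user bob : 4 (System error)
"""
SSSD_PAM_LOG = """\
[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[sssd[pam]] [pam_print_data] (0x0100): user: alice@example.com
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][example.com]
[sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): user: carol@example.com
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][example.com]
"""
SSSD_DOMAIN_LOG = """\
[sssd[be[example.com]]] [hbac_evaluate] (0x0100): The rule [allow_admins] did not match.
[sssd[be[example.com]]] [hbac_evaluate] (0x0100): The rule [allow_devs] did not match.
"""
DENIED_RE = re.compile(r"pam_sss\(\w+:account\): Access denied for user (\S+) : (\d+)")
PAM_CMD_RE = re.compile(r"\[pam_print_data\] \(0x0100\): command: (\S+)")
PAM_USER_RE = re.compile(r"\[pam_print_data\] \(0x0100\): user: (\S+)")
PAM_REPLY_RE = re.compile(r"\[pam_dp_process_reply\] \(0x0200\): received: \[(\d+) ")
HBAC_RE = re.compile(r"\[hbac_evaluate\] \(0x0100\): The rule \[([^\]]+)\] did not match")

def parse_secure(text):
    """Users refused in the PAM account phase with code 6 (Permission denied)."""
    hits = (DENIED_RE.search(line) for line in text.splitlines())
    return {m.group(1) for m in hits if m and m.group(2) == "6"}

def parse_pam_log(text):
    """Only an SSS_PAM_ACCT_MGMT request answered with code 6 is an access-control
    denial; code 6 on SSS_PAM_AUTHENTICATE is a credential failure, not counted."""
    denied, cmd, user = set(), None, None
    for line in text.splitlines():
        if m := PAM_CMD_RE.search(line):
            cmd, user = m.group(1), None  # a new request starts here
        elif m := PAM_USER_RE.search(line):
            user = m.group(1).split("@")[0]  # drop the @domain qualifier
        elif (m := PAM_REPLY_RE.search(line)) and cmd == "SSS_PAM_ACCT_MGMT":
            if m.group(1) == "6" and user:
                denied.add(user)
    return denied

def triage(secure, pam, domain):
    """Correlate the logs: users denied by both pam_sss and the PAM responder,
    alongside every HBAC rule the backend evaluated and rejected."""
    users = parse_secure(secure) & parse_pam_log(pam)
    rules = [m.group(1) for m in map(HBAC_RE.search, domain.splitlines()) if m]
    return {"hbac_denied_users": sorted(users), "rules_not_matched": rules}
```

Run it against the real /var/log/secure, sssd_pam.log and sssd_<domain>.log of the affected host; a user listed under hbac_denied_users while every rule reports "did not match" points at HBAC rule membership rather than a credential problem.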

 

Changes

N/A 

Cause



In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.