HBAC rules fail randomly for AD users on RHEL7.1
Issue
The RHEL7.1 IPA client is a member of an AD domain trusted by the RHEL7.1 IPA domain. Things work fine for a day or so, and then users start getting access denied by HBAC rules. I see this in the domain log when they attempt to log in:
(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [hbac_eval_user_element] (0x1000): [3] groups for [user1@domain.local]
(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
hbactest on the client and server both pass.
[root@hostname sssd]# ipa hbactest --user user1@domain.local --host 'hostname.domain.linux' --service sshd
--------------------
Access granted: True
--------------------
Matched rules: allow_users
Not matched rules: allow_all
Environment
Red Hat Enterprise Linux 7.1
ipa-server-4.1.0-18.el7_1.3.x86_64
sssd-1.12.2-58.el7_1.14.x86_64
Trusted Active directory domain
