HBAC rules fail randomly for AD users on RHEL7.1

Solution In Progress - Updated -

Issue

A RHEL7.1 IPA client is a member of an AD domain trusted by a RHEL7.1 IPA domain. Things work fine for a day or so, and then users start getting access denied by HBAC rules. I see this in the domain log when they attempt to log in:

(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [hbac_eval_user_element] (0x1000): [3] groups for [user1@domain.local]
(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

hbactest on the client and server both pass.

[root@hostname sssd]# ipa hbactest --user user1@domain.local --host 'hostname.domain.linux' --service sshd
-------------------- 
Access granted: True 
-------------------- 
  Matched rules: allow_users
  Not matched rules: allow_all

Environment

Red Hat Enterprise Linux 7.1
ipa-server-4.1.0-18.el7_1.3.x86_64
sssd-1.12.2-58.el7_1.14.x86_64
Trusted Active directory domain
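
For triage of the log lines quoted in the Issue section, the following added example (not part of the original article, and not Red Hat or SSSD code) pairs each "Access denied by HBAC rules" line with the preceding hbac_eval_user_element line and reports the group count SSSD logged for that evaluation next to the highest count seen earlier for the same user. It assumes the denial belongs to the nearest preceding evaluation line, since the denial line itself does not name the user; the sample log, including the earlier line with 7 groups, is constructed, and the article does not state the cause of the denials.

```python
import re

# Constructed sample in the format of the two log lines quoted in the Issue section.
SAMPLE_LOG = """\
(Mon Oct 26 09:12:01 2015) [sssd[be[domain.linux]]] [hbac_eval_user_element] (0x1000): [7] groups for [user1@domain.local]
(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [hbac_eval_user_element] (0x1000): [3] groups for [user1@domain.local]
(Tue Oct 27 05:36:33 2015) [sssd[be[domain.linux]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
"""

# (timestamp) [sssd[be[domain]]] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                  r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
GROUPS = re.compile(r"^\[(\d+)\] groups for \[([^\]]+)\]$")
DENIED = "Access denied by HBAC rules"


def find_denials(log_text):
    """Return one dict per HBAC denial with the group count logged for that evaluation."""
    seen_max = {}    # user -> highest group count seen in earlier evaluations
    pending = None   # (user, count, earlier_max) from the last evaluation line
    denials = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an SSSD backend debug line in the expected format
        msg = m["msg"].strip()
        if m["func"] == "hbac_eval_user_element":
            g = GROUPS.match(msg)
            if g:
                user, count = g[2], int(g[1])
                pending = (user, count, seen_max.get(user))
                seen_max[user] = max(count, seen_max.get(user, 0))
        elif m["func"] == "ipa_hbac_evaluate_rules" and msg == DENIED:
            # Assumption: the denial belongs to the nearest preceding evaluation.
            user, count, earlier = pending or (None, None, None)
            denials.append({"time": m["ts"], "domain": m["dom"], "user": user,
                            "groups": count, "earlier_max": earlier,
                            "fewer_groups": earlier is not None and count < earlier})
            pending = None
    return denials


if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        print(d)
```
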
