IPA: HBAC doesn't honour primary group membership for IPA user

Solution Verified - Updated -


  • IPA: HBAC doesn't honor primary group membership for an IPA user, causing ipa hbactest and user login to fail.
# ipa hbactest --user=testuser --host=`hostname` --service=sshd
Access granted: False
  Not matched rules: testhbac

# id testuser
uid=1767400004(testuser) gid=1767400003(testgroup) groups=1767400003(testgroup) <---- Group is visible

# getent group testgroup
testgroup:*:1767400003:                      <---- Empty output: no members listed for the group

# ipa group-show testgroup
  Group name: testgroup
  GID: 1767400003
  Member of HBAC rule: testhbac

# ipa hbacrule-show testhbac
  Rule name: testhbac
  Enabled: TRUE
  User Groups: testgroup
  Host Groups: testhostgroup
  Services: sshd
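
The checks above can be scripted. The following is an added example, not part of the Red Hat solution: it parses id(1) and getent(1) output and reports every group that appears in the user's group list but whose group entry lists no such member, which is the combination shown above for testgroup. The sample strings are constructed after the page's output (othergroup is an assumed extra group added for contrast) so the script runs offline; on a live host you would pass "$(id testuser)" and "$(getent group)" instead.

```bash
#!/bin/sh
# Added example (not from the Red Hat solution): flag groups that id(1) shows
# for a user but whose group entry, as returned by getent(1), does not list
# that user as a member. The sample strings below are constructed after the
# page's output; othergroup is an assumed extra group for contrast.

# Constructed sample of `id testuser` output.
SAMPLE_ID='uid=1767400004(testuser) gid=1767400003(testgroup) groups=1767400003(testgroup),1767400005(othergroup)'

# Constructed sample of `getent group` output (one group per line).
SAMPLE_GETENT='testgroup:*:1767400003:
othergroup:*:1767400005:testuser,bob'

# primary_group_name ID_OUTPUT: print the name inside gid=NNN(name).
primary_group_name() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# group_members GETENT_OUTPUT GROUP: print the member field of that group
# (empty when the entry lists no members, as for testgroup above).
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# is_explicit_member GETENT_OUTPUT GROUP USER: succeed only when USER appears
# in the group's member list.
is_explicit_member() {
    group_members "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

# primary_only_groups ID_OUTPUT GETENT_OUTPUT USER: print each group from the
# groups= list of id(1) that does not list USER as an explicit member. On the
# page's output this is exactly testgroup: id(1) reports it through the gid
# field while the group entry lists no members, the combination the page
# pairs with the failing ipa hbactest.
primary_only_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | while IFS= read -r g; do
            if ! is_explicit_member "$2" "$g" "$3"; then
                printf '%s\n' "$g"
            fi
        done
}

# Stand-alone run on the constructed sample. On a live host substitute:
#   primary_only_groups "$(id testuser)" "$(getent group)" testuser
for g in $(primary_only_groups "$SAMPLE_ID" "$SAMPLE_GETENT" testuser); do
    if [ "$g" = "$(primary_group_name "$SAMPLE_ID")" ]; then
        echo "testuser: $g is the primary group but the group entry lists no members"
    else
        echo "testuser: $g does not list testuser as a member"
    fi
done
```

On the constructed sample only testgroup is reported, matching the empty member list that getent group testgroup shows above; othergroup, which lists the user explicitly, is not. The script only reproduces the symptom; whether a rule matches is still decided by ipa hbactest, so rerun it after any change to group membership.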


  • Red Hat Enterprise Linux 7.6
  • ipa-server-4.6.4-10.el7

Subscriber exclusive content