Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1366340
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: RFE to add an option to check user access in SSSD. SSSD should have an option to check user access from the ID/Auth provider. It should be similar to the ipa hbactest option.
# sssctl accesstest --user=test1 --host=machine1.example.com --service=sshd
Apart from adding a new command to sssctl, the tool would more or less just call (pseudocode):
pam_start()
pam_acct_mgmt()
pam_end()
And provide a nice textual representation of the result. What might be tricky, though, is that the stack normally also contains modules other than pam_sss.so, so if access was denied by pam_unix or any other module, the user couldn't tell which module denied access.
blockedby: => blocking: => changelog: => coverity: => design: => design_review: => 0 feature_milestone: => fedora_test_page: => keywords: => easyfix mark: no => 0 review: True => 0 selected: => testsupdated: => 0
But this should be fine if the expectation that it validates only the SSSD part is clearly spelled out. This actually gives a hint, if the SSSD test passes but the user can't log in, that another module is to blame.
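The caveat discussed above, that pam_acct_mgmt() reports the verdict of the whole account stack and not only pam_sss.so, can be checked by reading the service's PAM file. The following is an added example, not part of the ticket or of SSSD: it lists the account-phase entries and names the non-SSSD modules whose control flag lets a failure deny access. The stack text is a constructed sample, the function names are hypothetical, and include/substack lines are not followed.

```python
import re

# Constructed sample: account section of a PAM service file such as
# /etc/pam.d/system-auth (not taken from the ticket).
SAMPLE_STACK = """\
# type      control       module [args]
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
-session    optional      pam_systemd.so
account     required      pam_permit.so
"""

LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def account_stack(text):
    """Return [(control, module, args)] for the account phase, in stack order."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()             # drop comments
        m = LINE.match(line)
        if m and m.group(1) == "account":
            module = m.group(3).rsplit("/", 1)[-1]      # accept full module paths
            entries.append((m.group(2), module, m.group(4)))
    return entries


def can_fail_stack(control):
    """True if the control flag lets a failing module fail pam_acct_mgmt()."""
    if control.startswith("["):
        actions = [kv.split("=", 1)[1] for kv in control[1:-1].split() if "=" in kv]
        return any(a in ("bad", "die") for a in actions)
    return control in ("required", "requisite")


def other_deniers(text):
    """Non-SSSD modules that can deny, judged by control flag only."""
    return [mod for ctl, mod, _ in account_stack(text)
            if mod != "pam_sss.so" and can_fail_stack(ctl)]


if __name__ == "__main__":
    for ctl, mod, args in account_stack(SAMPLE_STACK):
        print(f"{mod:20} {ctl:45} can fail stack: {can_fail_stack(ctl)}")
    print("non-SSSD modules that can deny:", other_deniers(SAMPLE_STACK))
```

The result is based on control flags alone; a module such as pam_permit.so is listed even though it always returns success.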
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.16 beta
milestone: SSSD Future releases (no date set yet) => SSSD 1.15.2
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.15.2
Metadata Update from @jhrozek: - Custom field design_review reset - Custom field mark reset - Custom field patch reset - Custom field review reset - Custom field sensitive reset - Custom field testsupdated reset - Issue close_status updated to: None - Issue set to the milestone: SSSD 1.15.3 (was: SSSD 1.15.2)
This might be a duplicate of #3292 (general troubleshooting tool). With sss_pam_test_client from https://github.com/SSSD/sssd/pull/200 a call like
sss_pam_test_client username acct
would check if the user is allowed to access the local system via the 'system-auth' PAM server. If a different PAM service should be checked, the name can be given as the third option.
Metadata Update from @jhrozek: - Custom field design_review reset (from false) - Custom field mark reset (from false) - Custom field patch reset (from false) - Custom field review reset (from false) - Custom field sensitive reset (from false) - Custom field testsupdated reset (from false) - Issue assigned to sbose
Metadata Update from @jhrozek: - Custom field design_review reset (from false) - Custom field mark reset (from false) - Custom field patch adjusted to on (was: false) - Custom field review reset (from false) - Custom field sensitive reset (from false) - Custom field testsupdated reset (from false)
Metadata Update from @jhrozek: - Custom field design_review reset (from false) - Custom field mark reset (from false) - Custom field review reset (from false) - Custom field sensitive reset (from false) - Custom field testsupdated reset (from false) - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4166
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.