Bug 675284 - "no matching rule" message logged on all successful requests.
"no matching rule" message logged on all successful requests.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
6.1
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Stephen Gallagher
Chandrasekar Kannan
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-04 14:17 EST by Gowrishankar Rajaiyan
Modified: 2015-01-04 18:46 EST (History)
5 users (show)

See Also:
Fixed In Version: sssd-1.5.1-6.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-19 07:38:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gowrishankar Rajaiyan 2011-02-04 14:17:37 EST
Description of problem:
"Authorized service attribute has no matching rule, access denied" message gets logged in /var/log/secure even though there exists a valid rule to grant access to user and authentication succeeds.

Version-Release number of selected component (if applicable):
sssd-1.5.1-3.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. On DS add user (puser1) with objectclass authorizedServiceObject and authorizedService: sshd. 
2. Configure SSSD with ldap_access_order as authorized_service. See "Additional info" section for relevant sssd.conf
3. Restart sssd with clear cache.
4. Using ssh try authenticating as puser1.
  
Actual results:
Snipped /var/log/secure:
Feb  4 19:36:01 rhel6-1 sshd[1941]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=puser1
Feb  4 19:36:03 rhel6-1 sshd[1941]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=puser1
Feb  4 19:36:03 rhel6-1 sshd[1941]: pam_sss(sshd:account): system info: [Authorized service attribute has no matching rule, access denied]
Feb  4 19:36:03 rhel6-1 sshd[1941]: Accepted password for puser1 from 127.0.0.1 port 46390 ssh2
Feb  4 19:36:03 rhel6-1 sshd[1941]: pam_unix(sshd:session): session opened for user puser1 by (uid=0)

"Authorized service attribute has no matching rule, access denied" message gets logged in /var/log/secure even though there exists a valid rule for sshd service.

Expected results:
Should not print this message on successful requests.

Additional info:

Relevant section of sssd.conf:
[domain/default]
ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307
ldap_default_authtok_type = obfuscated_password
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_id_use_start_tls = False
ldap_default_bind_dn = uid=puser1,ou=People,dc=example,dc=com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
debug_level = 9
ldap_uri = ldaps://sssdldap.redhat.com:636
enumerate = True
cache_credentials = True
ldap_default_authtok = AAAQAFFoJm/cBfbpU83dl5fe2wTdWeTPvLS8mfbDyZSN1AFK0tGwV6d0fJgr6lr33IYKK88yoZsASPUv20IUPtmCJZ4AAQIDAAA=
ldap_tls_cacertdir = /etc/openldap/cacerts
access_provider = ldap
ldap_access_order = authorized_service
ldap_user_authorized_service = authorizedService
Comment 3 Gowrishankar Rajaiyan 2011-03-18 07:23:27 EDT
No more "Authorized service attribute has no matching rule, access denied" message gets logged in /var/log/secure during successful requests when there exists a matching rule. 


# rpm -qi | head
rpm: no arguments given for query
[root@rhel6-1 ~]# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 14.el6                        Build Date: Thu 10 Mar 2011 01:00:12 AM IST
Install Date: Fri 18 Mar 2011 03:43:08 PM IST      Build Host: x86-009.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-14.el6.src.rpm
Size        : 3418526                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 4 errata-xmlrpc 2011-05-19 07:38:34 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 5 errata-xmlrpc 2011-05-19 09:09:29 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html

Note You need to log in before you can comment on or make changes to this bug.