Troubleshooting
Problem
After installing IBM ClearCase on a Red Hat Enterprise Linux 8.x host and enabling Active Directory authentication via the System Security Services Daemon (SSSD), Active Directory users cannot log in to the WAN server via ClearTeam Explorer or rcleartool.
The users in question can log in via SSH and on the server's console.
An existing Red Hat Enterprise Linux 7.x WAN server, using identical configuration files, works.
Symptom
Examination of the WAN server logs reveals the following messages:
May 26 15:17:24 ccwan ccbe-web[315132]: pam_sss(clearcase:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=denise.allison
May 26 15:17:24 ccwan ccbe-web[315132]: pam_sss(clearcase:account): Access denied for user denise.allison: 6 (Permission denied)
Cause
The cause is a security improvement between the releases of sssd in RHEL 7.x (1.x) and RHEL 8.x (2.x). SSSD 2.x enables GPO-based access control by default, and defaults to a "deny" state for non-default PAM services. As the "clearcase" service is not a default service, SSSD will not allow the login of even authenticated users. Hence the success for "clearcase:auth" and the failure for "clearcase:account" in the messages above.
Environment
This was initially seen on Red Hat Enterprise Linux 8.3, and reproduced on 8.2. This issue will likely be present on any Linux host running a 2.x release of SSSD.
This document assumes that the documented procedures for enabling PAM access to the WAN server in Configuration guidelines for the CCRC WAN server (ibm.com) have been completed.
Diagnosing The Problem
The error messages in the WAN server logs indicate an OS authorization issue: the OS is not permitting the authenticated user to access the "clearcase" service. The pam_sss module, which the OS uses to connect PAM to SSSD, has no debug options of its own, but the options for sssd show that debugging can be enabled globally and for each section in sssd.conf.
After adding "debug_level=0xFFFF" to each section of the sssd.conf, and restarting sssd, the /var/log/sssd/sssd_{domain name}.log file revealed the cause of the issue:
(Wed May 26 20:22:11 2021) [sssd[be[swtest.local]]] [ad_gpo_access_send] (0x0400): Configuration hint: PAM service 'clearcase' is not mapped to any Group Policy rule. If you plan to use this PAM service it is recommended to use the ad_gpo_map_* family of options to map this PAM service to a Group Policy rule. PAM services not present in any map will fall back to value set in ad_gpo_default_right, which is currently set to Denied (see manual pages 'man sssd-ad' for more details).
Resolving The Problem
Edit the sssd.conf to do one of the following:
- Set the default access from "deny" to "permit" by adding "ad_gpo_default_right = permit" to the AD domain's section in sssd.conf. This can potentially allow more than the desired amount of access.
- Add the "clearcase" service to the appropriate SSSD group policy map. For example, adding "ad_gpo_map_interactive = +clearcase" to the AD domain's section in sssd.conf will allow users who hold the "log on interactively" right in the domain.
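As an added check, not part of this technote, the following Python reads an sssd.conf and reports how SSSD 2.x GPO access control will treat the "clearcase" PAM service, so the "denied-by-default" state behind the "clearcase:account" failure can be spotted before users hit it. The sample configuration is constructed; the option names are the ad_gpo_* options documented in sssd-ad(5).

```python
import configparser

# Constructed sample sssd.conf reproducing the technote's failing state: the
# "clearcase" PAM service is in no ad_gpo_map_* option and no default right is set.
SAMPLE_SSSD_CONF = """
[sssd]
domains = swtest.local
services = nss, pam

[domain/swtest.local]
id_provider = ad
access_provider = ad
debug_level = 0xFFFF
ad_gpo_map_interactive = +gdm
"""

# ad_gpo_map_* options (sssd-ad(5)) whose "+service" entries grant a logon right.
GPO_MAP_OPTIONS = (
    "ad_gpo_map_interactive", "ad_gpo_map_remote_interactive",
    "ad_gpo_map_network", "ad_gpo_map_batch", "ad_gpo_map_service",
    "ad_gpo_map_permit",
)


def _entries(section, option):
    """Split a comma-separated ad_gpo_map_* value into its +service/-service entries."""
    return [e.strip() for e in section.get(option, "").split(",") if e.strip()]


def gpo_status(conf_text, service="clearcase"):
    """Report how SSSD 2.x GPO access control treats a PAM service, using the
    first [domain/...] section found.  Returns "gpo-disabled", "mapped:<option>",
    "denied:ad_gpo_map_deny", "permit-by-default", or "denied-by-default" (the
    state behind 'pam_sss(clearcase:account): Access denied')."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        dom = cp[name]
        if dom.get("ad_gpo_access_control", "enforcing").strip() == "disabled":
            return "gpo-disabled"
        if "+" + service in _entries(dom, "ad_gpo_map_deny"):
            return "denied:ad_gpo_map_deny"
        for opt in GPO_MAP_OPTIONS:
            if "+" + service in _entries(dom, opt):
                return "mapped:" + opt
        if dom.get("ad_gpo_default_right", "deny").strip() == "permit":
            return "permit-by-default"
        return "denied-by-default"
    return "denied-by-default"
```

Running it against the real /etc/sssd/sssd.conf on the WAN server shows which of the two fixes above is in effect, and whether the broader "permit" default was chosen where the narrower map would do.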
Document Location
Worldwide
Product Synonym
ClearCase;CC
Document Information
Modified date:
22 June 2021
UID
ibm16456963