HBAC Services
Manage HBAC service definitions for use in host-based access control rules. Services represent specific system services (SSH, su, sudo, etc.) that can be controlled via HBAC policies. Features include service creation with descriptions, service grouping for policy management, and integration with HBAC rules for granular service-level access control.
The PAM services that HBAC can control access to. The name used here must match the service name that PAM is evaluating.
EXAMPLES
Add a new HBAC service:
ipa hbacsvc-add tftpModify an existing HBAC service:
ipa hbacsvc-mod --desc="TFTP service" tftpSearch for HBAC services. This example will return two results, the FTP
service and the newly-added tftp service:
ipa hbacsvc-find ftpDelete an HBAC service:
ipa hbacsvc-del tftp
Commands
hbacsvc-add
Usage: ipa [global-options] hbacsvc-add SERVICE [options]
Add a new HBAC service.
Arguments
| Argument | Required | Description |
|---|---|---|
SERVICE | yes | HBAC service |
Options
| Option | Description |
|---|---|
--desc DESC | HBAC service description |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
hbacsvc-del
Usage: ipa [global-options] hbacsvc-del SERVICE [options]
Delete an existing HBAC service.
Arguments
| Argument | Required | Description |
|---|---|---|
SERVICE | yes | HBAC service |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
hbacsvc-find
Usage: ipa [global-options] hbacsvc-find [CRITERIA] [options]
Search for HBAC services.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--service SERVICE | HBAC service |
--desc DESC | HBAC service description |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“service”) |
hbacsvc-mod
Usage: ipa [global-options] hbacsvc-mod SERVICE [options]
Modify an HBAC service.
Arguments
| Argument | Required | Description |
|---|---|---|
SERVICE | yes | HBAC service |
Options
| Option | Description |
|---|---|
--desc DESC | HBAC service description |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
hbacsvc-show
Usage: ipa [global-options] hbacsvc-show SERVICE [options]
Display information about an HBAC service.
Arguments
| Argument | Required | Description |
|---|---|---|
SERVICE | yes | HBAC service |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
Use Cases
Adding Custom Application Services to HBAC Control
Organizations deploying custom applications with PAM integration need to define HBAC services matching the application’s PAM service name to enable access control.
# Add HBAC service for custom application
ipa hbacsvc-add myapp --desc="Custom application PAM service"
# Verify service created
ipa hbacsvc-show myapp
# Create HBAC rule controlling access to this service
ipa hbacrule-add myapp_access
ipa hbacrule-add-service myapp_access --hbacsvcs=myapp
ipa hbacrule-add-user myapp_access --groups=app-users
ipa hbacrule-add-host myapp_access --hostgroups=app-servers
# Application's PAM configuration (/etc/pam.d/myapp) will be evaluated
# against myapp HBAC service when users authenticate
Defining Standard System Services for Consistent Policy
IT teams establish standard HBAC service definitions across the organization to ensure consistent naming and enable centralized access control policy management.
# Add standard remote access services
ipa hbacsvc-add sshd --desc="SSH daemon service"
ipa hbacsvc-add login --desc="Console login service"
ipa hbacsvc-add gdm --desc="GNOME Display Manager graphical login"
ipa hbacsvc-add cockpit --desc="Cockpit web administration service"
# Add privilege escalation services
ipa hbacsvc-add su --desc="Switch user command"
ipa hbacsvc-add sudo --desc="Execute commands as another user"
# Add file transfer services
ipa hbacsvc-add vsftpd --desc="Very Secure FTP daemon"
ipa hbacsvc-add sftp --desc="SSH file transfer protocol"
# List all defined services for documentation
ipa hbacsvc-find --all
Controlling Web Application Access via Apache PAM Module
Web applications using mod_authnz_pam for Apache authentication require HBAC service definitions matching their PAM service configuration.
# Add HBAC service for web application
ipa hbacsvc-add webapp --desc="Web application PAM service"
# Configure HBAC rule for web app access
ipa hbacrule-add webapp_access
ipa hbacrule-add-service webapp_access --hbacsvcs=webapp
ipa hbacrule-add-user webapp_access --groups=web-users
ipa hbacrule-add-host webapp_access --hosts=web.example.com
# Apache configuration uses PAM service name "webapp"
# /etc/pam.d/webapp contains PAM stack
# mod_authnz_pam checks HBAC via SSSD for authorization
Managing Database Authentication Services
Database systems with PAM integration (PostgreSQL, MySQL with PAM plugin) need HBAC service definitions to control database authentication.
# Add HBAC service for PostgreSQL
ipa hbacsvc-add postgresql --desc="PostgreSQL database service"
# Create role-based HBAC rule for DBAs
ipa hbacrule-add dba_database_access
ipa hbacrule-add-service dba_database_access --hbacsvcs=postgresql
ipa hbacrule-add-user dba_database_access --groups=database-admins
ipa hbacrule-add-host dba_database_access --hostgroups=database-servers
# PostgreSQL PAM configuration (/etc/pam.d/postgresql)
# uses pam_sss.so for HBAC authorization
Finding Services by Criteria for Policy Review
Administrators reviewing HBAC policies need to search for services by name pattern or description to identify relevant services.
# Find all FTP-related services
ipa hbacsvc-find ftp
# Returns: ftp, vsftpd, sftp, tftp, etc.
# Find services with "ssh" in name or description
ipa hbacsvc-find ssh
# Returns: sshd, ssh, sftp
# List all HBAC services for audit
ipa hbacsvc-find --all > hbac-services-audit.txt
# Count total HBAC services
ipa hbacsvc-find | grep "Number of entries returned:"
Modifying Service Descriptions for Documentation
Maintaining clear service descriptions helps administrators understand service purpose during policy creation and troubleshooting.
# Add description to existing service
ipa hbacsvc-mod sshd --desc="SSH daemon - remote shell access"
# Update description with additional details
ipa hbacsvc-mod sudo \
--desc="Sudo - privilege escalation, see sudorule for command-level control"
# Add compliance reference to description
ipa hbacsvc-mod login \
--desc="Console login - PCI-DSS requires monitoring per req 10.2.4"
# View updated description
ipa hbacsvc-show sudo
Removing Obsolete Services After Application Decommissioning
When applications are decommissioned, removing associated HBAC services prevents policy clutter and reduces confusion.
# Check if service is used in any HBAC rules first
ipa hbacrule-find --hbacsvcs=oldapp
# If service is referenced in rules, remove from rules first
ipa hbacrule-remove-service app_access --hbacsvcs=oldapp
# Delete the HBAC service
ipa hbacsvc-del oldapp
# Verify deletion
ipa hbacsvc-show oldapp
# Should return: service not found
Grouping Related Services for Simplified Policy Management
While individual services are defined with hbacsvc-add, related services are grouped using hbacsvcgroup for easier HBAC rule management.
# Add individual file transfer services
ipa hbacsvc-add ftp --desc="FTP service"
ipa hbacsvc-add sftp --desc="Secure FTP service"
ipa hbacsvc-add vsftpd --desc="Very Secure FTP daemon"
# Create service group for all file transfer services
ipa hbacsvcgroup-add file-transfer --desc="All file transfer services"
ipa hbacsvcgroup-add-member file-transfer --hbacsvcs=ftp
ipa hbacsvcgroup-add-member file-transfer --hbacsvcs=sftp
ipa hbacsvcgroup-add-member file-transfer --hbacsvcs=vsftpd
# HBAC rules can now reference the group instead of individual services
ipa hbacrule-add file_transfer_access
ipa hbacrule-add-service file_transfer_access --hbacsvcgroups=file-transfer
Standardizing VPN and Remote Access Service Definitions
Organizations deploying multiple remote access solutions need consistent HBAC service definitions for VPN, SSH, and remote desktop services.
# Add VPN service definitions
ipa hbacsvc-add openvpn --desc="OpenVPN service"
ipa hbacsvc-add ipsec --desc="IPsec VPN service"
ipa hbacsvc-add wireguard --desc="WireGuard VPN service"
# Add remote desktop services
ipa hbacsvc-add xrdp --desc="Remote Desktop Protocol service"
ipa hbacsvc-add vnc --desc="VNC remote desktop service"
ipa hbacsvc-add x2go --desc="X2Go remote desktop service"
# Create service group for remote access
ipa hbacsvcgroup-add remote-access \
--desc="All remote access services"
# Group all remote access services
ipa hbacsvcgroup-add-member remote-access \
--hbacsvcs=sshd,openvpn,ipsec,xrdp,vnc
Validating PAM Service Name Matches System Configuration
Ensuring HBAC service names match actual PAM service configuration files prevents HBAC policy failures.
# Check PAM configuration files on target systems
ssh server.example.com "ls /etc/pam.d/"
# Add HBAC service matching PAM service name exactly
# If PAM file is /etc/pam.d/cockpit, service name must be "cockpit"
ipa hbacsvc-add cockpit --desc="Cockpit web console"
# Verify service name matches
ipa hbacsvc-show cockpit
# Common mistake: adding service with wrong name
# This will NOT work if PAM file is named differently:
ipa hbacsvc-add webmin # Wrong if PAM file is /etc/pam.d/usermin
# Service name MUST match PAM configuration exactly
Security Considerations
HBAC Service Name Must Match PAM Configuration Exactly
HBAC services control access based on PAM service names. If the HBAC service name does not exactly match the PAM service configuration file name in /etc/pam.d/, HBAC rules will not be evaluated, causing either unintended access grants (if default HBAC rule allows) or unexpected denials. Case sensitivity and naming mismatches create security policy bypass opportunities.
Establish naming standards requiring HBAC service names to match PAM configuration exactly. Validate PAM configuration files on target systems before creating HBAC services: ls /etc/pam.d/ to verify exact names. Document PAM-to-HBAC service mapping in operational procedures. Test HBAC policy enforcement with pam_test_sssd or actual authentication attempts. Implement change control requiring verification of PAM service name before HBAC service creation.
Undefined Services Allow Permissive Default HBAC Rule
If a PAM service is not defined in IPA HBAC services, the service may fall under the default HBAC rule allow_all. In environments where allow_all has not been disabled, undefined services grant unrestricted access. This creates security gaps when new applications with PAM integration are deployed without corresponding HBAC service definitions.
Disable default allow_all HBAC rule in production: ipa hbacrule-disable allow_all. Implement procedures requiring HBAC service creation before application deployment. Use monitoring to detect PAM authentication events for services not defined in HBAC: review SSSD logs for unknown service names. Establish application deployment checklists including HBAC service definition. Conduct regular audits comparing PAM service files across systems with defined HBAC services.
Service Deletion Without HBAC Rule Review Breaks Access
Deleting an HBAC service with hbacsvc-del while HBAC rules still reference the service causes those rules to become incomplete. Rules with missing services may deny access unexpectedly or fail to evaluate properly. Service deletion without impact analysis creates operational disruptions when legitimate users lose access.
Before deleting HBAC services, identify dependent HBAC rules: ipa hbacrule-find --hbacsvcs=service-name. Review each rule and either remove service reference or delete entire rule if service was sole purpose. Document service deletion in change tickets with impact analysis. Implement service deprecation process: disable rules referencing service, verify no access impact, wait observation period, then delete service. Use --continue flag carefully as it masks errors during deletion.
Service Descriptions Expose Application Architecture
HBAC service descriptions may contain sensitive information about application architecture, technology stack, compliance requirements, or business function. These descriptions are readable by authenticated users and may assist reconnaissance for targeted attacks. Overly detailed descriptions provide attacker intelligence about internal systems.
Keep service descriptions generic and functional rather than architecturally detailed. Avoid including version numbers, technology specifics, or compliance scopes in descriptions. Use consistent naming conventions that do not reveal sensitive application purposes. Implement access controls on HBAC service viewing if supported. Document sensitive details in secure operational documentation rather than HBAC service descriptions. Review service descriptions during security audits for information disclosure.
Orphaned Services Create Policy Management Confusion
HBAC services created for decommissioned applications but never deleted accumulate over time, creating confusion during policy review and increasing risk of accidental misuse. Orphaned services may be incorrectly included in new HBAC rules, granting access to non-existent services or being repurposed for different applications.
Implement lifecycle management for HBAC services tied to application lifecycle. When applications are decommissioned, include HBAC service deletion in decommissioning procedures. Conduct periodic audits identifying services not referenced in any HBAC rules: compare hbacsvc-find output with hbacrule-find --all results. Document service ownership and purpose for accountability. Use naming conventions including environment or department to facilitate orphan identification.
Service Group Membership Changes Affect Multiple HBAC Rules
HBAC service groups simplify rule management but modifications to group membership affect all HBAC rules referencing the group. Adding services to groups can unintentionally grant broader access than intended. Removing services from groups can break access for legitimate users without obvious error messages.
Treat service group modifications as high-risk changes requiring approval and testing. Document which HBAC rules reference each service group before modifications. Test group changes in non-production before applying to production. Implement change notifications alerting HBAC rule owners when referenced service groups change. Consider service groups immutable after initial creation, creating new groups for different membership rather than modifying existing.
Case Sensitivity in Service Names Causes Policy Mismatches
HBAC service names and PAM service configuration files are case-sensitive. Creating HBAC service “SSH” when PAM uses “ssh” causes policy mismatch. Users may authenticate against PAM service “ssh” which does not match HBAC service “SSH”, resulting in access denials or unintended default rule application.
Enforce lowercase naming convention for all HBAC services matching PAM naming standards. Validate service names during creation: check for existing services with different case. Implement service name validation in wrapper scripts preventing case variants. Document naming standards in operational procedures. When troubleshooting HBAC denials, verify exact case match between HBAC service and PAM configuration.
Built-in Services Cannot Be Deleted Creating Naming Conflicts
IPA includes several built-in HBAC services (login, su, sshd, etc.) that cannot be deleted. Attempting to create custom services with same names as built-in services fails. Organizations may have different PAM service naming than built-in services, causing confusion about which services to use in HBAC rules.
Use built-in HBAC services where names match PAM configuration. For custom PAM service names, create new HBAC services with distinct names. Document which built-in services exist: ipa hbacsvc-find --all. Review built-in service descriptions to understand intended use. Do not attempt to work around built-in services; align PAM configuration with built-in service names where possible for consistency.
Service Name Length Limits Truncate Long Application Names
HBAC service names have maximum length limits. Applications with very long names may require abbreviation or truncation for HBAC service names. Abbreviated names must still exactly match PAM service configuration or policy will not apply. Name truncation can create confusion about which service corresponds to which application.
Establish naming conventions accommodating length limits while maintaining clarity. Use meaningful abbreviations documented in service descriptions. Ensure PAM configuration uses same abbreviated names as HBAC services. Test that PAM service names match HBAC service names exactly after abbreviation. Document full application names in service descriptions for reference.
Wildcard or Pattern Services Not Supported
HBAC services do not support wildcard or pattern matching. Each PAM service requires explicit HBAC service definition. Organizations with many similar services (app1, app2, app3, etc.) must create individual HBAC services for each, increasing administrative overhead. Attempts to use wildcards in service names fail or create non-matching service definitions.
Accept that one-to-one mapping between PAM services and HBAC services is required. Use service groups to manage multiple related services collectively in HBAC rules. Implement automation for bulk service creation when deploying many similar applications. Consider standardizing PAM service names to reduce variation. For application families, use common PAM service name across variants where appropriate.
Service Modification Affects Active Sessions
Modifying HBAC service descriptions or attributes does not affect service name or policy evaluation, but changes replicate to all IPA servers and may affect administrative workflows. Frequent modifications create audit log noise and can mask malicious changes. Service modifications without documentation make troubleshooting historical access issues difficult.
Treat service modifications as configuration changes requiring justification and approval. Limit modifications to description updates for documentation improvements. Avoid changing service attributes unless specifically needed. Log all service modifications with business justification in change management system. Review service modification history during security audits: ipa hbacsvc-show service --all to see modification timestamps.
Missing Service Definition Bypasses Intended Access Controls
When PAM attempts to evaluate a service not defined in IPA HBAC, behavior depends on HBAC rule configuration. If no HBAC rules apply to undefined services and allow_all is disabled, access is denied (secure default). If allow_all still enabled, access is permitted (insecure). This creates inconsistent security posture depending on default rule status.
Ensure allow_all HBAC rule is disabled in production: ipa hbacrule-disable allow_all. Create comprehensive HBAC services for all PAM-enabled applications. Implement monitoring detecting PAM authentication for undefined services: parse SSSD logs for service names not in HBAC. Use deny-by-default approach with explicit allow rules. Test new application authentication against HBAC before production deployment.
Service Creation Without Corresponding PAM Configuration
Administrators may create HBAC services proactively before applications are deployed, or create services for applications that do not actually use PAM. Unused HBAC services create confusion and may be mistakenly included in HBAC rules, granting theoretical access to non-existent services. This complicates security audits and access reviews.
Create HBAC services in conjunction with actual application deployment, not proactively. Verify applications actually use PAM before creating HBAC services: check application documentation and configuration. Audit HBAC services against actual PAM configurations on systems. Remove HBAC services for applications that do not use PAM. Document which services are in active use vs planned future use.
Troubleshooting
HBAC Service Creation Fails with Duplicate Name Error
Symptom: Attempting to create HBAC service with hbacsvc-add fails with error indicating service already exists or duplicate name.
Diagnosis: Check if service already exists: ipa hbacsvc-show service-name. Verify exact service name including case. Review built-in services: ipa hbacsvc-find --all to see if built-in service has same name. Check for typos in service name.
Resolution: If service already exists, use it in HBAC rules rather than creating duplicate. If built-in service exists with same name, use built-in service. If attempting to recreate deleted service, verify deletion completed: may need to wait for replication. For case sensitivity issues, ensure using exact intended name. If service name conflicts with built-in service that cannot be deleted, use alternative name matching your PAM configuration.
Service Shows in List But Cannot Be Deleted
Symptom: HBAC service appears in hbacsvc-find output but hbacsvc-del fails with error indicating service cannot be deleted or is protected.
Diagnosis: Identify if service is built-in system service: built-in services (login, su, sshd, sudo, etc.) cannot be deleted. Check if service is referenced in HBAC rules: ipa hbacrule-find --hbacsvcs=service-name. Verify user has permissions to delete services. Check if service is member of service groups: ipa hbacsvcgroup-find --hbacsvcs=service-name.
Resolution: Accept that built-in services cannot be deleted; disable referencing HBAC rules if needed. For services referenced in HBAC rules, remove service from rules first: ipa hbacrule-remove-service rule-name --hbacsvcs=service-name. Remove service from any service groups: ipa hbacsvcgroup-remove-member group-name --hbacsvcs=service-name. Verify user has appropriate permissions: member of admins or HBAC Administrator role. After removing all references, retry deletion.
HBAC Policy Not Applying to Service
Symptom: HBAC rule configured with service but access still denied or incorrectly permitted for that service. Users report authentication failures or unexpected access patterns.
Diagnosis: Verify service name exactly matches PAM configuration: check /etc/pam.d/ for exact service file name on target system. Confirm HBAC rule is enabled: ipa hbacrule-show rule-name | grep Enabled. Test HBAC rule evaluation: ipa hbactest --service=service-name --user=username --host=hostname. Review SSSD logs on client: /var/log/sssd/sssd_*.log for HBAC evaluation details.
Resolution: Ensure HBAC service name exactly matches PAM service name (case-sensitive): if PAM uses “sshd”, HBAC service must be “sshd” not “SSH” or “ssh”. Enable HBAC rule if disabled: ipa hbacrule-enable rule-name. Verify PAM configuration includes SSSD: /etc/pam.d/service-name should contain pam_sss.so for HBAC evaluation. Clear SSSD cache on client: sss_cache -E && systemctl restart sssd. Test with hbactest to verify rule matches expected access pattern.
Service Appears in Rules But Authentication Still Fails
Symptom: Service is correctly added to HBAC rule and rule shows service in members, but authentication still fails with access denied errors.
Diagnosis: Verify rule includes all required components: users/groups, hosts/hostgroups, and services. Check if user is member of groups referenced in rule: ipa group-show groupname | grep username. Verify host is member of hostgroups: ipa hostgroup-show groupname | grep hostname. Review SSSD debug logs: increase SSSD debug level and review /var/log/sssd/sssd_*.log.
Resolution: Ensure HBAC rule includes user, host, and service components: all three must match for access. Add missing users or hosts to rule: ipa hbacrule-add-user rule-name --users=username and ipa hbacrule-add-host rule-name --hosts=hostname. Verify group memberships are current: ipa user-show username --all to see all group memberships. Check for conflicting HBAC rules that might deny access. Test with ipa hbactest to isolate which component is not matching. Verify allow_all rule is disabled if using custom rules.
Service Description Cannot Be Modified
Symptom: Attempting to change service description with hbacsvc-mod --desc fails with permission error or has no effect.
Diagnosis: Verify user has modification permissions: check if user is member of admins group or has HBAC Administrator role. Test if modification command syntax is correct: ipa hbacsvc-mod service-name --desc="New description". Check if service is built-in and has restrictions. Verify Kerberos authentication is valid: klist.
Resolution: Ensure user has appropriate permissions: ipa group-add-member admins --users=username or assign HBAC Administrator role. Use correct syntax with service name and —desc flag: ipa hbacsvc-mod myapp --desc="Updated description". Renew Kerberos ticket if expired: kinit username. For built-in services, descriptions should still be modifiable; check for custom ACIs blocking modifications. Review IPA logs: /var/log/httpd/error_log for specific error details.
Finding Services Returns No Results for Known Service
Symptom: Running hbacsvc-find service-name returns no results even though service is known to exist.
Diagnosis: Verify exact service name: case-sensitive search may not match. Check if using CRITERIA vs —service flag: hbacsvc-find CRITERIA searches all attributes. Test with different search patterns: partial name vs full name. Check if service exists at all: ipa hbacsvc-show exact-name.
Resolution: Use exact service name with proper case: ipa hbacsvc-find --service=sshd. For partial matching, use CRITERIA argument: ipa hbacsvc-find ssh searches descriptions and names. Try finding all services: ipa hbacsvc-find with no criteria to see if service appears in full list. If service definitely should exist but not found, check replication: service may be on different IPA server. Clear SSSD cache: sss_cache -E and retry. Use --all flag to see complete attribute set: ipa hbacsvc-find --all.
Service Name Too Long for Creation
Symptom: Creating HBAC service fails with error about name length or validation failure when using long application name.
Diagnosis: Check maximum service name length limits in IPA schema. Review error message for specific length constraint. Count characters in proposed service name. Compare against successfully created services with shorter names.
Resolution: Abbreviate service name to fit within length limits while maintaining uniqueness. Use meaningful abbreviations: “application-name-web-interface” might become “appname-web”. Ensure abbreviated name still matches PAM configuration: PAM service file must use same abbreviated name. Document full application name in service description: --desc="Full Application Name Web Interface". Update PAM configuration on target systems to use abbreviated service name if needed. Test that abbreviated name works with PAM: verify /etc/pam.d/abbreviated-name exists.
Service Deletion Fails Due to Service Group Membership
Symptom: Attempting to delete HBAC service fails with error indicating service is still in use or has dependencies.
Diagnosis: Check if service is member of any service groups: ipa hbacsvcgroup-find --hbacsvcs=service-name. Verify if any HBAC rules reference the service: ipa hbacrule-find --hbacsvcs=service-name. Review error message for specific dependency mentioned.
Resolution: Remove service from all service groups first: ipa hbacsvcgroup-remove-member group-name --hbacsvcs=service-name for each group. Remove service from all HBAC rules: ipa hbacrule-remove-service rule-name --hbacsvcs=service-name. After removing all references, retry deletion: ipa hbacsvc-del service-name. Verify deletion successful: ipa hbacsvc-show service-name should return not found error.
Case Mismatch Between HBAC Service and PAM Configuration
Symptom: HBAC service defined as “SSH” but authentication fails. PAM configuration uses lowercase “ssh” resulting in service name mismatch.
Diagnosis: Check exact PAM service name on target system: ls /etc/pam.d/ | grep -i ssh. Review HBAC service name in IPA: ipa hbacsvc-show SSH vs ipa hbacsvc-show ssh. Test which service name is actually being evaluated: review SSSD logs showing service name used during authentication attempt.
Resolution: Delete incorrectly-cased service: ipa hbacsvc-del SSH. Create service matching exact PAM configuration case: ipa hbacsvc-add ssh --desc="SSH service". Update HBAC rules to use correctly-cased service. Alternatively, rename PAM configuration to match HBAC service (not recommended; better to match HBAC to PAM). Establish naming convention requiring lowercase service names. Document case sensitivity in procedures. Test authentication after correction.
Built-in Service Name Conflicts with Custom Requirements
Symptom: Need to create HBAC service but built-in service with same name exists and has different description or purpose than needed.
Diagnosis: Identify that service is built-in: built-in services cannot be deleted or renamed. Review built-in service configuration: ipa hbacsvc-show service-name --all. Determine if built-in service can serve intended purpose despite different description. Check if PAM configuration can be adjusted to use different service name.
Resolution: Use built-in service for HBAC rules if functionality matches despite description differences. Update built-in service description if needed: ipa hbacsvc-mod service-name --desc="Updated description". If built-in service cannot be used, configure PAM to use alternative service name and create custom HBAC service: rename /etc/pam.d/service-name to /etc/pam.d/custom-name. Document why built-in service not used. Consider if conflict indicates misunderstanding of service purpose.
Service Modification Not Replicating to All Servers
Symptom: Service description or attributes modified on one IPA server but changes not visible on other replicas.
Diagnosis: Check replication status: ipa-replica-manage list for replication errors. Verify modification on source server: ipa hbacsvc-show service-name on server where modification was made. Compare with other replicas: run same command on each replica server. Review replication lag: check if simply a timing issue vs actual replication failure.
Resolution: Wait for replication to complete: typically 30-60 seconds for small changes. Force replication if needed: ipa-replica-manage force-sync --from=source.example.com. Verify replication health: ipa-replica-manage list should show all agreements healthy. Check for replication conflicts: ldapsearch -Y GSSAPI -b "dc=example,dc=com" "(nsds5ReplConflict=*)" and resolve. Restart IPA services on affected replica if replication stuck: ipactl restart. Monitor for recurring replication issues requiring deeper investigation.
Service Referenced in HBAC Rule Not Found During Evaluation
Symptom: HBAC rule shows service as member but hbactest or actual authentication reports service not found or not evaluated.
Diagnosis: Verify service actually exists: ipa hbacsvc-show service-name on IPA server. Check if service name in rule matches exact service name: case and spelling. Review hbactest output for specific error about service. Check SSSD cache on client: may have stale data.
Resolution: Verify exact service name in HBAC rule: ipa hbacrule-show rule-name and compare service names to ipa hbacsvc-find. Remove and re-add service to rule if name mismatch: ipa hbacrule-remove-service rule-name --hbacsvcs=old-name && ipa hbacrule-add-service rule-name --hbacsvcs=correct-name. Clear SSSD cache on clients: sss_cache -E && systemctl restart sssd. Force replication to ensure service definition propagated: ipa-replica-manage force-sync. Test again with hbactest after corrections: ipa hbactest --user=username --host=hostname --service=service-name.
Unable to View Service Due to Permission Restrictions
Symptom: Running hbacsvc-show fails with insufficient access or permission denied errors for specific service.
Diagnosis: Verify user authentication: klist to check valid Kerberos ticket. Check user’s group memberships and roles: ipa user-show $(whoami) --all. Test if issue is specific to one service or all services. Test with admin account to isolate permission vs service existence issue.
Resolution: Authenticate if no valid ticket: kinit username. For service viewing, most authenticated users should have read access. If permission denied, check if custom ACIs restrict access: ipa permission-find --type=hbacsvc. Use admin account if privileged access needed: kinit admin. Verify service actually exists: may get permission error if service name is wrong. Check for SELinux denials: ausearch -m AVC -ts recent | grep hbac. Contact IPA administrators if custom permissions are blocking legitimate access needs.