https://bugzilla.redhat.com/show_bug.cgi?id=732996
Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64

How reproducible:

Steps to Reproduce:
1. By default we have ftp as one of the services.

# ipa hbacsvc-show ftp --all
  dn: cn=ftp,cn=hbacservices,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service name: ftp
  Description: ftp
  ipauniqueid: 982c8bec-cd6d-11e0-b011-525400deab7b
  objectclass: ipahbacservice, ipaobject

2. However, using this service in a hbacrule fails since the service that we look for from the ipa-client is "service: vsftpd".

Actual results:
<snip>
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler] (4): Got request with the following data
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): domain: lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): user: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): service: vsftpd <<<<<<<<<<<<
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): tty: ftp
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): ruser: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): rhost: ironhide.lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): authtok type: 1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): authtok size: 10
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): newauthtok type: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): newauthtok size: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): priv: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): cli_pid: 11265
</snip>

and

[ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules

Expected results:
like we have for ssh:

# ipa hbacsvc-show sshd --all
  dn: cn=sshd,cn=hbacservices,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service name: sshd
  Description: sshd
  ipauniqueid: 982b3eb8-cd6d-11e0-ad6e-525400deab7b
  objectclass: ipahbacservice, ipaobject

we should have vsftpd service instead of ftp.

Additional info:
Adding hbac service name as "Service name: vsftpd" works as expected.
attachment freeipa-rcrit-854-ftp.patch
Note that the service ftp isn't wrong; the ftp server in RHEL just doesn't use that as its PAM service name. What we needed to do was add a PAM service for vsftpd.
master: a6b3309
ipa-2-1: 40c60c8
Metadata Update from @mkosek: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.1.1 (bug fixing)
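The mismatch discussed in this ticket can be checked from the SSSD backend log. The following is an added example, not code from FreeIPA or SSSD: it groups `pam_print_data` lines into requests and lists PAM service names that have no HBAC service entry. The function names and the sample log are constructed here, and it assumes the lines of one request are contiguous in the log.

```python
import re

# Constructed sample in the log format quoted in the ticket (shortened).
P = "(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] "
SAMPLE_LOG = "\n".join(P + s for s in [
    "[be_pam_handler] (4): Got request with the following data",
    "[pam_print_data] (4): command: PAM_AUTHENTICATE",
    "[pam_print_data] (4): user: user1",
    "[pam_print_data] (4): service: vsftpd",
    "[pam_print_data] (4): rhost: ironhide.lab.eng.pnq.redhat.com",
    "[ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules",
    "[be_pam_handler] (4): Got request with the following data",
    "[pam_print_data] (4): user: user1",
    "[pam_print_data] (4): service: sshd",
])

# Matches "[function] (level): message" at the end of each log line.
ENTRY = re.compile(r"\[(\w+)\] \(\d+\): (.*)$")

def parse_requests(log):
    """Group sssd backend log lines into one dict per PAM request."""
    requests = []
    for line in log.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        func, msg = m.groups()
        if func == "be_pam_handler" and msg.startswith("Got request"):
            requests.append({"denied": False})
        elif not requests:
            continue  # data line seen before any request header
        elif func == "pam_print_data":
            key, _, value = msg.partition(": ")
            requests[-1][key] = value
        elif func == "ipa_hbac_evaluate_rules" and "Access denied" in msg:
            requests[-1]["denied"] = True
    return requests

def missing_hbac_services(requests, hbac_services):
    """PAM service names seen in requests that have no HBAC service entry."""
    seen = {r["service"] for r in requests if "service" in r}
    return sorted(seen - set(hbac_services))

if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_LOG)
    # HBAC service names as in the ticket before the fix: ftp and sshd.
    for svc in missing_hbac_services(reqs, {"ftp", "sshd"}):
        users = sorted({r["user"] for r in reqs if r.get("service") == svc})
        print(f"PAM service {svc!r} has no HBAC service entry; users: {users}")
```

The set passed as `hbac_services` would come from the service names defined on the server, for example the `Service name:` values shown by `ipa hbacsvc-show`.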