#1703 Access denied by HBAC rules while using the default ftp hbac service.
Closed: Fixed None Opened 12 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=732996

Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64

How reproducible:


Steps to Reproduce:
1. By default we have ftp as one of the services.
# ipa hbacsvc-show ftp --all 
  dn: cn=ftp,cn=hbacservices,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service name: ftp
  Description: ftp
  ipauniqueid: 982c8bec-cd6d-11e0-b011-525400deab7b
  objectclass: ipahbacservice, ipaobject

2. However, using this service in a hbacrule fails since the service that we look for from the ipa-client is "service: vsftpd".

Actual results:

<snip>
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler] (4): Got request with the following data
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): domain: lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): user: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): service: vsftpd  <<<<<<<<<<<<
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): tty: ftp
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): ruser: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): rhost: ironhide.lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): authtok type: 1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): authtok size: 10
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): newauthtok type: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): newauthtok size: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): priv: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): cli_pid: 11265
</snip>

and

[ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules

Expected results:
like we have for ssh:
# ipa hbacsvc-show sshd --all 
  dn: cn=sshd,cn=hbacservices,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service name: sshd
  Description: sshd
  ipauniqueid: 982b3eb8-cd6d-11e0-ad6e-525400deab7b
  objectclass: ipahbacservice, ipaobject

we should have a vsftpd service instead of ftp.

Additional info:

Adding hbac service name as "Service name: vsftpd" works as expected.

Note that the service ftp isn't wrong, the ftp server in RHEL just doesn't use that as its pam service name. What we needed to do was add a pam service for vsftpd.
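The mismatch in this ticket (HBAC service `ftp` defined, PAM stack reporting `vsftpd`) is easy to spot in the SSSD debug output once the `pam_print_data` fields and the `ipa_hbac_evaluate_rules` verdict are read together. The following script is an added example, not code from the ticket or from FreeIPA/SSSD: it parses SSSD log lines of the format shown above into per-request records and lists any PAM service name that has no matching HBAC service, so an administrator can see which `ipa hbacsvc-add` is missing before touching rules. The sample log and the `HBAC_SERVICES` set are constructed for the example (the sshd request and its lack of a verdict line are invented; the vsftpd lines follow the ticket's output).

```python
import re
from collections import OrderedDict

# Matches the "key: value" payload of an SSSD pam_print_data debug line.
PAM_DATA_RE = re.compile(
    r"\[pam_print_data\] \(\d+\): (?P<key>[^:]+): (?P<value>.*?)\s*$"
)
# Matches the verdict line emitted by the IPA provider's HBAC evaluation.
HBAC_VERDICT_RE = re.compile(
    r"\[ipa_hbac_evaluate_rules\] \(\d+\): (?P<verdict>.+?)\s*$"
)

# Constructed sample: one vsftpd request (denied, as in the ticket) and one
# sshd request with no verdict line. Not a verbatim log capture.
SAMPLE_LOG = """\
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): user: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): service: vsftpd
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): tty: ftp
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): rhost: ironhide.lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules
(Tue Aug 23 09:31:02 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Tue Aug 23 09:31:02 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): user: user1
(Tue Aug 23 09:31:02 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): service: sshd
"""

# Constructed: the default HBAC services present on the server in the ticket.
HBAC_SERVICES = {"ftp", "sshd"}


def parse_pam_requests(log_text):
    """Group SSSD debug lines into PAM requests.

    A new request starts at each 'command:' field; every later
    pam_print_data field and the next HBAC verdict line belong to it.
    """
    requests = []
    current = None
    for line in log_text.splitlines():
        m = PAM_DATA_RE.search(line)
        if m:
            key = m.group("key").strip()
            value = m.group("value").strip()
            if key == "command":
                current = {"command": value}
                requests.append(current)
            elif current is not None:
                current[key] = value
            continue
        m = HBAC_VERDICT_RE.search(line)
        if m and current is not None:
            current["hbac_verdict"] = m.group("verdict")
    return requests


def undefined_pam_services(requests, hbac_services):
    """Return PAM service names seen in the log with no HBAC service of
    that name, mapped to the verdict SSSD logged for them."""
    defined = {s.lower() for s in hbac_services}
    missing = OrderedDict()
    for req in requests:
        svc = req.get("service")
        if svc and svc.lower() not in defined:
            missing[svc] = req.get("hbac_verdict", "no HBAC verdict logged")
    return missing


def suggested_fix(service):
    """The administrative fix the ticket describes: define an HBAC service
    whose name equals the PAM service name the daemon actually uses."""
    return 'ipa hbacsvc-add %s --desc="%s"' % (service, service)


if __name__ == "__main__":
    reqs = parse_pam_requests(SAMPLE_LOG)
    for svc, verdict in undefined_pam_services(reqs, HBAC_SERVICES).items():
        print("PAM service %r has no HBAC service (%s); try: %s"
              % (svc, verdict, suggested_fix(svc)))
```

Matching is case-insensitive because HBAC service names are compared that way on the client side; the verdict is carried along so a denied request is distinguishable from one that merely lacked a matching service definition at the time of the log. Once the `vsftpd` service exists, the same script run over a fresh log should report nothing.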

Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1.1 (bug fixing)

7 years ago
