https://bugzilla.redhat.com/show_bug.cgi?id=736276
Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.0-105.20110905T0552zgit5d9756d.el6.x86_64

How reproducible:
Always

Steps to Reproduce:

1. Create an hbacrule as:

    # ipa hbacrule-show rule2 --all
      dn: ipauniqueid=bcc94bbe-d91d-11e0-aafb-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
      Rule name: rule2
      Enabled: TRUE
      Users: shanks
      Hosts: bumblebee.lab.eng.pnq.redhat.com
      Source hosts: mudflap.lab.eng.pnq.redhat.com
      Services: vsftpd
      accessruletype: allow
      ipauniqueid: bcc94bbe-d91d-11e0-aafb-525400deab7b
      objectclass: ipaassociation, ipahbacrule

2. Add external host as source host.

    ipa hbacrule-add-sourcehost rule2 --hosts=external.lab.eng.pnq.redhat.com

3. Show the rule again:

    # ipa hbacrule-show rule2 --all
      dn: ipauniqueid=bcc94bbe-d91d-11e0-aafb-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
      Rule name: rule2
      Enabled: TRUE
      Users: shanks
      Hosts: bumblebee.lab.eng.pnq.redhat.com
      Source hosts: mudflap.lab.eng.pnq.redhat.com
      Services: vsftpd
      External host: external.lab.eng.pnq.redhat.com
      accessruletype: allow
      ipauniqueid: bcc94bbe-d91d-11e0-aafb-525400deab7b
      objectclass: ipaassociation, ipahbacrule

4. Test the rule:

    ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2

Actual results:

    # ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
    ---------------------
    Access granted: False
    ---------------------
      notmatched: rule2

Expected results:

    # ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
    ---------------------
    Access granted: True
    ---------------------
      matched: rule2

Additional info:
Depends on https://fedorahosted.org/sssd/ticket/990 (committed to SSSD master already, not released). Once SSSD with the fix is released, hbactest should start working automagically, as all decision-making is done on the SSSD side.
Patch posted for review
master: 261a41b
ipa-2-1: e77bc92
We missed a pylint false positive. Pushed as one-liner:
master: a40d4d4
ipa-2-1: 7c50d17
Metadata Update from @mkosek:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 2.1.2 (bug fixing)