[root@rasalghul ~]# ipa group-show ext_test --all
  dn: cn=ext_test,cn=groups,cn=accounts,dc=ipalab,dc=qe
  Group name: ext_test
  Description: External test group
  Member of groups: local_ipa_group
  Indirect Member of HBAC rule: fuser_sshd
  ipaexternalmember: S-1-5-21-3655990580-1375374850-1633065477-1104, S-1-5-21-3655990580-1375374850-1633065477-1106, S-1-5-21-3655990580-1375374850-1633065477-513
  ipauniqueid: b022c278-dfd4-11e1-990d-525400f8a02f
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup
[root@rasalghul ~]# ipa group-show local_ipa_group
  Group name: local_ipa_group
  Description: Local IPA Group
  GID: 592000004
  Member groups: ext_test
  Member of HBAC rule: fuser_sshd
[root@rasalghul ~]# ipa hbacsvcgroup-show sshders
  Service group name: sshders
  Description: Default group for ssh
  Member HBAC service: sshd
[root@rasalghul ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: fuser_sshd
  Host category: all
  Source host category: all
  Enabled: TRUE
  User Groups: local_ipa_group
  Service Groups: sshders
----------------------------
Number of entries returned 2
----------------------------
[root@rasalghul ~]# ipa hbactest
User name: S-1-5-21-3655990580-1375374850-1633065477-513
Target host: rasalghul.ipalab.qe
Service: sshd
---------------------
Access granted: False
---------------------
  Not matched rules: fuser_sshd
[root@rasalghul ~]# ipa hbactest
User name: S-1-5-21-3655990580-1375374850-1633065477-1104
Target host: rasalghul.ipalab.qe
Service: sshd
---------------------
Access granted: False
---------------------
  Not matched rules: fuser_sshd
[root@rasalghul ~]# rpm -qa | grep freeipa-server
freeipa-server-selinux-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
freeipa-server-trust-ad-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
freeipa-server-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
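To make the reported mismatch reproducible without a live IPA server, here is an added Python model of HBAC evaluation for exactly the setup shown above (example code, not FreeIPA's own evaluator). Group, rule and service names and the SIDs come from the ipa output; the `resolve_external` switch is an assumption standing in for whether the evaluator expands `ipaexternalmember` SIDs into nested group membership, which is what separates the "Access granted: False" hbactest result from the login behaviour the reporter says works.

```python
# Added example (not FreeIPA code): a minimal model of HBAC evaluation for the
# setup in this ticket. Names and SIDs come from the ipa output above;
# resolve_external is an assumed switch for expanding ipaexternalmember SIDs.
from typing import Dict, List, Set

# Native IPA user members per group (constructed: the ticket shows none).
USER_MEMBERS: Dict[str, Set[str]] = {"ext_test": set(), "local_ipa_group": set()}
# AD SIDs held in the external group's ipaexternalmember attribute.
EXTERNAL_MEMBERS: Dict[str, Set[str]] = {"ext_test": {
    "S-1-5-21-3655990580-1375374850-1633065477-1104",
    "S-1-5-21-3655990580-1375374850-1633065477-1106",
    "S-1-5-21-3655990580-1375374850-1633065477-513"}}
# Nested membership: parent group -> member groups.
MEMBER_GROUPS: Dict[str, Set[str]] = {"local_ipa_group": {"ext_test"}}
SERVICE_GROUPS: Dict[str, Set[str]] = {"sshders": {"sshd"}}
# Host category is "all" in both rules, so hosts are not modelled here.
RULES: List[dict] = [
    {"name": "allow_all", "enabled": False, "usercat": "all",
     "servicecat": "all", "usergroups": set(), "servicegroups": set()},
    {"name": "fuser_sshd", "enabled": True, "usercat": None,
     "servicecat": None, "usergroups": {"local_ipa_group"},
     "servicegroups": {"sshders"}},
]

def groups_of(user: str, resolve_external: bool) -> Set[str]:
    """Direct plus indirect (nested) groups of an IPA user or AD SID."""
    found = {g for g, m in USER_MEMBERS.items() if user in m}
    if resolve_external:
        found |= {g for g, m in EXTERNAL_MEMBERS.items() if user in m}
    pending = list(found)
    while pending:  # climb to parent groups until no new group appears
        child = pending.pop()
        for parent, kids in MEMBER_GROUPS.items():
            if child in kids and parent not in found:
                found.add(parent)
                pending.append(parent)
    return found

def matching_rules(user: str, service: str, resolve_external: bool) -> List[str]:
    """Enabled rules that grant user access to service (hbactest's matched rules)."""
    matched = []
    for r in RULES:
        if not r["enabled"]:
            continue
        user_ok = r["usercat"] == "all" or bool(
            groups_of(user, resolve_external) & r["usergroups"])
        svcs = set().union(*(SERVICE_GROUPS[g] for g in r["servicegroups"]))
        if user_ok and (r["servicecat"] == "all" or service in svcs):
            matched.append(r["name"])
    return matched
```

With `resolve_external=False` the SID never reaches local_ipa_group and fuser_sshd is reported as not matched, which is the hbactest output above; with it set to True the same SID matches through ext_test.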
Can you test to see if these rules actually work when logging into a system?
IPA should be using the same evaluation library as sssd, so this may be an sssd bug.
Replying to [comment:1 rcritten]:
> Can you test to see if these rules actually work when logging into a system?
> IPA should be using the same evaluation library as sssd, so this may be an sssd bug.

The rules work, it's only the hbac test that is not evaluating correctly.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=848531
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=848532
attachment freeipa-mkosek-354-add-support-for-ad-users-to-hbactest-command.patch
Patch freeipa-mkosek-354-add-support-for-ad-users-to-hbactest-command.patch sent for review
master:
b8079f9 Fix hbachelp examples formatting
85d16ad Add support for AD users to hbactest command
d79aac8 Do not hide SID resolver error in group-add-member
e60e80e Generalize AD GC search

ipa-3-1:
2f52d04 Fix hbachelp examples formatting
0946e6f Add support for AD users to hbactest command
7a01ecb Do not hide SID resolver error in group-add-member
406d929 Generalize AD GC search
Rename "trusts" component to "Trusts" to achieve correct sorting.
Metadata Update from @steeve:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/02