#2997 hbactest does not work with trusted users
Closed: Fixed. Opened 11 years ago by steeve.

[root@rasalghul ~]# ipa group-show ext_test --all
  dn: cn=ext_test,cn=groups,cn=accounts,dc=ipalab,dc=qe
  Group name: ext_test
  Description: External test group
  Member of groups: local_ipa_group
  Indirect Member of HBAC rule: fuser_sshd
  ipaexternalmember: S-1-5-21-3655990580-1375374850-1633065477-1104,
                     S-1-5-21-3655990580-1375374850-1633065477-1106,
                     S-1-5-21-3655990580-1375374850-1633065477-513
  ipauniqueid: b022c278-dfd4-11e1-990d-525400f8a02f
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

[root@rasalghul ~]# ipa group-show local_ipa_group
  Group name: local_ipa_group
  Description: Local IPA Group
  GID: 592000004
  Member groups: ext_test
  Member of HBAC rule: fuser_sshd

[root@rasalghul ~]# ipa hbacsvcgroup-show sshders
  Service group name: sshders
  Description: Default group for ssh
  Member HBAC service: sshd

[root@rasalghul ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: fuser_sshd
  Host category: all
  Source host category: all
  Enabled: TRUE
  User Groups: local_ipa_group
  Service Groups: sshders
----------------------------
Number of entries returned 2
----------------------------

[root@rasalghul ~]# ipa hbactest
User name: S-1-5-21-3655990580-1375374850-1633065477-513
Target host: rasalghul.ipalab.qe
Service: sshd
---------------------
Access granted: False
---------------------
  Not matched rules: fuser_sshd

[root@rasalghul ~]# ipa hbactest
User name: S-1-5-21-3655990580-1375374850-1633065477-1104
Target host: rasalghul.ipalab.qe
Service: sshd
---------------------
Access granted: False
---------------------
  Not matched rules: fuser_sshd

[root@rasalghul ~]# rpm -qa | grep freeipa-server
freeipa-server-selinux-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
freeipa-server-trust-ad-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
freeipa-server-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
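
The evaluation the ticket expects, as an added example that is not FreeIPA's or SSSD's own code: the SID appears in ext_test's ipaexternalmember, ext_test is nested in local_ipa_group, and fuser_sshd grants sshd (via sshders) to that group. All data is transcribed from the output above; the evaluator is a constructed approximation, and hosts are not modelled because both rules use a host category of all.

```python
# Added example, not FreeIPA's own code: a minimal model of HBAC evaluation
# that resolves an AD user's SID through ipaexternalmember and nested group
# membership, the path hbactest skipped for trusted users in this ticket.
# Data is transcribed from the ticket; the evaluator is an approximation.

# Group name -> (SIDs listed in ipaexternalmember, nested member groups)
GROUPS = {
    "ext_test": ({"S-1-5-21-3655990580-1375374850-1633065477-1104",
                  "S-1-5-21-3655990580-1375374850-1633065477-1106",
                  "S-1-5-21-3655990580-1375374850-1633065477-513"}, set()),
    "local_ipa_group": (set(), {"ext_test"}),
}
SERVICE_GROUPS = {"sshders": {"sshd"}}
# Host and source-host categories are 'all' in both rules, so hosts are
# not modelled here (assumption that keeps the example small).
RULES = [
    {"name": "allow_all", "enabled": False, "usercat": "all",
     "servicecat": "all", "usergroups": set(), "servicegroups": set()},
    {"name": "fuser_sshd", "enabled": True, "usercat": None,
     "servicecat": None, "usergroups": {"local_ipa_group"},
     "servicegroups": {"sshders"}},
]

def groups_of_sid(sid):
    """Every IPA group the SID belongs to, directly or via nesting."""
    found = {g for g, (ext, _) in GROUPS.items() if sid in ext}
    frontier = list(found)
    while frontier:  # walk upward: a member group's parents are memberships too
        child = frontier.pop()
        for parent, (_, members) in GROUPS.items():
            if child in members and parent not in found:
                found.add(parent)
                frontier.append(parent)
    return found

def hbactest(sid, service):
    """Return (granted, matched_rules, not_matched_rules) over enabled rules."""
    user_groups = groups_of_sid(sid)
    matched, not_matched = [], []
    for rule in RULES:
        if not rule["enabled"]:
            continue  # disabled rules are ignored, as in the ticket's output
        user_ok = rule["usercat"] == "all" or bool(rule["usergroups"] & user_groups)
        svc_ok = rule["servicecat"] == "all" or any(
            service in SERVICE_GROUPS.get(sg, set()) for sg in rule["servicegroups"])
        (matched if user_ok and svc_ok else not_matched).append(rule["name"])
    return bool(matched), matched, not_matched
```

With this membership resolution the two SIDs from the ticket match fuser_sshd for sshd, which is the result the reporter saw at real logins but not from hbactest.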

Can you test to see if these rules actually work when logging into a system?

IPA should be using the same evaluation library as sssd, so this may be an sssd bug.

Replying to [comment:1 rcritten]:

Can you test to see if these rules actually work when logging into a system?

IPA should be using the same evaluation library as sssd, so this may be an sssd bug.
The rules work; it's only the hbac test that is not evaluating correctly.

Patch freeipa-mkosek-354-add-support-for-ad-users-to-hbactest-command.patch sent for review.

master:
b8079f9 Fix hbachelp examples formatting
85d16ad Add support for AD users to hbactest command
d79aac8 Do not hide SID resolver error in group-add-member
e60e80e Generalize AD GC search

ipa-3-1:
2f52d04 Fix hbachelp examples formatting
0946e6f Add support for AD users to hbactest command
7a01ecb Do not hide SID resolver error in group-add-member
406d929 Generalize AD GC search

Rename "trusts" component to "Trusts" to achieve correct sorting.

Metadata Update from @steeve:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/02

7 years ago