Bug 2227133

Summary: 'ipa hbactest' shows result as 'False' for overridden trusted AD account despite correct HBAC rule in place.
Product: Red Hat Enterprise Linux 7
Reporter: Akshay Sakure <asakure>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: NEW
QA Contact: ipa-qe
Severity: medium
Priority: unspecified
Version: 7.9
CC: frenaud, rcritten, sbeal, tscherf
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Akshay Sakure 2023-07-28 05:46:47 UTC
Description of problem:
'ipa hbactest' shows result as 'False' for overridden trusted AD account despite correct HBAC rule in place.


Version-Release number of selected component (if applicable):
RHEL 7.9


How reproducible:
Always


Steps to Reproduce:
1. Set up IPA-AD trust

2. Configure HBAC rule in IPA for trusted AD user (by assigning it to IPA POSIX group)

3. For trusted AD account, override primary group name & gidNumber. 

4. On IPA client, run 'ipa hbactest' command to check access & it shows 
---
Access granted: False  <----
---

5. However, 'sssctl user-checks' shows success for the same trusted AD account.
---
testing pam_acct_mgmt
pam_acct_mgmt: Success  <----
---

   (Note that actual access to IPA client for trusted AD user still works fine based on the HBAC rule in place)


Actual results:

'ipa hbactest' command shows incorrect result:
---
Access granted: False
---


Expected results:

Ideally, 'ipa hbactest' command should show:
---
Access granted: True
---