Bug 678032

Summary: Remove HBAC time rules from SSSD
Product: Red Hat Enterprise Linux 5
Reporter: Stephen Gallagher <sgallagh>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent
Priority: urgent
Version: 5.6
CC: benl, grajaiya, jgalipea, jwest, nsoman, prc
Target Milestone: rc
Keywords: ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.5.1-7.el5
Doc Type: Bug Fix
Clone Of: 676401
Last Closed: 2011-07-21 08:10:49 UTC
Bug Depends On: 676401
Bug Blocks: 712137

Comment 2 Namita Soman 2011-05-13 18:24:25 UTC
verified using 
ipa-server-2.0.0-23.el6.x86_64
ipa-client-2.0-14.el5

steps:
# ipa hbacrule-add 
Rule name: denyssh
Rule type: deny
-------------------------
Added HBAC rule "denyssh"
-------------------------
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE

# ipa  hbacrule-add-host 
Rule name: denyssh
[host]: ipaqa64vma.testrelm
[hostgroup]: 
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Hosts: ipaqa64vma.testrelm
-------------------------
Number of members added 1
-------------------------

# ipa  hbacrule-add-user
Rule name: denyssh
[user]: one
[group]: 
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Users: one
  Hosts: ipaqa64vma.testrelm
-------------------------
Number of members added 1
-------------------------

# ipa  hbacrule-add-service
Rule name: denyssh
[hbacsvc]: sshd
[hbacsvcgroup]: 
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Users: one
  Hosts: ipaqa64vma.testrelm
  Services: sshd
-------------------------
Number of members added 1
-------------------------

Followed the same steps to add a rule allowssh:
# ipa hbacrule-show --all
Rule name: allowssh
  dn: ipauniqueid=0e6974f8-7d89-11e0-a2d2-021016980183,cn=hbac,dc=testrelm
  Rule name: allowssh
  Rule type: allow
  Source host category: all
  Enabled: TRUE
  Users: two
  Hosts: ipaqa64vma.testrelm
  Services: sshd
  ipauniqueid: 0e6974f8-7d89-11e0-a2d2-021016980183
  memberindirect: fqdn=ipaqa64vma.testrelm,cn=computers,cn=accounts,dc=testrelm, uid=two,cn=users,cn=accounts,dc=testrelm
  objectclass: ipaassociation, ipahbacrule

#ipa hbacrule-mod --srchostcat=all  allowssh

# ipa  hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

ssh one
one's password: 
Connection closed by 10.16.98.182

and user two could ssh successfully.
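The access decision the verification above exercises, written here as an added Python example (not part of the bug report, of FreeIPA or of SSSD): a rule set constructed from the transcript (denyssh, allowssh, and allow_all disabled) is evaluated for users one, two and an unlisted user, with deny precedence taken as an assumption from the observed result for user one; source-host category and the time rules this bug removes are not modelled.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class HbacRule:
    """One HBAC rule as `ipa hbacrule-show` prints it; a category of "all" matches anything."""
    name: str
    rule_type: str                       # "allow" or "deny"
    enabled: bool = True
    users: FrozenSet[str] = frozenset()
    hosts: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()
    user_category: str = ""              # "all" matches every user
    host_category: str = ""              # "all" matches every target host
    service_category: str = ""           # "all" matches every PAM service

    def matches(self, user: str, host: str, service: str) -> bool:
        """A disabled rule never matches; otherwise every dimension must match."""
        return (self.enabled
                and (self.user_category == "all" or user in self.users)
                and (self.host_category == "all" or host in self.hosts)
                and (self.service_category == "all" or service in self.services))

def evaluate(rules: List[HbacRule], user: str, host: str, service: str) -> Tuple[str, Optional[str]]:
    """Any matching deny wins, then any matching allow, else default deny.

    Deny precedence is an assumption taken from the observed behaviour for user "one".
    """
    matched = [r for r in rules if r.matches(user, host, service)]
    for r in matched:
        if r.rule_type == "deny":
            return "deny", r.name
    for r in matched:
        if r.rule_type == "allow":
            return "allow", r.name
    return "deny", None                  # nothing matched: default deny

def with_rule_enabled(rules: List[HbacRule], name: str) -> List[HbacRule]:
    """Copy of the rule set with one rule switched on (models `ipa hbacrule-enable`)."""
    return [replace(r, enabled=True) if r.name == name else r for r in rules]

# Constructed rule set mirroring the transcript: denyssh, allowssh and the disabled allow_all.
HOST = "ipaqa64vma.testrelm"
RULES = [
    HbacRule("denyssh", "deny", users=frozenset({"one"}), hosts=frozenset({HOST}), services=frozenset({"sshd"})),
    HbacRule("allowssh", "allow", users=frozenset({"two"}), hosts=frozenset({HOST}), services=frozenset({"sshd"})),
    HbacRule("allow_all", "allow", enabled=False, user_category="all", host_category="all", service_category="all"),
]
```

Re-enabling allow_all lets the unlisted user in again, but user one stays denied because the matching deny rule still wins.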

Comment 4 errata-xmlrpc 2011-07-21 08:10:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html