Bug 678091

Summary: SSSD in 6.0 can not locate HBAC rules from FreeIPAv2
Product: Red Hat Enterprise Linux 6 Reporter: Stephen Gallagher <sgallagh>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.0CC: benl, grajaiya, jgalipea, prc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.5.1-6.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 678092 (view as bug list) Environment:
Last Closed: 2011-05-19 11:39:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 678092    

Description Stephen Gallagher 2011-02-16 17:20:16 UTC 
Description of problem:
SSSD shipped in 6.0 with the expectation that HBAC rules would be stored in the cn=account subtree of FreeIPAv2. However, the final version of the schema stores them in cn=hbac instead. So right now, there are no rules accepted (which means denial of all)

Version-Release number of selected component (if applicable):
sssd-1.2.1-28.el6_0.4

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA v2 server with one or more HBAC rules
2. Point an SSSD client at this server, with access_provider=ipa
  
Actual results:
User is always denied

Expected results:
Denial/permission should be based on the access control rules

Additional info:
Comment 4 Jenny Severance 2011-03-01 15:57:45 UTC 
Verified

server
ipa-server-2.0.0-13.el6.x86_64

client:
ipa-client-2.0.0-13.el6.x86_64
sssd-1.5.1-10.el6.x86_64

[root@ipaqavmh ~]# ipa hbacrule-show testdenyssh
  Rule name: testdenyssh
  Rule type: deny
  Source host category: all
  Description: test deny
  Enabled: TRUE
  Users: mmouse
  Hosts: ipaqavmh.rhts.eng.bos.redhat.com
  Services: sshd


Mar  1 10:04:21 ipaqavmh sshd[13984]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=hp-dl180g6-01.rhts.eng.bos.redhat.com user=mmouse
Mar  1 10:04:21 ipaqavmh sshd[13984]: pam_sss(sshd:account): Access denied for
user mmouse: 6 (Permission denied
Comment 5 errata-xmlrpc 2011-05-19 11:39:47 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 6 errata-xmlrpc 2011-05-19 13:09:36 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html