Bug 732996
Summary: | Access denied by HBAC rules while using the default ftp hbac service. | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Gowrishankar Rajaiyan <grajaiya> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.2 | CC: | benl, jgalipea, mkosek |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-2.1.1-1.el6 | Doc Type: | Bug Fix |
Doc Text: |
Do not document
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2011-12-06 18:30:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Gowrishankar Rajaiyan
2011-08-24 12:18:49 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1703 fixed upstream. Added new HBAC service for vsftpd as well as a few other ftp servers available, and created a hbac service group for ftp master: a6b3309fe6a4767cab620a5b74d38db68880185f ipa-2-1: 40c60c89efb9723edbe4394080b1f5c080cabacf Server: [root@bumblebee ~]# ipa hostgroup-show hostgrp1 Host-group: hostgrp1 Description: test Member hosts: mudflap.lab.eng.pnq.redhat.com [root@bumblebee ~]# ipa hbacsvcgroup-show ftp Service group name: ftp Description: Default group of ftp related services Member HBAC service: ftp, proftpd, pure-ftpd, gssftp, vsftpd [root@bumblebee ~]# ipa hbacrule-find -------------------- 2 HBAC rules matched -------------------- Rule name: allow_all User category: all Host category: all Source host category: all Service category: all Description: Allow all users to access any host from any host Enabled: FALSE Rule name: rule1 Enabled: TRUE Groups: ipausers Hosts: bumblebee.lab.eng.pnq.redhat.com Source host groups: hostgrp1 Service Groups: ftp ---------------------------- Client: [root@mudflap ~]# ftp bumblebee.lab.eng.pnq.redhat.com Connected to bumblebee.lab.eng.pnq.redhat.com (10.65.201.64). 220 (vsFTPd 2.2.2) Name (bumblebee.lab.eng.pnq.redhat.com:root): shanks 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> Server: [root@bumblebee ~]# ipa hbacrule-find -------------------- 2 HBAC rules matched -------------------- Rule name: allow_all User category: all Host category: all Source host category: all Service category: all Description: Allow all users to access any host from any host Enabled: FALSE Rule name: rule1 Enabled: FALSE Groups: ipausers Hosts: bumblebee.lab.eng.pnq.redhat.com Source host groups: hostgrp1 Service Groups: ftp ---------------------------- Client: [root@mudflap ~]# ftp bumblebee.lab.eng.pnq.redhat.com Connected to bumblebee.lab.eng.pnq.redhat.com (10.65.201.64). 220 (vsFTPd 2.2.2) Name (bumblebee.lab.eng.pnq.redhat.com:root): shanks 331 Please specify the password. Password: 530 Login incorrect. Login failed. ftp> q /var/log/secure: Oct 6 13:22:17 bumblebee vsftpd[9285]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=shanks rhost=mudflap.lab.eng.pnq.redhat.com user=shanks Oct 6 13:22:18 bumblebee vsftpd[9285]: pam_sss(vsftpd:auth): authentication success; logname= uid=0 euid=0 tty=ftp ruser=shanks rhost=mudflap.lab.eng.pnq.redhat.com user=shanks Oct 6 13:22:18 bumblebee vsftpd[9285]: pam_sss(vsftpd:account): Access denied for user shanks: 6 (Permission denied) Verified: ipa-server-2.1.1-4.el6.x86_64 sssd-1.5.1-53.el6.x86_64 Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Do not document Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html |