Bug 736276

Summary: ipa hbactest fails if sourcehost is external.
Product: Red Hat Enterprise Linux 6 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: benl, dpal, jgalipea, mkosek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.1.2-1.el6 Doc Type: Bug Fix
Doc Text:
Do not document
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 18:30:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gowrishankar Rajaiyan 2011-09-07 08:59:59 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.0-105.20110905T0552zgit5d9756d.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create an hbacrule as:
# ipa hbacrule-show rule2 --all
  dn: ipauniqueid=bcc94bbe-d91d-11e0-aafb-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  accessruletype: allow
  ipauniqueid: bcc94bbe-d91d-11e0-aafb-525400deab7b
  objectclass: ipaassociation, ipahbacrule

2. Add external host as source host.
ipa hbacrule-add-sourcehost rule2 --hosts=external.lab.eng.pnq.redhat.com

3. # ipa hbacrule-show rule2 --all
  dn: ipauniqueid=bcc94bbe-d91d-11e0-aafb-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
  accessruletype: allow
  ipauniqueid: bcc94bbe-d91d-11e0-aafb-525400deab7b
  objectclass: ipaassociation, ipahbacrule

4. ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
  
Actual results:
# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
---------------------
Access granted: False
---------------------
  notmatched: rule2


Expected results:
# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
---------------------
Access granted: True
---------------------
  matched: rule2

Additional info:

Comment 2 Martin Kosek 2011-09-07 10:11:37 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1763

Comment 4 Gowrishankar Rajaiyan 2011-09-27 06:30:33 UTC
*** Bug 740860 has been marked as a duplicate of this bug. ***

Comment 7 Gowrishankar Rajaiyan 2011-10-08 13:04:35 UTC
[root@bumblebee ~]#  ipa hbacrule-show rule2 --all
  dn: ipauniqueid=6610ff46-f1e2-11e0-b1e8-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source Hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  accessruletype: allow
  ipauniqueid: 6610ff46-f1e2-11e0-b1e8-525400deab7b
  objectclass: ipaassociation, ipahbacrule
[root@bumblebee ~]# 

[root@bumblebee ~]# ipa hbacrule-add-sourcehost rule2 --hosts=external.lab.eng.pnq.redhat.com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source Hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
-------------------------
Number of members added 1
-------------------------

[root@bumblebee ~]# ipa hbacrule-show rule2 --all
  dn: ipauniqueid=6610ff46-f1e2-11e0-b1e8-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source Hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
  accessruletype: allow
  ipauniqueid: 6610ff46-f1e2-11e0-b1e8-525400deab7b
  objectclass: ipaassociation, ipahbacrule
[root@bumblebee ~]# 

[root@bumblebee ~]# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
--------------------
Access granted: True
--------------------
  matched: rule2
[root@bumblebee ~]# 


Verified.
[root@bumblebee ~]# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.2                             Vendor: Red Hat, Inc.
Release     : 2.el6                         Build Date: Fri 07 Oct 2011 05:09:04 PM EDT
Install Date: Sat 08 Oct 2011 07:36:33 AM EDT      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.2-2.el6.src.rpm
Size        : 3363225                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 8 Martin Kosek 2011-11-01 13:18:35 UTC
hbactest is post-6.1 feature.

Comment 9 Martin Kosek 2011-11-01 13:18:35 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 10 errata-xmlrpc 2011-12-06 18:30:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html