| Summary: | HBAC rule evaluation does not properly handle host groups | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Stephen Gallagher <sgallagh> |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 6.2 | CC: | dpal, grajaiya, jgalipea, jhrozek, prc, syeghiay |
| Target Milestone: | rc | | |
| Target Release: | 6.2 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.5.1-53.el6 | Doc Type: | Bug Fix |
| Doc Text: | Do not document | Story Points: | --- |
| Clone Of: | | | |
| : | 748883 | Environment: | |
| Last Closed: | 2011-12-06 16:40:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 741767, 748883 | | |
Description
Stephen Gallagher
2011-09-27 19:58:15 UTC
Upstream ticket: https://fedorahosted.org/sssd/ticket/1018

Server:

    [root@bumblebee ~]# ipa hostgroup-find
    -------------------
    1 hostgroup matched
    -------------------
      Host-group: hostgrp1
      Description: test
      Member hosts: mudflap.lab.eng.pnq.redhat.com
    ----------------------------

    [root@bumblebee ~]# ipa hbacrule-find
    --------------------
    2 HBAC rules matched
    --------------------
      Rule name: allow_all
      User category: all
      Host category: all
      Source host category: all
      Service category: all
      Description: Allow all users to access any host from any host
      Enabled: FALSE

      Rule name: rule1
      Enabled: TRUE
      Groups: ipausers
      Hosts: bumblebee.lab.eng.pnq.redhat.com
      Source host groups: hostgrp1
      Services: sshd
    ----------------------------

Client:

    [root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
    shanks.eng.pnq.redhat.com's password:
    Last login: Thu Oct 6 07:40:33 2011 from mudflap.lab.eng.pnq.redhat.com

Server:

    [root@bumblebee ~]# ipa hbacrule-disable rule1
    --------------------------
    Disabled HBAC rule "rule1"
    --------------------------

    [root@bumblebee ~]# ipa hbacrule-find
    --------------------
    2 HBAC rules matched
    --------------------
      Rule name: allow_all
      User category: all
      Host category: all
      Source host category: all
      Service category: all
      Description: Allow all users to access any host from any host
      Enabled: FALSE

      Rule name: rule1
      Enabled: FALSE
      Groups: ipausers
      Hosts: bumblebee.lab.eng.pnq.redhat.com
      Source host groups: hostgrp1
      Services: sshd
    ----------------------------

Client:

    [root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
    shanks.eng.pnq.redhat.com's password:
    Connection closed by 10.65.201.64

Verified.

    ipa-server-2.1.1-4.el6.x86_64
    sssd-1.5.1-53.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Do not document
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html