Bug 741751

| Field | Value |
|---|---|
| Summary | HBAC rule evaluation does not properly handle host groups |
| Product | Red Hat Enterprise Linux 6 |
| Component | sssd |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Version | 6.2 |
| Target Milestone | rc |
| Target Release | 6.2 |
| Hardware | All |
| OS | Linux |
| Reporter | Stephen Gallagher <sgallagh> |
| Assignee | Stephen Gallagher <sgallagh> |
| QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| CC | dpal, grajaiya, jgalipea, jhrozek, prc, syeghiay |
| Fixed In Version | sssd-1.5.1-53.el6 |
| Doc Type | Bug Fix |
| Doc Text | Do not document |
| Clone Of | |
| | 748883 |
| Last Closed | 2011-12-06 16:40:16 UTC |
| Bug Blocks | 741767, 748883 |

Description
Stephen Gallagher
2011-09-27 19:58:15 UTC
Upstream ticket: https://fedorahosted.org/sssd/ticket/1018

Server:

```
[root@bumblebee ~]# ipa hostgroup-find
-------------------
1 hostgroup matched
-------------------
Host-group: hostgrp1
Description: test
Member hosts: mudflap.lab.eng.pnq.redhat.com
----------------------------
[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Source host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: FALSE

Rule name: rule1
Enabled: TRUE
Groups: ipausers
Hosts: bumblebee.lab.eng.pnq.redhat.com
Source host groups: hostgrp1
Services: sshd
----------------------------
```

Client:

```
[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks.eng.pnq.redhat.com's password:
Last login: Thu Oct 6 07:40:33 2011 from mudflap.lab.eng.pnq.redhat.com
```

Server:

```
[root@bumblebee ~]# ipa hbacrule-disable rule1
--------------------------
Disabled HBAC rule "rule1"
--------------------------
[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Source host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: FALSE

Rule name: rule1
Enabled: FALSE
Groups: ipausers
Hosts: bumblebee.lab.eng.pnq.redhat.com
Source host groups: hostgrp1
Services: sshd
----------------------------
```

Client:

```
[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks.eng.pnq.redhat.com's password:
Connection closed by 10.65.201.64
```

Verified.

```
ipa-server-2.1.1-4.el6.x86_64
sssd-1.5.1-53.el6.x86_64
```

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Do not document

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html