Bug 741767

Summary: HBAC: typos preventing proper hostgroup evaluation
Product: [Fedora] Fedora
Reporter: Jr Aquino <jr.aquino>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 15
CC: dpal, jhrozek, sbose, sgallagh, ssorce
Hardware: All
OS: Linux
Fixed In Version: sssd-1.5.14-3.fc15
Doc Type: Bug Fix
Last Closed: 2011-11-02 14:50:54 EDT
Bug Depends On: 741751, 748883

Description Jr Aquino 2011-09-27 16:17:13 EDT
Description of problem:
Two typos in sssd broke host group support in the HBAC rewrite.

Version-Release number of selected component (if applicable):
sssd-1.5

How reproducible:
100%

Steps to Reproduce:
1. Create FreeIPA hbacrule with a posixgroup and hostgroup.
2. Try to ssh into a host which is a member of the hostgroup
3. Authorization is denied
  
Actual results:
HBAC Rule doesn't match the host due to typos

Expected results:
HBAC Rule Permits the login

Additional info:
Comment 1 Dmitri Pal 2011-09-27 18:21:53 EDT
Can you provide an example of the typo? Is it the typo in the rule values on the server or something else?
Comment 2 Jr Aquino 2011-09-27 18:27:57 EDT
This is addressed by Stephen Gallagher's patch. It just needs to make sure it finds its way up into Red Hat for 5.x and 6.x fixes as it is a blocking issue.

The typo was looking in the wrong container for hbac hostgroups if I understand correctly.

From 52debcfac8f73629cd7ad3dabc428c3a6a652ba4 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 27 Sep 2011 15:04:33 -0400
Subject: [PATCH] HBAC: fix typos preventing proper hostgroup evaluation

---
 src/providers/ipa/ipa_hbac_common.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index a9be90b846d7b6ae2e8b59a6d4446294ca90d78a..97784c02c7d0cbf8bc061cdd1ee451d926522ca6 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -805,7 +805,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     struct ldb_message **msgs;
     const char *group_name;
     struct ldb_dn *host_dn;
-    const char *attrs[] = { IPA_HOST_FQDN, NULL };
+    const char *attrs[] = { IPA_CN, NULL };
     const char *host_filter;
 
     tmp_ctx = talloc_new(mem_ctx);
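Review bot: the attribute requested in `attrs[]` has to be the one the loop further down reads back with `ldb_msg_find_attr_as_string(msgs[i], IPA_CN, NULL)`; asking for `IPA_HOST_FQDN` on hostgroup entries, which carry a `cn` rather than an fqdn, is what left `group_name` NULL for every group and made the rule unable to match. Since the two sites must agree, consider defining the attribute once (a single constant used both for the search and for the read) so they cannot drift apart again.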
@@ -842,7 +842,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     }
 
     host_dn = sysdb_custom_dn(sysdb, tmp_ctx, domain->name,
-                             host->name, HBAC_SERVICES_SUBDIR);
+                             host->name, HBAC_HOSTS_SUBDIR);
     if (host_dn == NULL) {
         ret = ENOMEM;
         goto done;
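Review bot: building `host_dn` under `HBAC_SERVICES_SUBDIR` points the membership lookup for `host->name` at the services subtree, so the search for the host's groups ran against the wrong container and, as the reporter saw, ended in a plain denial rather than an error; `HBAC_HOSTS_SUBDIR` is the right subtree. Because the only failure this code detects is `host_dn == NULL` (ENOMEM), a wrong-but-valid DN is invisible here, so a regression test that evaluates a rule carrying a hostgroup against a host that is a member of it would be the practical guard against a recurrence.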
@@ -867,7 +867,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
 
     for (i = 0; i < count; i++) {
         group_name = ldb_msg_find_attr_as_string(msgs[i],
-                                                 IPA_HOST_FQDN,
+                                                 IPA_CN,
                                                  NULL);
         if (group_name == NULL) {
             DEBUG(1, ("Group with no name?\n"));
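Review bot: this read is the second half of the first hunk's fix and must stay in lock-step with the `attrs[]` array; note that a NULL `group_name` is only reported at `DEBUG(1, ...)` with "Group with no name?", which is why the original typo surfaced as a denied ssh login instead of a loud error. Consider logging this case at a higher level, or counting and reporting skipped entries, so an attribute mismatch between the search and the read is noticed at once.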
-- 
1.7.6.2
Comment 3 Jakub Hrozek 2011-10-20 10:31:35 EDT
This was fixed upstream in https://fedorahosted.org/sssd/ticket/1018 and will be fixed in 1.5.14/1.6.2