Bug 741767

Summary:	HBAC: typos preventing proper hostgroup evaluation
Product:	[Fedora] Fedora	Reporter:	Jr Aquino <jr.aquino>
Component:	sssd	Assignee:	Stephen Gallagher <sgallagh>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	15	CC:	dpal, jhrozek, sbose, sgallagh, ssorce
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	sssd-1.5.14-3.fc15	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-11-02 18:50:54 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Bug Depends On:	741751, 748883
Bug Blocks:

Description Jr Aquino 2011-09-27 20:17:13 UTC

Description of problem:
Two typos in sssd broke host group support in the HBAC rewrite.

Version-Release number of selected component (if applicable):
sssd-1.5

How reproducible:
100%

Steps to Reproduce:
1. Create FreeIPA hbacrule with a posixgroup and hostgroup.
2. Try to ssh into a host which is a member of the hostgroup
3. Authorization is denied
  
Actual results:
HBAC Rule doesn't match the host due to typos

Expected results:
HBAC Rule Permits the login

Additional info:

Comment 1 Dmitri Pal 2011-09-27 22:21:53 UTC

Can you provide an example of the typo? Is it the typo in the rule values on the server or something else?

Comment 2 Jr Aquino 2011-09-27 22:27:57 UTC

This is addressed by Stephen Gallagher's patch.  It just needs to make sure it finds its way up into Redhat for 5.x and 6.x fixes as it is a blocking issue.

The typo was looking in the wrong container for hbac hostgroups if I understand correctly.

From 52debcfac8f73629cd7ad3dabc428c3a6a652ba4 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh>
Date: Tue, 27 Sep 2011 15:04:33 -0400
Subject: [PATCH] HBAC: fix typos preventing proper hostgroup evaluation

---
 src/providers/ipa/ipa_hbac_common.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index a9be90b846d7b6ae2e8b59a6d4446294ca90d78a..97784c02c7d0cbf8bc061cdd1ee451d926522ca6 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -805,7 +805,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     struct ldb_message **msgs;
     const char *group_name;
     struct ldb_dn *host_dn;
-    const char *attrs[] = { IPA_HOST_FQDN, NULL };
+    const char *attrs[] = { IPA_CN, NULL };
     const char *host_filter;
 
     tmp_ctx = talloc_new(mem_ctx);
@@ -842,7 +842,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     }
 
     host_dn = sysdb_custom_dn(sysdb, tmp_ctx, domain->name,
-                             host->name, HBAC_SERVICES_SUBDIR);
+                             host->name, HBAC_HOSTS_SUBDIR);
     if (host_dn == NULL) {
         ret = ENOMEM;
         goto done;
@@ -867,7 +867,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
 
     for (i = 0; i < count; i++) {
         group_name = ldb_msg_find_attr_as_string(msgs[i],
-                                                 IPA_HOST_FQDN,
+                                                 IPA_CN,
                                                  NULL);
         if (group_name == NULL) {
             DEBUG(1, ("Group with no name?\n"));
-- 
1.7.6.2

Comment 3 Jakub Hrozek 2011-10-20 14:31:35 UTC

This was fixed upstream in https://fedorahosted.org/sssd/ticket/1018 and will be fixed in 1.5.14/1.6.2