Bug 798317

Summary: sssd crashes when ipa_hbac_support_srchost is set to true.
Product: Red Hat Enterprise Linux 6
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: grajaiya, jgalipea, prc
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.8.0-12.el6
Doc Type: Bug Fix
Doc Text: No technical note required
Last Closed: 2012-06-20 11:55:14 UTC
Attachments: sssd_lab.eng.pnq.redhat.com.log (flags: none)

Description Gowrishankar Rajaiyan 2012-02-28 15:57:15 UTC
Description of problem:
No crash is detected when it is set to false, which is the default, and authentication is successful as expected ([ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [rule1]) since srchost is set to ALL ([hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL). However, if you set this value to true, authentication hangs and an sssd crash is detected.

Version-Release number of selected component (if applicable):
sssd-1.8.0-4.el6.beta3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure ipa hbac rule as:
[root@rodimus ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: TRUE
  Users: shanks
  Hosts: primenova.lab.eng.pnq.redhat.com
  Source Hosts: bumblebee.lab.eng.pnq.redhat.com
  Services: sshd
----------------------------
Number of entries returned 2
----------------------------
[root@rodimus ~]# 


2. # hostname 
primenova.lab.eng.pnq.redhat.com

3. Configure sssd.conf as:
[root@primenova ~]# egrep -v ^# /etc/sssd/sssd.conf 
[domain/lab.eng.pnq.redhat.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, rodimus.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hbac_support_srchost = True
[sssd]
config_file_version = 2
services = nss, pam

domains = lab.eng.pnq.redhat.com
[nss]

[pam]


[root@primenova ~]# 

4. [root@primenova ~]# ssh -l shanks $HOSTNAME
shanks.eng.pnq.redhat.com's password: 
<hangs>

  
Actual results:
Feb 28 17:59:27 primenova kernel: sssd_be[17620]: segfault at 0 ip 0000003cab804510 sp 00007fff4513a5c8 error 6 in libtevent.so.0.9.8[3cab800000+9000]
Feb 28 17:59:28 primenova abrt[17631]: Saved core dump of pid 17620 (/usr/libexec/sssd/sssd_be) to /var/spool/abrt/ccpp-2012-02-28-17:59:27-17620 (22183936 bytes)

Expected results: No crash detected.

Additional info:
# gdb --core=/var/spool/abrt/ccpp-2012-02-28-17\:59\:27-17620/coredump /usr/libexec/sssd/sssd_be --quiet -ex "thread apply all bt full" -ex "quit"
Core was generated by `/usr/libexec/sssd/sssd_be --domain lab.eng.pnq.redhat.com --debug-to-files'.
Program terminated with signal 11, Segmentation fault.
#0  tevent_req_set_callback (req=0x0, fn=0x7f1b092ed440 <ipa_hostgroup_info_done>, pvt=0x169f9f0) at tevent_req.c:372
372		req->async.fn = fn;

Thread 1 (Thread 0x7f1b0f6dc700 (LWP 17620)):
#0  tevent_req_set_callback (req=0x0, fn=0x7f1b092ed440 <ipa_hostgroup_info_done>, pvt=0x169f9f0) at tevent_req.c:372
No locals.
#1  0x00007f1b092ecec2 in ipa_host_info_done (subreq=<value optimized out>) at src/providers/ipa/ipa_hosts.c:284
        ret = <value optimized out>
        req = 0x169f9f0
        state = 0x1680430
        host_dn = 0x7f1b093cdf48 "src/providers/ldap/sdap_async.c:1407"
        __FUNCTION__ = "ipa_host_info_done"
#2  0x00007f1b093130ae in sdap_get_generic_done (subreq=0x0) at src/providers/ldap/sdap_async.c:1415
        req = 0x1682250
        ret = <value optimized out>
        __FUNCTION__ = "sdap_get_generic_done"
#3  0x00007f1b093168d4 in sdap_get_generic_ext_done (op=<value optimized out>, reply=<value optimized out>, error=<value optimized out>, pvt=<value optimized out>)
    at src/providers/ldap/sdap_async.c:1307
        req = 0x167f260
        state = 0x16a0a60
        errmsg = 0x0
        result = 0
        ret = <value optimized out>
        lret = <value optimized out>
        total_count = 0
        cookie = {bv_len = 0, bv_val = 0x16823b0 ""}
        returned_controls = 0x167f6b0
        page_control = <value optimized out>
        __FUNCTION__ = "sdap_get_generic_ext_done"
#4  0x00007f1b0931b1f2 in sdap_process_message (ev=<value optimized out>, pvt=<value optimized out>) at src/providers/ldap/sdap_async.c:364
        msgtype = <value optimized out>
        ret = 0
        reply = 0x167f970
        op = 0x16a0d10
        msgid = <value optimized out>
#5  sdap_process_result (ev=<value optimized out>, pvt=<value optimized out>) at src/providers/ldap/sdap_async.c:207
        sh = <value optimized out>
        no_timeout = {tv_sec = 0, tv_usec = 0}
        te = <value optimized out>
        msg = 0x1675470
        ret = <value optimized out>
        __FUNCTION__ = "sdap_process_result"
#6  0x0000003cab8034e5 in tevent_common_loop_timer_delay (ev=0x163c4b0) at tevent_timed.c:254
        current_time = {tv_sec = 0, tv_usec = 0}
        te = 0x1691580
#7  0x0000003cab80531b in std_event_loop_once (ev=<value optimized out>, location=<value optimized out>) at tevent_standard.c:537
        std_ev = 0x163c570
        tval = {tv_sec = 0, tv_usec = 0}
#8  0x0000003cab8026d0 in _tevent_loop_once (ev=0x163c4b0, location=0x467063 "src/util/server.c:572") at tevent.c:490
        ret = <value optimized out>
        nesting_stack_ptr = 0x0
#9  0x0000003cab80273b in tevent_common_loop_wait (ev=0x163c4b0, location=0x467063 "src/util/server.c:572") at tevent.c:591
        ret = <value optimized out>
#10 0x00000000004402a3 in server_loop (main_ctx=0x163d620) at src/util/server.c:572
No locals.
#11 0x0000000000415366 in main (argc=<value optimized out>, argv=<value optimized out>) at src/providers/data_provider_be.c:2003
        opt = <value optimized out>
        pc = <value optimized out>
        be_domain = 0x163b400 "lab.eng.pnq.redhat.com"
        srv_name = <value optimized out>
        main_ctx = 0x163d620
        confdb_path = <value optimized out>
        ret = <value optimized out>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x671d60, val = 0, descrip = 0x45e87c "Help options:", argDescrip = 0x0}, {
            longName = 0x45e88a "debug-level", shortName = 100 'd', argInfo = 2, arg = 0x671e40, val = 0, descrip = 0x45e85b "Debug level", argDescrip = 0x0}, {
            longName = 0x45e896 "debug-to-files", shortName = 102 'f', argInfo = 0, arg = 0x671e44, val = 0, 
            descrip = 0x45f838 "Send the debug output to files instead of stderr", argDescrip = 0x0}, {longName = 0x45e8a5 "debug-timestamps", 
            shortName = 0 '\000', argInfo = 2, arg = 0x671bb8, val = 0, descrip = 0x45e867 "Add debug timestamps", argDescrip = 0x0}, {
            longName = 0x45e8b6 "debug-microseconds", shortName = 0 '\000', argInfo = 2, arg = 0x671bbc, val = 0, 
            descrip = 0x45f870 "Show timestamps with microseconds", argDescrip = 0x0}, {longName = 0x4602c4 "domain", shortName = 0 '\000', argInfo = 1, 
            arg = 0x7fff4513aaf8, val = 0, descrip = 0x45f898 "Domain of the information provider (mandatory)", argDescrip = 0x0}, {longName = 0x0, 
            shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        __FUNCTION__ = "main"
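
Added example (not part of the original report and not sssd code): a small triage helper that decodes the kernel segfault line and flags backtrace frames entered with a NULL pointer argument, using lines quoted in the description above. The function names `decode_segfault` and `null_arg_frames` and the 4 KiB NULL-page threshold are assumptions of this example.

```python
import re

# Sample input: the kernel log line and the first three backtrace frames
# quoted in the bug description above.
KERNEL_LINE = ("Feb 28 17:59:27 primenova kernel: sssd_be[17620]: segfault at 0 "
               "ip 0000003cab804510 sp 00007fff4513a5c8 error 6 in "
               "libtevent.so.0.9.8[3cab800000+9000]")
BACKTRACE = """\
#0  tevent_req_set_callback (req=0x0, fn=0x7f1b092ed440 <ipa_hostgroup_info_done>, pvt=0x169f9f0) at tevent_req.c:372
#1  0x00007f1b092ecec2 in ipa_host_info_done (subreq=<value optimized out>) at src/providers/ipa/ipa_hosts.c:284
#2  0x00007f1b093130ae in sdap_get_generic_done (subreq=0x0) at src/providers/ldap/sdap_async.c:1415
"""

# x86 kernel format: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp>
# error <code> in <object>[<base>+<size>]"; all numbers except pid are hex.
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# One gdb frame header line: "#N  [0xADDR in ]func (args) at file:line"
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\w+) "
    r"\((?P<args>.*)\) at (?P<src>\S+):(?P<line>\d+)$")


def decode_segfault(line, null_page=0x1000):
    """Decode an x86 'segfault at' kernel line; return None if absent."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    info = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        # Page-fault error code bits: 0x1 present, 0x2 write,
        # 0x4 user mode, 0x10 instruction fetch.
        "access": "exec" if err & 0x10 else "write" if err & 0x2 else "read",
        "user_mode": bool(err & 0x4),
        "page_present": bool(err & 0x1),
        # A fault inside the first page is treated as a NULL dereference.
        "null_deref": addr < null_page,
        "object": m["obj"],
        "offset": None,
    }
    if m["obj"]:
        # Offset of the faulting instruction inside the mapped object,
        # usable with addr2line against the matching debuginfo.
        info["offset"] = ip - int(m["base"], 16)
    return info


def null_arg_frames(backtrace):
    """Return (frame, function, [NULL argument names], 'file:line') tuples."""
    hits = []
    for raw in backtrace.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        nulls = re.findall(r"(\w+)=0x0(?![0-9a-f])", m["args"])
        if nulls:
            hits.append((int(m["n"]), m["func"], nulls,
                         f'{m["src"]}:{m["line"]}'))
    return hits


if __name__ == "__main__":
    print(decode_segfault(KERNEL_LINE))
    for hit in null_arg_frames(BACKTRACE):
        print(hit)
```

Frame #0 is the authoritative hit; argument values shown for outer frames of an optimized build, such as `subreq=0x0` in frame #2, can be stale and should be confirmed against the source.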

Comment 1 Gowrishankar Rajaiyan 2012-02-28 15:59:09 UTC
Created attachment 566329 [details]
sssd_lab.eng.pnq.redhat.com.log

Comment 3 Jakub Hrozek 2012-02-28 16:41:22 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1215

Comment 6 Stephen Gallagher 2012-04-10 16:50:37 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No technical note required

Comment 7 Gowrishankar Rajaiyan 2012-05-29 17:03:36 UTC
verified as part of ipa automation::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Kinit as admin user
:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf'
:: [   PASS   ] :: Running 'cat /etc/sssd/sssd.conf'
:: [   PASS   ] :: Clearing cache
:: [   PASS   ] :: Running 'service sssd restart'
:: [   LOG    ] :: Verifies https://bugzilla.redhat.com/show_bug.cgi?id=798317
:: [   PASS   ] :: Authentication successful for user766876, as expected
:: [   PASS   ] :: Running 'ssh_auth_success user766876 testpw123 beast.testrelm.com'
:: [   PASS   ] :: Running 'sed -i 's/ipa_hbac_support_srchost = true/ipa_hbac_support_srchost = false/g' /etc/sssd/sssd.conf'
:: [   PASS   ] :: Running 'service sssd restart'
:: [   LOG    ] :: Duration: 28s
:: [   LOG    ] :: Assertions: 9 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


Manual verification:

[root@primenova ~]# ipa hbacrule-add-service rule1
[member HBAC service]: sshd
[member HBAC service group]: 
  Rule name: rule1
  Enabled: TRUE
  Users: shanks
  Hosts: primenova.lab.eng.pnq.redhat.com
  Source Hosts: rodimus.lab.eng.pnq.redhat.com
  Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@primenova ~]# 

[root@primenova ~]# egrep -v ^# /etc/sssd/sssd.conf 
[domain/lab.eng.pnq.redhat.com]
ipa_hbac_support_srchost = True
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = primenova.lab.eng.pnq.redhat.com
chpass_provider = ipa
ipa_server = primenova.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = lab.eng.pnq.redhat.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[root@primenova ~]# 


[root@primenova ~]# ssh -l shanks $HOSTNAME
shanks.eng.pnq.redhat.com's password: 
Connection closed by 10.65.201.100
[root@primenova ~]# 


Verified: sssd-1.8.0-31.el6.x86_64

Comment 9 errata-xmlrpc 2012-06-20 11:55:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html