Bug 963767
Summary: | realm deny does not work with --realm parameter | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Patrik Kis <pkis> |
Component: | realmd | Assignee: | Stef Walter <stefw> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | jhrozek, stefw, yelley |
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2013-05-27 09:42:50 UTC | Type: | Bug |
Description
Patrik Kis
2013-05-16 13:58:19 UTC
I just went through the man page once again and found out that --all is a mandatory parameter, so what was reported is not really valid.

Also, I still thought that deny only configures deny in sssd.conf, but I just realized that it can now also be used in the same way as permit --withdraw, which is great. However, this should also be in the man page. It should look something like:

    realm permit [-ax] [-R realm] {user...}
    realm deny [-a] [-R realm] {user...}

realm --help and the error messages should be updated accordingly.

    [root@pkis ~]# realm --help
     realm discover -v [realm-name]
       Discover available realm
     realm join -v [-U user] realm-name
       Enroll this machine in a realm
     realm leave -v [-U user] [realm-name]
       Unenroll this machine from a realm
     realm list
       List known realms
     realm permit [-ax] [-R realm] user ...
       Permit user logins
     realm deny --all [-R realm]
       Deny user logins
    [root@pkis ~]# realm -v deny
    realm: Use --all to deny all logins

(In reply to Patrik Kis from comment #0)
> The command "realm deny --realm ad.baseos.qe" should simply work according
> to the man page.

As you note below, confirming that the '--all' argument is required. realmd does not have the ability to deny specific users while allowing all others. Domain HBAC should be used for this fine-grained access control.

> It is not exactly clear at first glance what it exactly means.
> After playing a bit with permit/deny I realized that this means that all
> remote/realmd users are allowed to log in without extra permissions. I think
> we could be more descriptive here just by adding the word "all" there. Like:
> login-policy: allow-all-logins
> or maybe this is more exact
> login-policy: allow-all-realm-logins

That's because it's not necessarily 'all' logins. In this case we're respecting the realm's login policy. In this case it's HBAC of who can log into which machine.

> Sorry, I know this is probably the least important thing, but if you will
> once wander in the code somewhere around maybe it is worth considering
> changing this. I believe it will be more descriptive.

Thank you for pointing it out. Unfortunately in this case it is not more descriptive of what's actually going on. Do you have specific changes which could be made to documentation or manual pages that would help explain the concept better?

(In reply to Patrik Kis from comment #1)
> I just went through the man page once again and found out that --all is a
> mandatory parameter, so what was reported is not really valid.
> Also, I still thought that deny only configures deny in sssd.conf, but I
> just realized that it can now also be used in the same way as permit
> --withdraw, which is great.
> However, this should also be in the man page. It should look something like:

This is only the case for backwards compatibility and old scripts. It should not be used by new users.

realmd does not actually have the ability to deny specific users the ability to log in, while allowing all others access. It was incorrect to include "remove this user from the permit list" under the 'deny' command, and this has been rectified in recent realmd releases. All while at the same time preserving the old behavior and printing a warning alerting to the change.

So closing this as NOTABUG, but please reopen if I've missed something or misunderstood.
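
The thread above says that `realm deny <user>` survives only for old scripts and that `realm deny` without `--all` is rejected. As an added example (not part of the bug report and not realmd code), the following sketch flags both forms in an admin script so they can be replaced by `realm permit --withdraw` or `realm deny --all`. The function names and the sample script are hypothetical and constructed; it assumes one command per line with options written separately.

```shell
# Added example, not realmd code: classify "realm deny" calls in a script.
# Assumes one command per line, separate options, no quoting to parse.

# Print deny-all, legacy-withdraw, missing-all or not-deny for one line.
classify_realm_deny() (
    set -f                              # split words without globbing
    state=0 all=0 users=0 skip=0
    for word in $1; do
        case $state in
        0)  case $word in
                '#'*) break ;;          # rest of the line is a comment
                realm|*/realm) state=1 ;;
            esac ;;
        1)  case $word in
                -*) ;;                  # global option such as -v
                deny) state=2 ;;
                *) break ;;             # another realm subcommand
            esac ;;
        2)  if [ "$skip" -eq 1 ]; then skip=0; continue; fi
            case $word in
                -a|--all) all=1 ;;
                -R|--realm) skip=1 ;;   # next word is the realm name
                ';'|'&&'|'||'|'|'|'#'*) break ;;
                -*) ;;
                *) users=$((users + 1)) ;;
            esac ;;
        esac
    done
    if [ "$state" -ne 2 ]; then echo not-deny
    elif [ "$all" -eq 1 ]; then echo deny-all
    elif [ "$users" -gt 0 ]; then echo legacy-withdraw  # realm permit --withdraw
    else echo missing-all               # "realm: Use --all to deny all logins"
    fi
)

# Read a script on stdin; print "<line number>:<class>" per realm deny call.
scan_script() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        class=$(classify_realm_deny "$line")
        [ "$class" = not-deny ] || echo "$n:$class"
    done
}

# Constructed sample of an old provisioning script.
demo() {
    printf '%s\n' 'realm join -v ad.baseos.qe' 'realm permit alice' \
        'realm deny alice' 'realm deny --realm ad.baseos.qe' \
        'realm deny --all' | scan_script
}
demo
```

To check a real script, replace the final `demo` call with `scan_script < path/to/script`.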