Bug 963767

Summary: realm deny does not work with --realm parameter
Product: Fedora
Reporter: Patrik Kis <pkis>
Component: realmd
Assignee: Stef Walter <stefw>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: jhrozek, stefw, yelley
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-05-27 09:42:50 UTC

Description Patrik Kis 2013-05-16 13:58:19 UTC
Description of problem:
The only form in which realm deny works is:
realm deny --all
however, according to the man page the --realm parameter is allowed too, and actually makes sense.

Version-Release number of selected component (if applicable):
realmd-0.14.1-1.fc19

[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U.qe
  login-policy: allow-realm-logins
[root@pkis ~]# 
[root@pkis ~]# realm deny --realm ad.baseos.qe
realm: Use --all to deny all logins
[root@pkis ~]# realm deny 
realm: Use --all to deny all logins
[root@pkis ~]# realm deny --all
[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U.qe
  login-policy: deny-any-login

The command "realm deny --realm ad.baseos.qe" should simply work according to the man page.


###
Apart from this I have a note, a usability note that is a bit related to the topic of this bug report:
When joining a domain or after permit --all, the realm login policy says: "login-policy: allow-realm-logins"
[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U.qe
  login-policy: allow-realm-logins

It is not exactly clear at first glance what it exactly means. After playing a bit with permit/deny I realized that this means that all remote/realmd users are allowed to log in without extra permissions. I think we could be more descriptive here just by adding the word "all" there. Like:
  login-policy: allow-all-logins
or maybe this is more exact
  login-policy: allow-all-realm-logins

Sorry, I know this is probably the least important thing, but if you ever wander through the code somewhere around there, maybe it is worth considering changing this. I believe it will be more descriptive.

Comment 1 Patrik Kis 2013-05-16 14:23:31 UTC
I just went through the man page once again and found out that --all is a mandatory parameter, so what was reported is not really valid.
Also, I still thought that deny only configures deny in sssd.conf, but I just realized that it can now also be used in the same way as permit --withdraw, which is great.
However, this should also be in the man page. It should look something like:

       realm permit [-ax] [-R realm] {user...}

       realm deny [-a] [-R realm] {user...}

realm --help and the error messages should be updated accordingly.

[root@pkis ~]# realm --help
 realm discover -v [realm-name]
   Discover available realm

 realm join -v [-U user] realm-name
   Enroll this machine in a realm

 realm leave -v [-U user] [realm-name]
   Unenroll this machine from a realm

 realm list
   List known realms

 realm permit [-ax] [-R realm] user ...
   Permit user logins

 realm deny --all [-R realm]
   Deny user logins

[root@pkis ~]# realm -v deny 
realm: Use --all to deny all logins

Comment 2 Stef Walter 2013-05-27 09:42:50 UTC
(In reply to Patrik Kis from comment #0)
> The command "realm deny --realm ad.baseos.qe" should simply work according to
> the man page.

As you note below, confirming that the '--all' argument is required.

realmd does not have the ability to deny specific users while allowing all others. Domain HBAC should be used for this fine grained access control.

> It is not exactly clear at first glance what it exactly means.
> After playing a bit with permit/deny I realized that this means that all
> remote/realmd users are allowed to log in without extra permissions. I think
> we could be more descriptive here just by adding the word "all" there. Like:
>   login-policy: allow-all-logins
> or maybe this is more exact
>   login-policy: allow-all-realm-logins

That's because it's not necessarily 'all' logins. In this case we're respecting the realm's login policy. In this case it's HBAC of who can log into which machine.

> Sorry, I know this is probably the least important thing, but if you ever
> wander through the code somewhere around there, maybe it is worth considering
> changing this. I believe it will be more descriptive.

Thank you for pointing it out. Unfortunately in this case it is not more descriptive of what's actually going on.

Do you have specific changes which could be made to documentation or manual pages that would help explain the concept better?

(In reply to Patrik Kis from comment #1)
> I just went through the man page once again and found out that --all is a
> mandatory parameter, so what was reported is not really valid.
> Also, I still thought that deny only configures deny in sssd.conf, but I
> just realized that it can now also be used in the same way as permit
> --withdraw, which is great.
> However, this should also be in the man page. It should look something like:

This is only the case for backwards compatibility and old scripts. It should not be used by new users.

realmd does not actually have the ability to deny specific users the ability to log in, while allowing all others access. It was incorrect to include "remove this user from the permit list" under the 'deny' command, and this has been rectified in recent realmd releases. 

All while at the same time preserving the old behavior and printing a warning alerting to the change.

So closing this as NOTABUG, but please reopen if I've missed something or misunderstood.
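The thread turns on what the `login-policy` line of `realm list` means: as Stef explains, `allow-realm-logins` does not mean "everyone", it means the host defers to the realm's own policy (domain HBAC), while `deny-any-login` is what `realm deny --all` leaves behind. The script below is an added example, not part of this bug report or of realmd itself: it parses `realm list` output in the format shown above and reports each realm's policy, so an administrator can check which realms on a host still defer to the domain and which have been closed. The sample input is constructed (the first realm is copied from the reporter's output, the second is made up), and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not realmd's code): parse `realm list` output and report
# each realm's login-policy, so an admin can see at a glance which realms
# still allow every realm user to log in (subject only to the domain's HBAC)
# and which have been closed with `realm deny --all`.

# Constructed sample input: the first realm is copied from the bug report's
# `realm list` output, the second is made up to show a denied realm.
SAMPLE_REALM_LIST='ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U.qe
  login-policy: allow-realm-logins
example.test
  type: kerberos
  realm-name: EXAMPLE.TEST
  domain-name: example.test
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.test
  login-policy: deny-any-login'

# realm_login_policies: reads `realm list` output on stdin and prints one
# "<realm> <login-policy>" line per realm.  A realm starts at an unindented
# line; its attributes follow as indented "key: value" pairs.
realm_login_policies() {
    awk '
        /^[^ \t]/ {
            if (realm != "") print realm, policy
            realm = $1; policy = "(not set)"
            next
        }
        /^[ \t]+login-policy:/ { policy = $2 }
        END { if (realm != "") print realm, policy }
    '
}

# realms_allowing_all_realm_logins: prints the realms whose policy is
# allow-realm-logins (every realm user may log in unless the domain's HBAC
# says otherwise).  Exit status 0 when at least one such realm exists, 1 when
# none does, so it can drive a configuration check.
realms_allowing_all_realm_logins() {
    realm_login_policies | awk '
        $2 == "allow-realm-logins" { print $1; found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Stand-alone run: report on the constructed sample; pass --live on a host
# with realmd installed to inspect the real `realm list` output instead.
if [ "${1:-}" = "--live" ]; then
    realm list | realms_allowing_all_realm_logins
else
    printf '%s\n' "$SAMPLE_REALM_LIST" | realm_login_policies
fi
```

Run without arguments it prints `ad.baseos.qe allow-realm-logins` and `example.test deny-any-login` for the sample; with `--live` on a realmd host it lists only the realms that defer to domain policy and exits non-zero when there are none, which is the shape a compliance check wants. It reads just the `login-policy` attribute, so per-user permit lists (which `realm list` does not show) still have to be checked in sssd.conf.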