Bug 1479365 - hbactest does not work with trusted users
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: ipa-qe
Keywords: Regression
Depends On:
Blocks:
Reported: 2017-08-08 08:45 EDT by Sudhir Menon
Modified: 2017-08-16 06:06 EDT
CC List: 5 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-16 06:06:48 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Sudhir Menon 2017-08-08 08:45:48 EDT
Description of problem: hbactest does not work with trusted users

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.el7_4.1.x86_64
389-ds-base-1.3.6.1-17.el7_4.x86_64
pki-server-10.4.1-12.el7_4.noarch
selinux-policy-3.13.1-166.el7.noarch
sssd-1.15.2-50.el7_4.2.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA Server and establish trust with AD

Actual results:
[root@master ~]# kdestroy -A
[root@master ~]# kinit admin
Password for admin@IDM01.TEST: 
[root@master ~]# ipa group-add --desc=0 bz848531_external --external
-------------------------------
Added group "bz848531_external"
-------------------------------
  Group name: bz848531_external
  Description: 0

[root@master ~]# ipa group-add --desc=0 bz848531
----------------------
Added group "bz848531"
----------------------
  Group name: bz848531
  Description: 0
  GID: 498800006

[root@master ~]# ipa group-add-member bz848531 --groups=bz848531_external
  Group name: bz848531
  Description: 0
  GID: 498800006
  Member groups: bz848531_external
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa group-add-member bz848531_external --external='IPAAD2012R2\adgroup1' --users='' --groups=''
  Group name: bz848531_external
  Description: 0
  External member: S-1-5-21-547465014-1205121312-3291251547-1108
  Member of groups: bz848531
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa hbacrule-add bz848531
--------------------------
Added HBAC rule "bz848531"
--------------------------
  Rule name: bz848531
  Enabled: TRUE

[root@master ~]# ipa hbacrule-add-host bz848531 --hosts='client.idm01.test'
  Rule name: bz848531
  Enabled: TRUE
  Hosts: client.idm01.test
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa hbacrule-add-service bz848531 --hbacsvcs=sshd
  Rule name: bz848531
  Enabled: TRUE
  Hosts: client.idm01.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa hbacrule-add-user bz848531 --groups=bz848531
  Rule name: bz848531
  Enabled: TRUE
  User Groups: bz848531
  Hosts: client.idm01.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa hbactest --host='client.idm01.test' --service=sshd --user='IPAAD2012R2\aduser1'
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: bz848531
------
Group name: bz848531_external
  Group name: bz848531_external
  Description: 0
  External member: adgroup1@ipaad2012r2.test
  Member of groups: bz848531
  Indirect Member of HBAC rule: bz848531

[root@master ~]# ipa group-show
Group name: bz848531
  Group name: bz848531
  Description: 0
  GID: 498800006
  Member groups: bz848531_external
  Member of HBAC rule: bz848531

[root@master ~]# ipa hbactest --host='client.idm01.test' --service=sshd --user='IPAAD2012R2\aduser1' > /tmp/test.txt

[root@master ~]# grep 'Matched rules' /tmp/test.txt 
  Matched rules: allow_all

1. When hbactest is run against the client for a trusted AD user, it doesn't match
HBAC rule 'bz848531'; instead it matches allow_all.

2. The same works when the default HBAC rule allow_all is disabled.

Expected results: Check https://bugzilla.redhat.com/show_bug.cgi?id=848531#c9

Additional info: Logging this as a bug since this was working earlier.
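As an added example (not part of this bug report), a small parser for the `ipa hbactest` text output quoted above that flags the condition the reporter hit: access is granted only because the default allow_all rule matched, while the rule under test is listed under "Not matched rules", so disabling allow_all would lock the trusted user out. The sample output is constructed from the transcript; the function names are mine.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the first hbactest run quoted in the bug
# (only allow_all matched, bz848531 did not).
SAMPLE_OUTPUT = """\
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: bz848531
"""


def parse_hbactest(output: str) -> Dict[str, object]:
    """Parse `ipa hbactest` output into {'granted': bool,
    'matched': [rule, ...], 'not_matched': [rule, ...]}.
    hbactest prints one rule per 'Matched rules:' / 'Not matched rules:'
    line, so rule names are accumulated rather than overwritten."""
    result: Dict[str, object] = {"granted": False, "matched": [], "not_matched": []}
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Access granted:\s*(\w+)", line)
        if m:
            result["granted"] = m.group(1).lower() == "true"
            continue
        m = re.match(r"(Not matched|Matched) rules:\s*(\S+)", line)
        if m:
            key = "matched" if m.group(1) == "Matched" else "not_matched"
            result[key].append(m.group(2))  # type: ignore[union-attr]
    return result


def rule_matched(parsed: Dict[str, object], rule: str) -> bool:
    """True when the named HBAC rule is among the matched rules."""
    return rule in parsed["matched"]  # type: ignore[operator]


def granted_only_by_allow_all(parsed: Dict[str, object], default_rule: str = "allow_all") -> bool:
    """True when access was granted and the default rule is the only match:
    the per-user rule being tested did not fire, which is what the
    reporter's grep on 'Matched rules' was trying to detect."""
    return bool(parsed["granted"]) and parsed["matched"] == [default_rule]
```

A QE or CI script would run `ipa hbactest ... > /tmp/test.txt` as in the transcript and fail the check when `granted_only_by_allow_all` returns True for the rule under test.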
Comment 3 Petr Vobornik 2017-08-14 06:32:18 EDT
This looks almost the same as bug 1446176 from April 2017. It was later closed by Varun as "worksforme".

If it is the same test case and it sometimes works and sometimes doesn't, then it makes sense to retry or try several times (to verify this assumption).

And also please provide the private beaker job.
Comment 4 Alexander Bokovoy 2017-08-14 06:39:54 EDT
In cases like this please always provide SSSD logs from the same IPA master that is used for the hbactest. SSSD should be configured to use at least debug_level 8.
Comment 5 Sudhir Menon 2017-08-16 06:06:48 EDT
Alexander/Petr,
This time it worked for me, which means that the rule was matched:
"Matched rules: bz848531"
Hence marking the bug as WORKSFORME.

[root@cypher quickinstall]# ipa group-add-member bz848531_external --external='PNE\adgroup1' --users='' --groups=''
  Group name: bz848531_external
  Description: 0
  External member: S-1-5-21-2202318585-426110948-4011710778-1559
  Member of groups: bz848531
-------------------------
Number of members added 1
-------------------------

[root@cypher quickinstall]# ipa hbacrule-add bz848531
--------------------------
Added HBAC rule "bz848531"
--------------------------
  Rule name: bz848531
  Enabled: TRUE

[root@cypher quickinstall]# ipa hbacrule-add-host bz848531 --hosts='client.testrelm.test' 
  Rule name: bz848531
  Enabled: TRUE
  Hosts: client.testrelm.test
-------------------------
Number of members added 1
-------------------------

[root@cypher quickinstall]# ipa hbacrule-add-service bz848531 --hbacsvcs=sshd
  Rule name: bz848531
  Enabled: TRUE
  Hosts: client.testrelm.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@cypher quickinstall]# ipa hbacrule-add-user bz848531 --groups=bz848531
  Rule name: bz848531
  Enabled: TRUE
  User Groups: bz848531
  Hosts: client.testrelm.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@cypher quickinstall]# ipa hbactest --host='client.testrelm.test' --service=sshd --user='PNE\aduser1' > /tmp/test.txt
[root@cypher quickinstall]# cat /tmp/test.txt 
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Matched rules: bz848531
