Bug 1673005 - Applying hbac rules according to guide doesn't return expected results
Status: CLOSED WONTFIX
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: freeipa-guide
Version: devel
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Petr Bokoc
QA Contact: Fedora Docs QA
Reported: 2019-02-06 12:58 UTC by Michal Polovka
Modified: 2019-02-06 16:11 UTC

Last Closed: 2019-02-06 16:11:37 UTC

Description Michal Polovka 2019-02-06 12:58:17 UTC
Description of problem:

I followed freeipa-guide closely up to unit 4 - hbac rules.
After I created "sysadmin_webservers" using the provided instructions (copy-pasted to be sure), I wanted to test whether it works.
However, despite Alice being in the "sysadmin" group and all rules being set according to the guide, access to client servers for alice is denied (see Additional info).


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Follow the freeIPA-guide till Unit 4
2. Disable the allow_all hbac rule
3. Follow the steps in Unit 4

Actual results:

[server]$ ipa hbactest --host client.ipademo.local --service sshd --user alice
---------------------
Access granted: False
---------------------
  Not matched rules: sysadmin_webservers

[server]$ kinit alice
Password for alice:
[server]$ ssh alice.local
Connection closed by UNKNOWN port 65535

Expected results:

[server]$ ipa hbactest --host client.ipademo.local --service sshd --user alice
---------------------
Access granted: True
---------------------

[server]$ kinit alice
Password for alice:
[server]$ ssh alice.local
Creating home directory for alice.
[alice@client]$

Additional info:

[server]$ ipa user-show alice
  User login: alice
  First name: Alice
  Last name: von der Wunderland
  Home directory: /home/alice
  Login shell: /bin/sh
  Principal name: alice
  Principal alias: alice
  Email address: alice
  UID: 55400001
  GID: 55400001
  Job Title: Recreationist
  Class: Superior
  Account disabled: False
  Password: True
  Member of groups: sysadmin, ipausers
  Indirect Member of HBAC rule: sysadmin_webservers
  Kerberos keys available: True

[server]$ ipa hbacrule-find
-------------------
1 HBAC rule matched
-------------------
  Rule name: sysadmin_webservers
  Service category: all
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

[server]$ ipa hbacrule-show sysadmin_webservers
  Rule name: sysadmin_webservers
  Service category: all
  Enabled: TRUE
  User Groups: sysadmin
  Host Groups: webservers

Comment 1 Michal Polovka 2019-02-06 13:27:32 UTC
IPA version:
[server]$ ipa --version
VERSION: 4.6.90.pre2, API_VERSION: 2.229

Comment 2 Petr Bokoc 2019-02-06 14:14:40 UTC
Hi, which FreeIPA guide are you looking at? We haven't been maintaining one in Fedora for years, the latest published version I can see is from F18, released in 2013.

Comment 3 Michal Polovka 2019-02-06 15:20:49 UTC
Hello, I cloned this repository and used master branch https://github.com/freeipa/freeipa-workshop

Comment 4 Petr Bokoc 2019-02-06 16:11:37 UTC
Right. In that case please report this as an issue against the upstream repo: https://github.com/freeipa/freeipa-workshop/issues - this BZ component is for the old FreeIPA Guide that was maintained and published by Fedora Project, and as I said, it hasn't been touched in ages and is considered deprecated. It's unlikely that anyone who actively maintains the upstream guide will see this.

