Bug 2102852 - 'ipa hbactest' fails (shows 'False') for trusted AD users if nested groups are used in HBAC rules (though actual login access works)
Summary: 'ipa hbactest' fails (shows 'False') for trusted AD users if nested groups ar...
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-06-30 20:14 UTC by Akshay Sakure
Modified: 2023-08-12 15:26 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links
System                 ID               Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker  FREEIPA-8442     0        None      None    None     2022-06-30 20:20:00 UTC
Red Hat Issue Tracker  RHELPLAN-126778  0        None      None    None     2022-06-30 20:20:05 UTC

Description Akshay Sakure 2022-06-30 20:14:10 UTC
Description of problem:
'ipa hbactest' fails (shows 'False') for trusted AD users if nested groups are used in HBAC rules (but actual login access works)

Version-Release number of selected component (if applicable):
ipa-admintools-4.4.0-14.el7_3.7.noarch.rpm
ipa-server-4.6.8-5.el7_9.11.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:
AD delegation groups -----> AD role groups -----> AD users  
          \
           \---------------> other AD delegation group
(HBAC rule applied on AD delegation group work but hbactest fails)

Actual results:
HBAC test fails but actual authentication/access works based on HBAC rule.

Expected results:
HBAC rule should pass and show results as "True".

Additional info:

Comment 4 Florence Blanc-Renaud 2022-07-05 13:31:10 UTC
Can you provide more details?
Are the groups defined on AD side or on IdM side?
If they are on AD side, did the customer define an external group on IdM side containing the AD group AND a posix group on IdM side containing the external group? Please share the output of ipa group-show for the relevant groups.

Is the trust a POSIX trust or non-POSIX trust (ie with SID mapping)?

Comment 5 Florence Blanc-Renaud 2022-07-06 17:05:54 UTC
So far I wasn't able to reproduce the issue.
Example with
- a user defined in AD: aduser
- in AD, the user is a member of the group adrolegroup
- in AD, the group is a member of the group addelegationgroup

On IdM side:
- trust created with AD as a non-posix trust
- external group addelegationgroup_ext that contains addelegationgroup:
ipa group-add --external addelegationgroup_ext
ipa group-add-member addelegationgroup_ext --external addelegationgroup
- posix group addelegationgroup_posix that contains the external group addelegationgroup_ext
ipa group-add addelegationgroup_posix
ipa group-add-member addelegationgroup_posix --groups addelegationgroup_ext
- HBAC rule applying to the posix group, allowing access to the host master.testrelm.test:
ipa hbacrule-add access_to_master --servicecat=all
ipa hbacrule-add-host access_to_master --hosts master.testrelm.test
ipa hbacrule-add-user --groups addelegationgroup_posix access_to_master

- Testing of the HBAC rule:
ipa hbactest --user aduser --host master.testrelm.test --service ssh
--------------------
Access granted: True
--------------------
  Matched rules: access_to_master
  Not matched rules: allow_systemd-user

Packages:
ipa-server-4.6.8-5.el7_9.11.x86_64
sssd-client-1.16.5-10.el7_9.13.x86_64

Comment 6 Florence Blanc-Renaud 2022-07-06 17:14:59 UTC
Please also note that if the format AD.TEST\aduser is used in the command, you need to escape the \ (either with another \ or by using quotes):

[root@master ~]# ipa hbactest --user AD.TEST\aduser --host master.testrelm.test --service ssh
---------------------
Access granted: False
---------------------
  Not matched rules: access_to_master
  Not matched rules: allow_systemd-user
[root@master ~]# ipa hbactest --user AD.TEST\\aduser --host master.testrelm.test --service ssh
--------------------
Access granted: True
--------------------
  Matched rules: access_to_master
  Not matched rules: allow_systemd-user
[root@master ~]# ipa hbactest --user 'AD.TEST\aduser' --host master.testrelm.test --service ssh
--------------------
Access granted: True
--------------------
  Matched rules: access_to_master
  Not matched rules: allow_systemd-user

Comment 12 Florence Blanc-Renaud 2022-09-18 12:05:18 UTC
The customer is using a wrong format when providing the AD users:
ipa hbactest --user=odin.prod//b10052674 --host=srv01200.linux.odin.prod --service=sshd

The right formats are either b10052674 or odin.prod\\b10052674 (with anti-slash, not slash). Please retry with the right format and update the case with fresh sos reports if the failure still happens.
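The two spelling problems raised in comment 6 (an unquoted backslash eaten by the shell) and comment 12 (a forward slash instead of a backslash) both produce a misleading "Access granted: False" that looks like an HBAC failure. The following shell script is an added example, not code from the bug report or from FreeIPA: it shows what bytes actually reach the ipa client for each quoting style and refuses malformed user spellings before any hbactest is run. The function names, the acceptance rule (bare shortname, DOMAIN\shortname, or shortname@domain; anything with a forward slash rejected) and the host/service names are assumptions for the demonstration; the user and host names are taken from the comments above.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeIPA): make the user spelling
# for 'ipa hbactest --user' checkable before touching an IdM server.

# Echo back one argument exactly as a program such as ipa receives it after
# the shell has processed quotes and backslashes. Unquoted AD.TEST\aduser
# arrives as AD.TESTaduser; AD.TEST\\aduser and 'AD.TEST\aduser' arrive intact.
received_user() {
    printf '%s\n' "$1"
}

# Accept the spellings ipa resolves for a trusted AD user (assumed rule):
#   shortname           e.g. aduser
#   DOMAIN\shortname    e.g. AD.TEST\aduser (backslash must survive the shell)
#   shortname@domain    e.g. aduser@ad.test
# Reject an empty name, any forward slash (the odin.prod//b10052674 case),
# a backslash with nothing on one side, or more than one backslash.
ad_user_format_ok() {
    case "$1" in
        '')             return 1 ;;
        */*)            return 1 ;;
        '\'*|*'\')      return 1 ;;
        *'\'*'\'*)      return 1 ;;
        *)              return 0 ;;
    esac
}

# Wrap an argument in single quotes so the shell passes it through unchanged;
# an embedded single quote becomes '\'' .
shell_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build a correctly quoted hbactest command line for user/host/service,
# refusing a malformed user name so a typo cannot masquerade as a failing rule.
hbactest_cmd() {
    ad_user_format_ok "$1" || { echo "bad AD user spelling: $1" >&2; return 1; }
    printf 'ipa hbactest --user %s --host %s --service %s\n' \
        "$(shell_quote "$1")" "$(shell_quote "$2")" "$(shell_quote "$3")"
}

# Demonstration with the names from the bug report. The real ipa call at the
# end only runs when an ipa client and a valid Kerberos ticket are present.
for u in 'AD.TEST\aduser' aduser aduser@ad.test odin.prod//b10052674; do
    if ad_user_format_ok "$u"; then
        hbactest_cmd "$u" master.testrelm.test sshd
    else
        echo "rejected: $u"
    fi
done
if command -v ipa >/dev/null 2>&1 && klist -s 2>/dev/null; then
    eval "$(hbactest_cmd 'AD.TEST\aduser' master.testrelm.test sshd)" \
        || echo "ipa hbactest exited with status $?" >&2
fi
```

The rejection path matters more than the happy path: a name with a forward slash is not a valid AD or IdM identifier, so hbactest evaluates it as an unknown user and reports every rule as "Not matched", exactly the symptom in comment 12. Always single-quote a DOMAIN\user argument (or double the backslash) so that what the client receives is what you typed.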

