Bug 2227133 - 'ipa hbactest' shows result as 'False' for overridden trusted AD account despite a correct HBAC rule in place.
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-07-28 05:46 UTC by Akshay Sakure
Modified: 2023-08-01 07:38 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links
System ID                              Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker FREEIPA-10198    0        None      None    None     2023-07-28 05:47:40 UTC
Red Hat Issue Tracker RHELPLAN-163730  0        None      None    None     2023-07-28 05:47:45 UTC

Description Akshay Sakure 2023-07-28 05:46:47 UTC
Description of problem:
'ipa hbactest' shows result as 'False' for overridden trusted AD account despite a correct HBAC rule in place.


Version-Release number of selected component (if applicable):
RHEL 7.9


How reproducible:
Always


Steps to Reproduce:
1. Set up the IPA-AD trust

2. Configure an HBAC rule in IPA for the trusted AD user (by assigning it to an IPA POSIX group)

3. For the trusted AD account, override the primary group name & gidNumber.

4. On the IPA client, run the 'ipa hbactest' command to check access; it shows
---
Access granted: False  <----
---

5. However, 'sssctl user-checks' shows success for the same trusted AD account.
---
testing pam_acct_mgmt
pam_acct_mgmt: Success  <----
---

   (Note that actual access to the IPA client for the trusted AD user still works fine based on the HBAC rule in place)


Actual results:

'ipa hbactest' command shows incorrect result:
---
Access granted: False
---


Expected results:

Ideally, 'ipa hbactest' command should show:
---
Access granted: True
---
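The reproduction steps above, as an added shell script that is not part of the bug report or of the ipa/sssd projects. It runs the IPA commands for steps 2 and 3 (external group, POSIX wrapper group, HBAC rule, ID overrides), then on the client runs 'ipa hbactest' and 'sssctl user-checks' for the same account and reports whether the two verdicts agree, which is the discrepancy the reporter observed. Every name in it (AD user and group, client hostname, gidNumber, group and rule names) is an assumption to adjust; the live commands only run when the script is invoked with 'setup' or 'check', so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the bug report. All values below are assumptions.
AD_USER='aduser@ad.example.com'          # assumed trusted AD account
AD_GROUP='domain users@ad.example.com'   # assumed AD primary group of that account
CLIENT='client.ipa.example.com'          # assumed IPA client hostname
OVERRIDE_GID=20000                        # assumed gidNumber to override to
EXT_GROUP='ad_users_external'             # assumed non-POSIX (external) IPA group
POSIX_GROUP='ad_users'                    # assumed POSIX group referenced by the rule
RULE='allow_ad_users_ssh'                 # assumed HBAC rule name
VIEW='Default Trust View'                 # ID view that applies to every host

# Step 2: HBAC rule for the AD user through an IPA POSIX group.
# Run on an IPA server with an admin ticket, after the trust from step 1 exists.
setup_hbac_rule() {
    ipa group-add --external "$EXT_GROUP" --desc 'AD users allowed via HBAC'
    ipa group-add-member "$EXT_GROUP" --external "$AD_USER"
    ipa group-add "$POSIX_GROUP" --desc 'POSIX wrapper for AD users'
    ipa group-add-member "$POSIX_GROUP" --groups "$EXT_GROUP"
    ipa hbacrule-add "$RULE"
    ipa hbacrule-add-user "$RULE" --groups "$POSIX_GROUP"
    ipa hbacrule-add-host "$RULE" --hosts "$CLIENT"
    ipa hbacrule-add-service "$RULE" --hbacsvcs sshd
}

# Step 3: override the AD account's primary group name and gidNumber.
setup_overrides() {
    ipa idoverridegroup-add "$VIEW" "$AD_GROUP" \
        --group-name ad_domain_users --gid "$OVERRIDE_GID"
    ipa idoverrideuser-add "$VIEW" "$AD_USER" --gidnumber "$OVERRIDE_GID"
}

# Pull the 'Access granted:' value out of 'ipa hbactest' output read from stdin.
hbactest_verdict() {
    awk -F': *' '/^[[:space:]]*Access granted:/ { print $2; exit }'
}

# Pull the pam_acct_mgmt result out of 'sssctl user-checks' output read from stdin.
sssd_verdict() {
    awk -F': *' '/^pam_acct_mgmt:/ { print $2; exit }'
}

# Map each tool's wording onto granted/denied so the two can be compared.
normalize() {
    case "$1" in
        True|Success) echo granted ;;
        *)            echo denied ;;
    esac
}

# Report "agree (...)" or "MISMATCH: ..." for a raw hbactest and sssctl verdict.
compare_verdicts() {
    a=$(normalize "$1")
    b=$(normalize "$2")
    if [ "$a" = "$b" ]; then
        echo "agree ($a)"
    else
        echo "MISMATCH: hbactest=$a sssd=$b"
    fi
}

# Steps 4 and 5: run on the IPA client with a valid ticket and compare.
check_client() {
    h=$(ipa hbactest --user "$AD_USER" --host "$CLIENT" --service sshd | hbactest_verdict)
    s=$(sssctl user-checks "$AD_USER" -s sshd -a acct 2>&1 | sssd_verdict)
    compare_verdicts "$h" "$s"
}

# Touch the live deployment only when asked explicitly.
case "${1:-}" in
    setup) setup_hbac_rule; setup_overrides ;;
    check) check_client ;;
esac
```

Run './reproduce.sh setup' once on a server, then './reproduce.sh check' on the client; with the behaviour described in this bug the last line reads 'MISMATCH: hbactest=denied sssd=granted', while a healthy deployment prints 'agree (granted)'.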

