+++ This bug was initially created as a clone of Bug #678091 +++

Description of problem:
SSSD shipped in 6.0 with the expectation that HBAC rules would be stored in the cn=account subtree of FreeIPAv2. However, the final version of the schema stores them in cn=hbac instead. So right now, there are no rules accepted (which means denial of all).

Version-Release number of selected component (if applicable):
sssd-1.2.1-39.el5

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA v2 server with one or more HBAC rules
2. Point an SSSD client at this server, with access_provider=ipa

Actual results:
User is always denied

Expected results:
Denial/permission should be based on the access control rules

Additional info:
verified using
ipa-server-2.0.0-23.el6.x86_64
ipa-client-2.0-14.el5

steps:

# ipa hbacrule-add
Rule name: denyssh
Rule type: deny
-------------------------
Added HBAC rule "denyssh"
-------------------------
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE

# ipa hbacrule-add-host
Rule name: denyssh
[host]: ipaqa64vma.testrelm
[hostgroup]:
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Hosts: ipaqa64vma.testrelm
-------------------------
Number of members added 1
-------------------------

# ipa hbacrule-add-user
Rule name: denyssh
[user]: one
[group]:
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Users: one
  Hosts: ipaqa64vma.testrelm
-------------------------
Number of members added 1
-------------------------

# ipa hbacrule-add-service
Rule name: denyssh
[hbacsvc]: sshd
[hbacsvcgroup]:
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Users: one
  Hosts: ipaqa64vma.testrelm
  Services: sshd
-------------------------
Number of members added 1
-------------------------

Followed the same steps to add a rule allowssh:

# ipa hbacrule-show --all
Rule name: allowssh
  dn: ipauniqueid=0e6974f8-7d89-11e0-a2d2-021016980183,cn=hbac,dc=testrelm
  Rule name: allowssh
  Rule type: allow
  Source host category: all
  Enabled: TRUE
  Users: two
  Hosts: ipaqa64vma.testrelm
  Services: sshd
  ipauniqueid: 0e6974f8-7d89-11e0-a2d2-021016980183
  memberindirect: fqdn=ipaqa64vma.testrelm,cn=computers,cn=accounts,dc=testrelm, uid=two,cn=users,cn=accounts,dc=testrelm
  objectclass: ipaassociation, ipahbacrule

# ipa hbacrule-mod --srchostcat=all allowssh

# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

ssh one
one's password:
Connection closed by 10.16.98.182

and user two could ssh successfully.
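Added illustration (not SSSD or FreeIPA code, and not part of this bug report): a small model of the client-side check the description and the verification above are about. It shows why a client that searches cn=accounts for rules sees none and therefore denies everyone, and how the deny/allow rules from the verification decide access for users one and two once the client searches cn=hbac. The rule entries are constructed to mirror the `ipa hbacrule-show --all` output; the member*/category/accessruletype/ipaenabledflag attribute names, the DN layout for HBAC services, and the "a matching deny rule wins over allow, default deny" evaluation order are assumptions for this example. Source host matching is not modelled.

```python
# Added example: how an SSSD-style ipa access provider would evaluate FreeIPA v2
# HBAC rules. Not SSSD or FreeIPA code; entries below are constructed.

BASE_DN = "dc=testrelm"
NEW_HBAC_BASE = f"cn=hbac,{BASE_DN}"      # where the final v2 schema keeps rules
OLD_HBAC_BASE = f"cn=accounts,{BASE_DN}"  # where sssd-1.2.1-39.el5 searched (the bug)


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{BASE_DN}"


def host_dn(fqdn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,{BASE_DN}"


def service_dn(name):
    # Assumed DN layout for HBAC service entries; not shown on the page.
    return f"cn={name},cn=hbacservices,cn=hbac,{BASE_DN}"


# Constructed directory entries modelled on the verification comment. Only the
# allowssh dn/ipauniqueid/objectclass appear verbatim on the page; the other
# attribute names and the denyssh/allow_all ipauniqueid values are assumptions.
ENTRIES = [
    {
        "dn": f"ipauniqueid=0e6974f8-7d89-11e0-a2d2-021016980183,{NEW_HBAC_BASE}",
        "cn": "allowssh", "objectclass": ["ipaassociation", "ipahbacrule"],
        "accessruletype": "allow", "ipaenabledflag": "TRUE",
        "memberuser": [user_dn("two")],
        "memberhost": [host_dn("ipaqa64vma.testrelm")],
        "memberservice": [service_dn("sshd")],
    },
    {
        "dn": f"ipauniqueid=00000000-0000-0000-0000-000000000001,{NEW_HBAC_BASE}",
        "cn": "denyssh", "objectclass": ["ipaassociation", "ipahbacrule"],
        "accessruletype": "deny", "ipaenabledflag": "TRUE",
        "memberuser": [user_dn("one")],
        "memberhost": [host_dn("ipaqa64vma.testrelm")],
        "memberservice": [service_dn("sshd")],
    },
    {   # disabled with `ipa hbacrule-disable allow_all` in the verification
        "dn": f"ipauniqueid=00000000-0000-0000-0000-000000000002,{NEW_HBAC_BASE}",
        "cn": "allow_all", "objectclass": ["ipaassociation", "ipahbacrule"],
        "accessruletype": "allow", "ipaenabledflag": "FALSE",
        "usercategory": "all", "hostcategory": "all", "servicecategory": "all",
    },
]


def rules_under(entries, search_base):
    """Rules the client can see: ipahbacrule entries below the base it searches.
    With the old base this is empty, which is the 'deny everything' failure."""
    suffix = "," + search_base.lower()
    return [e for e in entries
            if "ipahbacrule" in e["objectclass"] and e["dn"].lower().endswith(suffix)]


def _member_matches(rule, category_attr, member_attr, dn):
    if rule.get(category_attr, "").lower() == "all":
        return True
    return dn in rule.get(member_attr, ())


def rule_matches(rule, uid, fqdn, service):
    if rule.get("ipaenabledflag", "FALSE").upper() != "TRUE":
        return False
    return (_member_matches(rule, "usercategory", "memberuser", user_dn(uid))
            and _member_matches(rule, "hostcategory", "memberhost", host_dn(fqdn))
            and _member_matches(rule, "servicecategory", "memberservice", service_dn(service)))


def hbac_allowed(rules, uid, fqdn, service):
    """Default deny; a matching deny rule wins over any matching allow rule
    (assumed evaluation order for this example)."""
    allowed = False
    for rule in rules:
        if not rule_matches(rule, uid, fqdn, service):
            continue
        if rule["accessruletype"].lower() == "deny":
            return False
        allowed = True
    return allowed


def evaluate(search_base, uid, fqdn="ipaqa64vma.testrelm", service="sshd"):
    """Decision a client using `search_base` would reach for uid on fqdn/service."""
    return hbac_allowed(rules_under(ENTRIES, search_base), uid, fqdn, service)


if __name__ == "__main__":
    for base in (OLD_HBAC_BASE, NEW_HBAC_BASE):
        for uid in ("one", "two"):
            verdict = "allow" if evaluate(base, uid) else "deny"
            print(f"search base {base:24} user {uid}: {verdict}")
```

With the old search base both users are denied regardless of the rules, which is the symptom in the description; with cn=hbac, user one hits the deny rule and user two the allow rule, matching the ssh results in the verification.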
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html