Bug 732996 - Access denied by HBAC rules while using the default ftp hbac service.
Summary: Access denied by HBAC rules while using the default ftp hbac service.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-24 12:18 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:50 UTC (History)

Fixed In Version: ipa-2.1.1-1.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of:
Environment:
Last Closed: 2011-12-06 18:30:22 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 0 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-08-24 12:18:49 UTC
Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64

How reproducible:


Steps to Reproduce:
1. By default we have ftp as one of the services.
# ipa hbacsvc-show ftp --all 
  dn: cn=ftp,cn=hbacservices,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service name: ftp
  Description: ftp
  ipauniqueid: 982c8bec-cd6d-11e0-b011-525400deab7b
  objectclass: ipahbacservice, ipaobject

2. However, using this service in an hbacrule fails, since the service that we look for from the ipa-client is "service: vsftpd".
  
Actual results:

<snip>
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler] (4): Got request with the following data
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): domain: lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): user: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): service: vsftpd  <<<<<<<<<<<<
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): tty: ftp
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): ruser: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): rhost: ironhide.lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): authtok type: 1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): authtok size: 10
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): newauthtok type: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): newauthtok size: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): priv: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): cli_pid: 11265
</snip>

and 

[ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules

Expected results:
like we have for ssh:
# ipa hbacsvc-show sshd --all 
  dn: cn=sshd,cn=hbacservices,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service name: sshd
  Description: sshd
  ipauniqueid: 982b3eb8-cd6d-11e0-ad6e-525400deab7b
  objectclass: ipahbacservice, ipaobject

we should have a vsftpd service instead of ftp.

Additional info:

Adding hbac service name as "Service name: vsftpd" works as expected.

Comment 1 Martin Kosek 2011-08-24 12:33:14 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1703

Comment 2 Rob Crittenden 2011-08-25 12:32:27 UTC
Fixed upstream. Added a new HBAC service for vsftpd as well as for a few other available ftp servers, and created an HBAC service group for ftp.

master: a6b3309fe6a4767cab620a5b74d38db68880185f

ipa-2-1: 40c60c89efb9723edbe4394080b1f5c080cabacf

Comment 5 Gowrishankar Rajaiyan 2011-10-06 11:12:53 UTC
Server:
[root@bumblebee ~]# ipa hostgroup-show hostgrp1
  Host-group: hostgrp1
  Description: test
  Member hosts: mudflap.lab.eng.pnq.redhat.com


[root@bumblebee ~]# ipa hbacsvcgroup-show ftp
  Service group name: ftp
  Description: Default group of ftp related services
  Member HBAC service: ftp, proftpd, pure-ftpd, gssftp, vsftpd


[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: TRUE
  Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: hostgrp1
  Service Groups: ftp
----------------------------


Client:
[root@mudflap ~]# ftp bumblebee.lab.eng.pnq.redhat.com
Connected to bumblebee.lab.eng.pnq.redhat.com (10.65.201.64).
220 (vsFTPd 2.2.2)
Name (bumblebee.lab.eng.pnq.redhat.com:root): shanks
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 



Server:
[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: FALSE
  Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: hostgrp1
  Service Groups: ftp
----------------------------


Client:
[root@mudflap ~]# ftp bumblebee.lab.eng.pnq.redhat.com
Connected to bumblebee.lab.eng.pnq.redhat.com (10.65.201.64).
220 (vsFTPd 2.2.2)
Name (bumblebee.lab.eng.pnq.redhat.com:root): shanks
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> q


/var/log/secure:
Oct  6 13:22:17 bumblebee vsftpd[9285]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=shanks rhost=mudflap.lab.eng.pnq.redhat.com  user=shanks
Oct  6 13:22:18 bumblebee vsftpd[9285]: pam_sss(vsftpd:auth): authentication success; logname= uid=0 euid=0 tty=ftp ruser=shanks rhost=mudflap.lab.eng.pnq.redhat.com user=shanks
Oct  6 13:22:18 bumblebee vsftpd[9285]: pam_sss(vsftpd:account): Access denied for user shanks: 6 (Permission denied)


Verified:
ipa-server-2.1.1-4.el6.x86_64
sssd-1.5.1-53.el6.x86_64
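Added example, not code from this bug report, FreeIPA or SSSD: a simplified Python model of how HBAC rules are evaluated against the PAM request SSSD logs, showing why the default "ftp" HBAC service never matched a "service: vsftpd" request, and why the fix (a vsftpd HBAC service inside an "ftp" service group, as listed in comment 5) makes rule1 match. The directory data, rule layout and function names are constructed for illustration.

```python
# Simplified model of IPA HBAC evaluation (what SSSD's ipa_hbac_evaluate_rules
# decides), NOT the real implementation. Constructed data modelled on this bug:
# the PAM request carries the stack name "vsftpd", not the protocol name "ftp".

USER_GROUPS = {"ipausers": {"user1", "shanks"}}
HOST_GROUPS = {"hostgrp1": {"mudflap.lab.eng.pnq.redhat.com"}}
# After the fix the "ftp" service group holds each ftp daemon's PAM service name.
HBACSVC_GROUPS = {"ftp": {"ftp", "proftpd", "pure-ftpd", "gssftp", "vsftpd"}}

# (request key, rule member key, rule group key, group table)
DIMENSIONS = [
    ("user", "users", "usergroups", USER_GROUPS),
    ("host", "hosts", "hostgroups", HOST_GROUPS),
    ("srchost", "srchosts", "srchostgroups", HOST_GROUPS),
    ("service", "services", "servicegroups", HBACSVC_GROUPS),
]

def rule_matches(rule, req):
    """Enabled, and in every dimension the category is 'all' or the value is a member."""
    if not rule.get("enabled", False):
        return False
    for rkey, mkey, gkey, table in DIMENSIONS:
        if rkey in rule.get("categories", ()):
            continue  # category 'all': this dimension is unrestricted
        allowed = set(rule.get(mkey, ()))
        for group in rule.get(gkey, ()):
            allowed |= table.get(group, set())  # expand group membership
        if req[rkey] not in allowed:
            return False
    return True

def hbac_evaluate(rules, req):
    """HBAC rules are allow-only: access is granted if any rule matches."""
    return any(rule_matches(r, req) for r in rules)

# The request as SSSD logs it, with the values from the verification in comment 5.
REQUEST = {"user": "shanks", "host": "bumblebee.lab.eng.pnq.redhat.com",
           "srchost": "mudflap.lab.eng.pnq.redhat.com", "service": "vsftpd"}

def rule1(enabled, services=(), servicegroups=()):
    """rule1 from comment 5, parameterised on its service part."""
    return {"enabled": enabled, "usergroups": {"ipausers"},
            "hosts": {"bumblebee.lab.eng.pnq.redhat.com"},
            "srchostgroups": {"hostgrp1"},
            "services": set(services), "servicegroups": set(servicegroups)}

if __name__ == "__main__":
    print(hbac_evaluate([rule1(True, services=["ftp"])], REQUEST))        # False: "ftp" != "vsftpd"
    print(hbac_evaluate([rule1(True, servicegroups=["ftp"])], REQUEST))   # True: group contains vsftpd
    print(hbac_evaluate([rule1(False, servicegroups=["ftp"])], REQUEST))  # False: rule disabled
```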

Comment 7 Martin Kosek 2011-11-01 13:47:24 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 8 errata-xmlrpc 2011-12-06 18:30:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

