Red Hat Bugzilla – Bug 732996
Access denied by HBAC rules while using the default ftp hbac service.
Last modified: 2015-01-04 18:50:44 EST
Description of problem:

Version-Release number of selected component (if applicable):
ipa-server-2.1.0-1.20110823T0253zgit3a9f626.el6.x86_64

How reproducible:

Steps to Reproduce:
1. By default we have ftp as one of the services.

# ipa hbacsvc-show ftp --all
  dn: cn=ftp,cn=hbacservices,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service name: ftp
  Description: ftp
  ipauniqueid: 982c8bec-cd6d-11e0-b011-525400deab7b
  objectclass: ipahbacservice, ipaobject

2. However, using this service in an hbacrule fails since the service that we look for from the ipa-client is "service: vsftpd".

Actual results:
<snip>
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler] (4): Got request with the following data
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): command: PAM_AUTHENTICATE
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): domain: lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): user: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): service: vsftpd   <<<<<<<<<<<<
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): tty: ftp
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): ruser: user1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): rhost: ironhide.lab.eng.pnq.redhat.com
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): authtok type: 1
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): authtok size: 10
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): newauthtok type: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): newauthtok size: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): priv: 0
(Tue Aug 23 09:24:59 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [pam_print_data] (4): cli_pid: 11265
</snip>

and

[ipa_hbac_evaluate_rules] (3): Access denied by HBAC rules

Expected results:
Like we have for ssh:

# ipa hbacsvc-show sshd --all
  dn: cn=sshd,cn=hbacservices,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Service name: sshd
  Description: sshd
  ipauniqueid: 982b3eb8-cd6d-11e0-ad6e-525400deab7b
  objectclass: ipahbacservice, ipaobject

we should have a vsftpd service instead of ftp.

Additional info:
Adding the hbac service name as "Service name: vsftpd" works as expected.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1703
Fixed upstream. Added a new HBAC service for vsftpd as well as a few other ftp servers available, and created an hbac service group for ftp.

master: a6b3309fe6a4767cab620a5b74d38db68880185f
ipa-2-1: 40c60c89efb9723edbe4394080b1f5c080cabacf
Server:
[root@bumblebee ~]# ipa hostgroup-show hostgrp1
  Host-group: hostgrp1
  Description: test
  Member hosts: mudflap.lab.eng.pnq.redhat.com

[root@bumblebee ~]# ipa hbacsvcgroup-show ftp
  Service group name: ftp
  Description: Default group of ftp related services
  Member HBAC service: ftp, proftpd, pure-ftpd, gssftp, vsftpd

[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: TRUE
  Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: hostgrp1
  Service Groups: ftp
----------------------------

Client:
[root@mudflap ~]# ftp bumblebee.lab.eng.pnq.redhat.com
Connected to bumblebee.lab.eng.pnq.redhat.com (10.65.201.64).
220 (vsFTPd 2.2.2)
Name (bumblebee.lab.eng.pnq.redhat.com:root): shanks
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Server:
[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: FALSE
  Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: hostgrp1
  Service Groups: ftp
----------------------------

Client:
[root@mudflap ~]# ftp bumblebee.lab.eng.pnq.redhat.com
Connected to bumblebee.lab.eng.pnq.redhat.com (10.65.201.64).
220 (vsFTPd 2.2.2)
Name (bumblebee.lab.eng.pnq.redhat.com:root): shanks
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> q

/var/log/secure:
Oct 6 13:22:17 bumblebee vsftpd[9285]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=shanks rhost=mudflap.lab.eng.pnq.redhat.com user=shanks
Oct 6 13:22:18 bumblebee vsftpd[9285]: pam_sss(vsftpd:auth): authentication success; logname= uid=0 euid=0 tty=ftp ruser=shanks rhost=mudflap.lab.eng.pnq.redhat.com user=shanks
Oct 6 13:22:18 bumblebee vsftpd[9285]: pam_sss(vsftpd:account): Access denied for user shanks: 6 (Permission denied)

Verified:
ipa-server-2.1.1-4.el6.x86_64
sssd-1.5.1-53.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html