Bug 734706 - ipa hbactest does not evaluate users from groups in an hbacrule.
Summary: ipa hbactest does not evaluate users from groups in an hbacrule.
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Depends On:
TreeView+ depends on / blocked
Reported: 2011-08-31 08:28 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:50 UTC (History)
4 users (show)

Fixed In Version: ipa-2.1.2-1.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of:
Last Closed: 2011-12-06 18:30:37 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Gowrishankar Rajaiyan 2011-08-31 08:28:37 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a ipa user. 
2. Create an hbacrule with ipausers group.

[root@bumblebee ~]# ipa group-show ipausers
  Group name: ipausers
  Description: Default group for all users
  GID: 1798000001
  Member users: user1, user2

[root@bumblebee ~]# ipa hbacrule-show ssh --all
  dn: ipauniqueid=af2c57e6-cfed-11e0-8fa4-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: ssh
  Source host category: all
  Enabled: TRUE
  Groups: admins, ipausers
  Hosts: ironhide.lab.eng.pnq.redhat.com
  Services: sshd
  accessruletype: allow
  ipauniqueid: af2c57e6-cfed-11e0-8fa4-525400deab7b
  objectclass: ipaassociation, ipahbacrule
[root@bumblebee ~]# 

3. Execute the ipa hbactest to evaluate and check the access for user1 is true or false

4. [root@bumblebee ~]# ipa hbactest --user=user1 --srchost=all --host=ironhide.lab.eng.pnq.redhat.com --service=sshd

Actual results:

[root@bumblebee ~]# ipa hbactest --user=user1 --srchost=all --host=ironhide.lab.eng.pnq.redhat.com --service=sshd

Access granted: False
  notmatched: rule1
  notmatched: ssh

Expected results:

Should be "True", since user1 belongs to ipausers.

Additional info:

Comment 1 Gowrishankar Rajaiyan 2011-08-31 08:31:50 UTC
Upstream ticket:

Comment 3 Jenny Severance 2011-08-31 15:12:35 UTC
This is the biggest use case, users in a group are allowed access or not...

Comment 4 Rob Crittenden 2011-09-12 18:18:31 UTC
Fixed upstream:

master: 1bdb5d04fe14c92c57a4ef151be9c2eda7ca705f

ipa-2-1: 452863dcbaf1a82b0a879e3a2f3e58ffa1803c2f

Comment 7 Gowrishankar Rajaiyan 2011-10-08 13:26:06 UTC
[root@bumblebee ~]# ipa hbacrule-add-user rule2 
[member user]: 
[member group]: ipausers
  Rule name: rule2
  Enabled: TRUE
  User Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source Hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
Number of members added 1
[root@bumblebee ~]# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd 
Access granted: True
  matched: rule2

# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.2                             Vendor: Red Hat, Inc.
Release     : 2.el6                         Build Date: Fri 07 Oct 2011 05:09:04 PM EDT
Install Date: Sat 08 Oct 2011 07:36:33 AM EDT      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.2-2.el6.src.rpm
Size        : 3363225                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 9 Martin Kosek 2011-11-01 13:26:03 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    New Contents:
Do not document

Comment 10 errata-xmlrpc 2011-12-06 18:30:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.