Bug 736276 – ipa hbactest fails if sourcehost is external.

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 736276 - ipa hbactest fails if sourcehost is external.

Summary:	ipa hbactest fails if sourcehost is external.

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	6.2
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	740860 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2011-09-07 04:59 EDT by Gowrishankar Rajaiyan
Modified:	2015-01-04 18:50 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	ipa-2.1.2-1.el6
Doc Type:	Bug Fix
Doc Text:	Do not document
Story Points:	---
Clone Of:
Environment:
Last Closed:	2011-12-06 13:30:48 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-05 20:23:31 EST

Groups: None (edit)

Description Gowrishankar Rajaiyan 2011-09-07 04:59:59 EDT

Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.0-105.20110905T0552zgit5d9756d.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create an hbacrule as:
# ipa hbacrule-show rule2 --all
  dn: ipauniqueid=bcc94bbe-d91d-11e0-aafb-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  accessruletype: allow
  ipauniqueid: bcc94bbe-d91d-11e0-aafb-525400deab7b
  objectclass: ipaassociation, ipahbacrule

2. Add external host as source host.
ipa hbacrule-add-sourcehost rule2 --hosts=external.lab.eng.pnq.redhat.com

3. # ipa hbacrule-show rule2 --all
  dn: ipauniqueid=bcc94bbe-d91d-11e0-aafb-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
  accessruletype: allow
  ipauniqueid: bcc94bbe-d91d-11e0-aafb-525400deab7b
  objectclass: ipaassociation, ipahbacrule

4. ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
  
Actual results:
# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
---------------------
Access granted: False
---------------------
  notmatched: rule2


Expected results:
# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
---------------------
Access granted: True
---------------------
  matched: rule2

Additional info:

Comment 2 Martin Kosek 2011-09-07 06:11:37 EDT

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1763

Comment 3 Martin Kosek 2011-09-13 07:17:01 EDT

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/261a41b3d4e78f7563a4cc72ebd2b4db42fac3bf
ipa-2-1: https://fedorahosted.org/freeipa/changeset/e77bc923c6f7839a38e2af43efd87b92a669c86e

Comment 4 Gowrishankar Rajaiyan 2011-09-27 02:30:33 EDT

*** Bug 740860 has been marked as a duplicate of this bug. ***

Comment 7 Gowrishankar Rajaiyan 2011-10-08 09:04:35 EDT

[root@bumblebee ~]#  ipa hbacrule-show rule2 --all
  dn: ipauniqueid=6610ff46-f1e2-11e0-b1e8-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source Hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  accessruletype: allow
  ipauniqueid: 6610ff46-f1e2-11e0-b1e8-525400deab7b
  objectclass: ipaassociation, ipahbacrule
[root@bumblebee ~]# 

[root@bumblebee ~]# ipa hbacrule-add-sourcehost rule2 --hosts=external.lab.eng.pnq.redhat.com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source Hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
-------------------------
Number of members added 1
-------------------------

[root@bumblebee ~]# ipa hbacrule-show rule2 --all
  dn: ipauniqueid=6610ff46-f1e2-11e0-b1e8-525400deab7b,cn=hbac,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
  Rule name: rule2
  Enabled: TRUE
  Users: shanks
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source Hosts: mudflap.lab.eng.pnq.redhat.com
  Services: vsftpd
  External host: external.lab.eng.pnq.redhat.com
  accessruletype: allow
  ipauniqueid: 6610ff46-f1e2-11e0-b1e8-525400deab7b
  objectclass: ipaassociation, ipahbacrule
[root@bumblebee ~]# 

[root@bumblebee ~]# ipa hbactest --user=shanks --srchost=external.lab.eng.pnq.redhat.com --host=bumblebee.lab.eng.pnq.redhat.com --service=vsftpd --rule=rule2
--------------------
Access granted: True
--------------------
  matched: rule2
[root@bumblebee ~]# 


Verified.
[root@bumblebee ~]# rpm -qi ipa-server
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.2                             Vendor: Red Hat, Inc.
Release     : 2.el6                         Build Date: Fri 07 Oct 2011 05:09:04 PM EDT
Install Date: Sat 08 Oct 2011 07:36:33 AM EDT      Build Host: x86-001.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.2-2.el6.src.rpm
Size        : 3363225                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 8 Martin Kosek 2011-11-01 09:18:35 EDT

hbactest is post-6.1 feature.

Comment 9 Martin Kosek 2011-11-01 09:18:35 EDT

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 10 errata-xmlrpc 2011-12-06 13:30:48 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.