Bug 741751 - HBAC rule evaluation does not properly handle host groups
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.2
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 6.2
Assigned To: Stephen Gallagher
QA Contact: IDM QE LIST
Blocks: 741767 748883
 
Reported: 2011-09-27 15:58 EDT by Stephen Gallagher
Modified: 2011-12-06 11:40 EST (History)
Fixed In Version: sssd-1.5.1-53.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clones: 748883
Last Closed: 2011-12-06 11:40:16 EST


Description Stephen Gallagher 2011-09-27 15:58:15 EDT
Description of problem:
HBAC rules configured on a FreeIPA server can be set up to limit access to particular hosts or groups of hosts. There is a bug in SSSD that fails to properly process host-groups. The effect of this is that users cannot log into the machine unless it is specified explicitly (instead of as a member of a hostgroup) in the rule.

Version-Release number of selected component (if applicable):
sssd-1.5.1-52.el6

How reproducible:
Every time

Steps to Reproduce:
1. On the FreeIPA server, create a hostgroup and add a host to it.
2. Create an HBAC rule that allows access based on the hostgroup above (set all other features of the rule to the ALL hostcat for easy testing).
3. Disable all other rules (so only this one is active).
4. On the client host, attempt to log in with a valid FreeIPA user.
  
Actual results:
The user is denied.

Expected results:
The user is granted access.


Additional info:
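To make the failure mode in the description concrete, here is a simplified model of HBAC rule evaluation. This is an added illustration, not SSSD's own hbac_evaluator code: the rule and request structures, the names (hostgrp1 aside, which comes from the reproduction steps), and the `expand_host_groups` switch that stands in for the defect are all constructed for this example. It assumes, as the description states, that the target host's host-group membership has been resolved from the FreeIPA server before the rule is checked.

```python
"""Simplified model of FreeIPA HBAC rule evaluation with host-group expansion.

Added example: a toy evaluator written for illustration, not SSSD's
hbac_evaluator. The expand_host_groups switch models the defect from the
bug description (host groups not processed); HBAC itself is default-deny.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class HbacRule:
    """One HBAC rule as listed by `ipa hbacrule-find` (simplified)."""
    name: str
    enabled: bool = True
    user_cat_all: bool = False      # "User category: all"
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    host_cat_all: bool = False      # "Host category: all"
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    service_cat_all: bool = False   # "Service category: all"
    services: set = field(default_factory=set)


@dataclass
class AccessRequest:
    """What the client knows when a user logs in on a host (hypothetical)."""
    user: str
    user_groups: set          # groups the user belongs to (resolved from IPA)
    host: str
    host_groups: set          # host groups the target host belongs to
    service: str


def _matches(cat_all: bool, names: set, groups: set,
             name: str, member_of: set, expand_groups: bool) -> bool:
    """Match one rule element (user/host/service) against the request."""
    if cat_all:
        return True
    if name in names:                      # explicit member of the rule
        return True
    # Group membership only counts when the evaluator expands groups.
    return expand_groups and bool(groups & member_of)


def evaluate(rules: list, req: AccessRequest,
             expand_host_groups: bool = True):
    """Return (allowed, rule_name). Default-deny: the first enabled rule
    whose user, host and service elements all match grants access."""
    for rule in rules:
        if not rule.enabled:
            continue
        user_ok = _matches(rule.user_cat_all, rule.users, rule.user_groups,
                           req.user, req.user_groups, True)
        host_ok = _matches(rule.host_cat_all, rule.hosts, rule.host_groups,
                           req.host, req.host_groups, expand_host_groups)
        svc_ok = _matches(rule.service_cat_all, rule.services, set(),
                          req.service, set(), True)
        if user_ok and host_ok and svc_ok:
            return True, rule.name
    return False, None


# Constructed sample data mirroring the reproduction steps (hypothetical names).
RULES = [
    HbacRule("allow_all", enabled=False, user_cat_all=True,
             host_cat_all=True, service_cat_all=True),
    HbacRule("rule1", user_cat_all=True, host_groups={"hostgrp1"},
             service_cat_all=True),
]

LOGIN = AccessRequest(user="alice", user_groups={"ipausers"},
                      host="client.example.test",
                      host_groups={"hostgrp1"}, service="sshd")


def fixed_result():
    """Host groups expanded: the hostgroup member host matches rule1."""
    return evaluate(RULES, LOGIN, expand_host_groups=True)


def buggy_result():
    """Host groups ignored (the defect): no rule matches, so default deny."""
    return evaluate(RULES, LOGIN, expand_host_groups=False)


def explicit_host_result():
    """Workaround named in the report: listing the host explicitly matches
    even when host groups are not expanded."""
    rules = [HbacRule("rule1_explicit", user_cat_all=True,
                      hosts={LOGIN.host}, service_cat_all=True)]
    return evaluate(rules, LOGIN, expand_host_groups=False)


def disabled_rule_result():
    """With the only matching rule disabled, access falls to default deny."""
    rules = [HbacRule("rule1", enabled=False, user_cat_all=True,
                      host_groups={"hostgrp1"}, service_cat_all=True)]
    return evaluate(rules, LOGIN)


if __name__ == "__main__":
    print("fixed:   ", fixed_result())
    print("buggy:   ", buggy_result())
    print("explicit:", explicit_host_result())
    print("disabled:", disabled_rule_result())
```

The point the model makes is that the ALL category and explicit host entries match regardless of group handling, so a rule that relies solely on a host group silently stops granting access when the evaluator skips group expansion; because HBAC has no permissive fallback, that shows up as a denial rather than an error.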
Comment 2 Stephen Gallagher 2011-09-30 07:59:01 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1018
Comment 5 Gowrishankar Rajaiyan 2011-10-06 01:35:09 EDT
Server:
[root@bumblebee ~]# ipa hostgroup-find
-------------------
1 hostgroup matched
-------------------
  Host-group: hostgrp1
  Description: test
  Member hosts: mudflap.lab.eng.pnq.redhat.com
----------------------------


[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: TRUE
  Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: hostgrp1
  Services: sshd
----------------------------

Client:
[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks@bumblebee.lab.eng.pnq.redhat.com's password: 
Last login: Thu Oct  6 07:40:33 2011 from mudflap.lab.eng.pnq.redhat.com

Server:
[root@bumblebee ~]# ipa hbacrule-disable rule1
--------------------------
Disabled HBAC rule "rule1"
--------------------------
[root@bumblebee ~]# ipa hbacrule-find 
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: FALSE
  Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: hostgrp1
  Services: sshd
----------------------------

Client:
[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks@bumblebee.lab.eng.pnq.redhat.com's password: 
Connection closed by 10.65.201.64


Verified.
ipa-server-2.1.1-4.el6.x86_64
sssd-1.5.1-53.el6.x86_64
Comment 6 Jakub Hrozek 2011-10-27 10:32:11 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Do not document
Comment 7 errata-xmlrpc 2011-12-06 11:40:16 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html
