Description of problem:
HBAC rules configured on a FreeIPA server can be set up to limit access to particular hosts or groups of hosts. There is a bug in SSSD that fails to properly process host-groups. The effect of this is that users cannot log into the machine unless it is specified explicitly (instead of as a member of a hostgroup) in the rule.

Version-Release number of selected component (if applicable):
sssd-1.5.1-52.el6

How reproducible:
Every time

Steps to Reproduce:
1. On the FreeIPA server, create a hostgroup and add a host to it.
2. Create an HBAC rule that allows access based on the hostgroup above (set all other features of the rule to the ALL hostcat for easy testing).
3. Disable all other rules (so only this one is active).
4. On the client host, attempt to log in with a valid FreeIPA user.

Actual results:
The user is denied.

Expected results:
The user is granted access.

Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/1018
Server:

[root@bumblebee ~]# ipa hostgroup-find
-------------------
1 hostgroup matched
-------------------
  Host-group: hostgrp1
  Description: test
  Member hosts: mudflap.lab.eng.pnq.redhat.com
----------------------------
[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: TRUE
  Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: hostgrp1
  Services: sshd
----------------------------

Client:

[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks.eng.pnq.redhat.com's password:
Last login: Thu Oct 6 07:40:33 2011 from mudflap.lab.eng.pnq.redhat.com

Server:

[root@bumblebee ~]# ipa hbacrule-disable rule1
--------------------------
Disabled HBAC rule "rule1"
--------------------------
[root@bumblebee ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: rule1
  Enabled: FALSE
  Groups: ipausers
  Hosts: bumblebee.lab.eng.pnq.redhat.com
  Source host groups: hostgrp1
  Services: sshd
----------------------------

Client:

[root@mudflap ~]# ssh -l shanks bumblebee.lab.eng.pnq.redhat.com
shanks.eng.pnq.redhat.com's password:
Connection closed by 10.65.201.64

Verified.
ipa-server-2.1.1-4.el6.x86_64
sssd-1.5.1-53.el6.x86_64
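The reproduction steps and the verification output above boil down to one evaluation question: does a host reached only through a hostgroup satisfy the rule? The following is an added example, not SSSD or FreeIPA code, that models HBAC rule matching with hostgroup expansion using the rule names, hosts and group from this report; the HOSTGROUPS membership table and the scenario() helper are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat: str = ""      # "all", or "" so that the explicit lists apply
    groups: set = field(default_factory=set)
    hostcat: str = ""
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    srchostcat: str = ""
    srchostgroups: set = field(default_factory=set)
    servicecat: str = ""
    services: set = field(default_factory=set)

HOSTGROUPS = {"hostgrp1": {"mudflap.lab.eng.pnq.redhat.com"}}  # constructed, per "ipa hostgroup-find" above

def host_matches(host, cat, hosts, hostgroups, members):
    """Category ALL, an explicit host entry, or membership in a referenced hostgroup."""
    if cat == "all" or host in hosts:
        return True
    # Expanding hostgroups to member hosts is the step the bug skipped; without it a host covered only through a hostgroup never matches.
    return any(host in members.get(hg, set()) for hg in hostgroups)

def hbac_allowed(rules, members, user_groups, host, srchost, service):
    """Return the name of the first enabled rule that matches, or None (deny)."""
    for r in rules:
        if not r.enabled:
            continue
        user_ok = r.usercat == "all" or bool(user_groups & r.groups)
        host_ok = host_matches(host, r.hostcat, r.hosts, r.hostgroups, members)
        src_ok = host_matches(srchost, r.srchostcat, set(), r.srchostgroups, members)
        svc_ok = r.servicecat == "all" or service in r.services
        if user_ok and host_ok and src_ok and svc_ok:
            return r.name
    return None

def scenario(rule1_enabled, srchost="mudflap.lab.eng.pnq.redhat.com"):
    """The report's two rules; rule1 covers mudflap only through 'Source host groups'."""
    rules = [
        HbacRule("allow_all", enabled=False, usercat="all", hostcat="all",
                 srchostcat="all", servicecat="all"),
        HbacRule("rule1", enabled=rule1_enabled, groups={"ipausers"},
                 hosts={"bumblebee.lab.eng.pnq.redhat.com"},
                 srchostgroups={"hostgrp1"}, services={"sshd"}),
    ]
    return hbac_allowed(rules, HOSTGROUPS, {"ipausers"},
                        "bumblebee.lab.eng.pnq.redhat.com", srchost, "sshd")
```

scenario(True) returns "rule1" (login from mudflap allowed) and scenario(False) returns None (connection closed), matching the two ssh attempts above; a source host outside hostgrp1 is denied even with rule1 enabled.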
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1529.html