Bug 741767 - HBAC: typos preventing proper hostgroup evaluation
Product: Fedora
Classification: Fedora
Component: sssd
Hardware: All Linux
Priority: unspecified
Severity: high
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Depends On: 741751 748883
Reported: 2011-09-27 16:17 EDT by Jr Aquino
Modified: 2011-11-02 14:50 EDT
Fixed In Version: sssd-1.5.14-3.fc15
Doc Type: Bug Fix
Last Closed: 2011-11-02 14:50:54 EDT
External Trackers: FedoraHosted SSSD 1018 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Jr Aquino 2011-09-27 16:17:13 EDT
Description of problem:
Two typos in sssd broke host group support in the HBAC rewrite.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create FreeIPA hbacrule with a posixgroup and hostgroup.
2. Try to ssh into a host which is a member of the hostgroup
3. Authorization is denied
Actual results:
HBAC Rule doesn't match the host due to typos

Expected results:
HBAC Rule Permits the login

Additional info:
Comment 1 Dmitri Pal 2011-09-27 18:21:53 EDT
Can you provide an example of the typo? Is it the typo in the rule values on the server or something else?
Comment 2 Jr Aquino 2011-09-27 18:27:57 EDT
This is addressed by Stephen Gallagher's patch. It just needs to make sure it finds its way up into Red Hat for 5.x and 6.x fixes as it is a blocking issue.

The typo was looking in the wrong container for hbac hostgroups if I understand correctly.

From 52debcfac8f73629cd7ad3dabc428c3a6a652ba4 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 27 Sep 2011 15:04:33 -0400
Subject: [PATCH] HBAC: fix typos preventing proper hostgroup evaluation

 src/providers/ipa/ipa_hbac_common.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index a9be90b846d7b6ae2e8b59a6d4446294ca90d78a..97784c02c7d0cbf8bc061cdd1ee451d926522ca6 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -805,7 +805,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     struct ldb_message **msgs;
     const char *group_name;
     struct ldb_dn *host_dn;
-    const char *attrs[] = { IPA_HOST_FQDN, NULL };
+    const char *attrs[] = { IPA_CN, NULL };
     const char *host_filter;
     tmp_ctx = talloc_new(mem_ctx);
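
Review bot: The attrs declaration at the top of hbac_eval_host_element carries no comment saying which kind of entry the attribute list is meant for, and this function handles both a host and its groups, so a wrong attribute name here is easy to miss in review. The later loop reads the value into group_name, so a one-line comment above attrs stating that the search results are host group entries identified by IPA_CN would make the intent checkable at the declaration.
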
@@ -842,7 +842,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     host_dn = sysdb_custom_dn(sysdb, tmp_ctx, domain->name,
-                             host->name, HBAC_SERVICES_SUBDIR);
+                             host->name, HBAC_HOSTS_SUBDIR);
     if (host_dn == NULL) {
         ret = ENOMEM;
         goto done;
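
Review bot: Missing regression test for the host_dn lookup. The diffstat shows only ipa_hbac_common.c changing, and the call to sysdb_custom_dn accepts either subdirectory constant without complaint, so only a test can catch a wrong container being passed here. Suggest adding a test that evaluates a rule containing a hostgroup against a host that is a member of it, mirroring the reproduction steps in the report, and asserts that the rule matches.
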
@@ -867,7 +867,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     for (i = 0; i < count; i++) {
         group_name = ldb_msg_find_attr_as_string(msgs[i],
-                                                 IPA_HOST_FQDN,
+                                                 IPA_CN,
         if (group_name == NULL) {
             DEBUG(1, ("Group with no name?\n"));
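
Review bot: The attribute read from msgs[i] in this loop has to stay identical to the one requested in attrs at the top of the function, and the two are still kept in step by hand, roughly sixty lines apart (hunks at 805 and 867). Consider reading attrs[0] here, or defining one local constant used in both places, so the request list and the lookup cannot diverge. The context line DEBUG(1, ("Group with no name?\n")) also gives no indication of which entry lacked a name; logging the entry's DN would help when diagnosing a denied login.
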
Comment 3 Jakub Hrozek 2011-10-20 10:31:35 EDT
This was fixed upstream in https://fedorahosted.org/sssd/ticket/1018 and will be fixed in 1.5.14/1.6.2
