Description of problem:
Two typos in sssd broke host group support in the HBAC rewrite.

Version-Release number of selected component (if applicable):
sssd-1.5

How reproducible:
100%

Steps to Reproduce:
1. Create FreeIPA hbacrule with a posixgroup and hostgroup.
2. Try to ssh into a host which is a member of the hostgroup
3. Authorization is denied

Actual results:
HBAC rule doesn't match the host due to typos

Expected results:
HBAC rule permits the login

Additional info:
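The reproduction above only shows that the login is refused; it does not say which of the two HBAC evaluators refused it, the IPA server or the sssd client. The script below is an added example (not from this bug report or the sssd project) that keeps the two apart: it prints the server-side commands for step 1, asks the server's own engine for a verdict with `ipa hbactest`, and classifies the server verdict against the ssh result so a denial can be attributed to the client side (as here) or to the rule itself. It assumes a FreeIPA 2.1 or later CLI (`ipa hbacrule-*`, `ipa hbactest`), an enrolled client with a valid Kerberos ticket, and these constructed names: rule `hg-sshd`, group `devs`, hostgroup `webservers`, host `web1.example.test`, user `alice`. Nothing touches a server unless `HBAC_RUN=1` is set and `ipa` is installed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of sssd.
# Assumed names (override via environment): rule hg-sshd, group devs,
# hostgroup webservers, host web1.example.test, user alice.
RULE=${RULE:-hg-sshd}
GROUP=${GROUP:-devs}
HOSTGROUP=${HOSTGROUP:-webservers}
HOST=${HOST:-web1.example.test}
IPAUSER=${IPAUSER:-alice}

# Step 1 of the report: a rule whose "who" is a POSIX group and whose
# "where" is a hostgroup, restricted to sshd. Printed rather than run so
# the script can be reviewed and tested on a machine without the ipa CLI.
hbac_setup_cmds() {
    printf '%s\n' \
        "ipa hbacrule-add $RULE --desc=hostgroup-regression-check" \
        "ipa hbacrule-add-user $RULE --groups=$GROUP" \
        "ipa hbacrule-add-host $RULE --hostgroups=$HOSTGROUP" \
        "ipa hbacrule-add-service $RULE --hbacsvcs=sshd"
}

# Server-side verdict: the IPA server evaluates the rule itself, so sssd
# on the client is not involved at all.
hbac_server_cmd() {
    printf 'ipa hbactest --user=%s --host=%s --service=sshd --rules=%s\n' \
        "$IPAUSER" "$HOST" "$RULE"
}

# Reduce the output of `ipa hbactest` to granted|denied|unknown.
hbac_parse_verdict() {
    case "$1" in
        *"Access granted: True"*)  echo granted ;;
        *"Access granted: False"*) echo denied ;;
        *)                         echo unknown ;;
    esac
}

# Combine the server verdict with the client result, i.e. the exit status of
#   ssh -o BatchMode=yes "$IPAUSER@$HOST" true
# (0 = login allowed, non-zero = refused). The report's symptom is the
# second case: the server's engine grants, the client's (sssd) denies.
hbac_diagnose() {
    server=$1
    client_rc=$2
    case "$server:$client_rc" in
        granted:0) echo "consistent: rule permits login" ;;
        granted:*) echo "client-side: server grants, sssd denies (check sssd HBAC evaluation/cache)" ;;
        denied:0)  echo "client-side: server denies, sssd grants (stale cache or fail-open, investigate)" ;;
        denied:*)  echo "server-side: rule itself does not match (check rule membership)" ;;
        *)         echo "unknown: could not parse hbactest output" ;;
    esac
}

# Only talk to a real server when explicitly asked and the CLI is present.
if [ "${HBAC_RUN:-0}" = 1 ] && command -v ipa >/dev/null 2>&1; then
    hbac_setup_cmds | sh -e
    out=$(eval "$(hbac_server_cmd)")
    if ssh -o BatchMode=yes "$IPAUSER@$HOST" true; then rc=0; else rc=$?; fi
    hbac_diagnose "$(hbac_parse_verdict "$out")" "$rc"
fi
```

With the typo described in this bug, `hbac_diagnose` lands in the "client-side" branch: `ipa hbactest` reports the rule as matched and access granted, while the ssh login to the hostgroup member is refused, which is the fail-closed outcome one wants from a broken authorization check but gives no hint about the cause without sssd's own debug log.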
Can you provide an example of the typo? Is it the typo in the rule values on the server or something else?
This is addressed by Stephen Gallagher's patch. It just needs to make sure it finds its way up into Redhat for 5.x and 6.x fixes as it is a blocking issue. The typo was looking in the wrong container for hbac hostgroups if I understand correctly. From 52debcfac8f73629cd7ad3dabc428c3a6a652ba4 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <sgallagh> Date: Tue, 27 Sep 2011 15:04:33 -0400 Subject: [PATCH] HBAC: fix typos preventing proper hostgroup evaluation --- src/providers/ipa/ipa_hbac_common.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c index a9be90b846d7b6ae2e8b59a6d4446294ca90d78a..97784c02c7d0cbf8bc061cdd1ee451d926522ca6 100644 --- a/src/providers/ipa/ipa_hbac_common.c +++ b/src/providers/ipa/ipa_hbac_common.c @@ -805,7 +805,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx, struct ldb_message **msgs; const char *group_name; struct ldb_dn *host_dn; - const char *attrs[] = { IPA_HOST_FQDN, NULL }; + const char *attrs[] = { IPA_CN, NULL }; const char *host_filter; tmp_ctx = talloc_new(mem_ctx); @@ -842,7 +842,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx, } host_dn = sysdb_custom_dn(sysdb, tmp_ctx, domain->name, - host->name, HBAC_SERVICES_SUBDIR); + host->name, HBAC_HOSTS_SUBDIR); if (host_dn == NULL) { ret = ENOMEM; goto done; @@ -867,7 +867,7 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx, for (i = 0; i < count; i++) { group_name = ldb_msg_find_attr_as_string(msgs[i], - IPA_HOST_FQDN, + IPA_CN, NULL); if (group_name == NULL) { DEBUG(1, ("Group with no name?\n")); -- 1.7.6.2
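Review bot: in the @@ -805 hunk, the attrs[] list in hbac_eval_host_element now requests IPA_CN, and it must stay in lock-step with the attribute read out of msgs[i] in the @@ -867 hunk; a mismatch between the two is exactly what the pre-patch code had (asking hostgroup entries for IPA_HOST_FQDN, an attribute the patch itself shows they are not named by), so every group returned by the search hit the "Group with no name?" path and the host never matched. Suggest naming the attribute once (for example a single `#define` or `static const char *` used by both the attrs[] list and the ldb_msg_find_attr_as_string() call) so the two sites cannot drift apart again, and adding a regression test that evaluates a rule whose host element is a hostgroup rather than a single host.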
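Review bot: in the @@ -842 hunk, host_dn is built from host->name under HBAC_HOSTS_SUBDIR instead of HBAC_SERVICES_SUBDIR, which is the container a host entry actually lives in; the old value explains the reported symptom, since a DN in the services subtree matches no host, the membership search finds no hostgroups for it, and the rule fails closed (the right failure direction for an authorization check, but an unexplained one). The NULL check mapping to ENOMEM is correct for an allocation failure in sysdb_custom_dn(). Suggest wrapping the sysdb_custom_dn(sysdb, ..., host->name, HBAC_HOSTS_SUBDIR) construction in a small helper (hypothetical name: hbac_host_dn()) so the hosts/services choice is made in one place and a copy-paste of the services variant cannot recur.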
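Review bot: in the @@ -867 hunk, group_name is now read via IPA_CN, matching the attrs[] request; the remaining weak spot is the DEBUG(1, ("Group with no name?\n")) branch, which with the old attribute name fired for every hostgroup without saying which entry or which attribute was missing, so the typo surfaced only as a silent deny. Suggest logging the entry and the attribute in that message, e.g. ldb_dn_get_linearized(msgs[i]->dn) together with the attribute name; the visible lines do not show whether the loop skips the entry or aborts on a NULL name, and a per-entry log line makes either choice diagnosable from the sssd log instead of requiring a source read.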
This was fixed upstream in https://fedorahosted.org/sssd/ticket/1018 and will be fixed in 1.5.14/1.6.2