Bug 848531 - hbactest does not work with trusted users
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: IDM QE LIST
Depends On: 1049533 1446178
Blocks: 1446176
Reported: 2012-08-15 16:23 EDT by Dmitri Pal
Modified: 2017-04-27 08:00 EDT
Fixed In Version: ipa-3.3.3-11.el7
Doc Type: Bug Fix
Clones: 1446176
Last Closed: 2014-06-13 08:41:27 EDT
Attachments: None
Description Dmitri Pal 2012-08-15 16:23:35 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2997

[root@rasalghul ~]# ipa group-show ext_test --all
  dn: cn=ext_test,cn=groups,cn=accounts,dc=ipalab,dc=qe
  Group name: ext_test
  Description: External test group
  Member of groups: local_ipa_group
  Indirect Member of HBAC rule: fuser_sshd
  ipaexternalmember: S-1-5-21-3655990580-1375374850-1633065477-1104,
                     S-1-5-21-3655990580-1375374850-1633065477-1106,
                     S-1-5-21-3655990580-1375374850-1633065477-513
  ipauniqueid: b022c278-dfd4-11e1-990d-525400f8a02f
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

[root@rasalghul ~]# ipa group-show local_ipa_group
  Group name: local_ipa_group
  Description: Local IPA Group
  GID: 592000004
  Member groups: ext_test
  Member of HBAC rule: fuser_sshd

[root@rasalghul ~]# ipa hbacsvcgroup-show sshders
  Service group name: sshders
  Description: Default group for ssh
  Member HBAC service: sshd

[root@rasalghul ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: fuser_sshd
  Host category: all
  Source host category: all
  Enabled: TRUE
  User Groups: local_ipa_group
  Service Groups: sshders
----------------------------
Number of entries returned 2
----------------------------

[root@rasalghul ~]# ipa hbactest
User name: S-1-5-21-3655990580-1375374850-1633065477-513
Target host: rasalghul.ipalab.qe
Service: sshd
---------------------
Access granted: False
---------------------
  Not matched rules: fuser_sshd

[root@rasalghul ~]# ipa hbactest
User name: S-1-5-21-3655990580-1375374850-1633065477-1104
Target host: rasalghul.ipalab.qe
Service: sshd
---------------------
Access granted: False
---------------------
  Not matched rules: fuser_sshd

[root@rasalghul ~]# rpm -qa | grep freeipa-server
freeipa-server-selinux-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
freeipa-server-trust-ad-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
freeipa-server-2.99.0-0.20120812T2023Zgit94d457e.fc17.x86_64
Comment 2 Martin Kosek 2013-02-14 02:43:48 EST
Fixed upstream:

master:
b8079f9ed4ba9632c77fa973aa2247a4d30434fa Fix hbachelp examples formatting
85d16ad7de4cd52e349ee2a7c8ed9b0d72657d33 Add support for AD users to hbactest command
d79aac855b31523b8dd7efcfd0bea3feb59cdaa0 Do not hide SID resolver error in group-add-member
e60e80e2b6710e581e417d9e7e05cea21ba9f6b0 Generalize AD GC search

ipa-3-1:
2f52d04f1c111b350e70f3f2b936630126e63684 Fix hbachelp examples formatting
0946e6f5ff5747c444ebdf33569e41ed42bc7f5a Add support for AD users to hbactest command
7a01ecb6adb6ed56462df32b7bc56952b25667c6 Do not hide SID resolver error in group-add-member
406d92950d1afb1213c3677cc4138ca4e8b4aff5 Generalize AD GC search


hbactest --user option will now accept and test HBAC for trusted domain users or trusted domain user SIDs. See "ipa help hbactest" for help or examples.
Comment 5 Scott Poore 2014-01-09 13:06:44 EST
This appears to still be an issue in later versions:

ipa-server-3.3.3-10.el7.x86_64

[root@rhel7-1 ~]# ipa hbacrule-add-user testrule --groups=ad2_adgroup1
  Rule name: testrule
  Enabled: TRUE
  User Groups: ad2_adgroup1
  Hosts: rhel7-1.ipa1.example.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa group-show ad2_adgroup1
  Group name: ad2_adgroup1
  Description: ad2 adgroup1 posix group
  GID: 114000006
  Member groups: ad2_adgroup1_external
  Member of Sudo rule: testrule
  Member of HBAC rule: testrule

[root@rhel7-1 ~]# ipa group-show --all ad2_adgroup1_external
  dn: cn=ad2_adgroup1_external,cn=groups,cn=accounts,dc=ipa1,dc=example,dc=test
  Group name: ad2_adgroup1_external
  Description: ad2 adgroup1 external group
  Member of groups: ad2_adgroup1
  Indirect Member of Sudo rule: testrule
  Indirect Member of HBAC rule: testrule
  External member: S-1-5-21-1515602834-2930230041-3336973146-1131
  ipauniqueid: b6b1aec2-7945-11e3-a5ac-0000c0a87a47
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

[root@rhel7-1 ~]# wbinfo -s S-1-5-21-1515602834-2930230041-3336973146-1131
AD2\adgroup1 2

[root@rhel7-1 ~]# id 'AD2\Aduser1'
uid=551801125(aduser1@ad2.example.test) gid=551801125(aduser1@ad2.example.test) groups=551801125(aduser1@ad2.example.test),551800513(domain users@ad2.example.test),551801131(adgroup1@ad2.example.test),114000006(ad2_adgroup1)

[root@rhel7-1 ~]# ipa hbactest --user 'AD2\aduser1' --host $(hostname) --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: testrule
Comment 6 Martin Kosek 2014-01-10 06:46:48 EST
Thanks Scott, good catch. I investigated the issue and found out that this is a regression introduced in a FreeIPA 3.3 ticket:
https://fedorahosted.org/freeipa/ticket/3803

I prepared a patch fixing the issue and submitted upstream.
Comment 9 Scott Poore 2014-01-10 11:43:58 EST
Verified.

Version ::

ipa-server-3.3.3-11.el7.x86_64

Test Results ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa_trust_func_bug_848531:  hbactest does not work with trusted users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'kdestroy -A' (Expected 0, got 0)
:: [ 10:18:59 ] ::  Create group for testing bug
-------------------------------
Added group "bz848531_external"
-------------------------------
  Group name: bz848531_external
  Description: 0
:: [   PASS   ] :: Running 'ipa group-add --desc=0 bz848531_external --external' (Expected 0, got 0)
----------------------
Added group "bz848531"
----------------------
  Group name: bz848531
  Description: 0
  GID: 1150600009
:: [   PASS   ] :: Running 'ipa group-add --desc=0 bz848531' (Expected 0, got 0)
  Group name: bz848531
  Description: 0
  GID: 1150600009
  Member groups: bz848531_external
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa group-add-member bz848531 --groups=bz848531_external' (Expected 0, got 0)
  Group name: bz848531_external
  Description: 0
  External member: S-1-5-21-1515602834-2930230041-3336973146-1131
  Member of groups: bz848531
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa group-add-member bz848531_external             --external='AD2.EXAMPLE.TEST\adgroup1' --users='' --groups=''' (Expected 0, got 0)
:: [ 10:19:06 ] ::  Create HBAC rule
--------------------------
Added HBAC rule "bz848531"
--------------------------
  Rule name: bz848531
  Enabled: TRUE
:: [   PASS   ] :: Running 'ipa hbacrule-add bz848531' (Expected 0, got 0)
  Rule name: bz848531
  Enabled: TRUE
  Hosts: rhel7-1.ipa1.example.test
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa hbacrule-add-host bz848531 --hosts=rhel7-1.ipa1.example.test' (Expected 0, got 0)
  Rule name: bz848531
  Enabled: TRUE
  Hosts: rhel7-1.ipa1.example.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa hbacrule-add-service bz848531 --hbacsvcs=sshd' (Expected 0, got 0)
  Rule name: bz848531
  Enabled: TRUE
  User Groups: bz848531
  Hosts: rhel7-1.ipa1.example.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------
:: [   PASS   ] :: Running 'ipa hbacrule-add-user bz848531 --groups=bz848531' (Expected 0, got 0)
:: [ 10:19:11 ] ::  Test hbactest
:: [   PASS   ] :: Running 'ipa hbactest --host=rhel7-1.ipa1.example.test --service=sshd --user='AD2\aduser1' > /tmp/tmpout.ipa_trust_func_bug_848531 2>&1' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmpout.ipa_trust_func_bug_848531' should contain 'Matched rules: bz848531' 
:: [   PASS   ] :: BZ848531 not found 
:: [ 10:19:13 ] ::  Cleanup groups and hbacrule
----------------------------
Deleted HBAC rule "bz848531"
----------------------------
:: [   PASS   ] :: Running 'ipa hbacrule-del bz848531' (Expected 0, got 0)
------------------------
Deleted group "bz848531"
------------------------
:: [   PASS   ] :: Running 'ipa group-del bz848531' (Expected 0, got 0)
---------------------------------
Deleted group "bz848531_external"
---------------------------------
:: [   PASS   ] :: Running 'ipa group-del bz848531_external' (Expected 0, got 0)
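Comment 5 shows that "Access granted: True" alone proves nothing about trusted-user evaluation: the allow_all rule matched while testrule, the rule that actually carries the AD group, was listed under "Not matched rules". The verification log in comment 9 therefore greps the captured output for the expected rule name. The script below is an added example, not taken from the bug report or from FreeIPA itself; it makes that check explicit by parsing `ipa hbactest` output and succeeding only when access was granted and the named rule is an exact entry in "Matched rules" (a substring such as bz848531 inside bz848531_external does not count). The function names (`check_hbac_result`, `hbac_verify_user`, `write_samples`) and the three sample outputs are constructed for this example; `hbac_verify_user` needs an enrolled IPA client with a valid Kerberos ticket, so the stand-alone run only exercises the offline parser on the constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug report or the FreeIPA project): verify that a
# captured `ipa hbactest` result granted access *through the expected rule*,
# not merely through some other rule such as allow_all.

# check_hbac_result FILE RULE
#   FILE: captured stdout of `ipa hbactest`
#   RULE: name of the HBAC rule that is expected to have matched
# Returns 0 only if access was granted AND RULE is an exact entry of
# "Matched rules"; returns 1 otherwise.
check_hbac_result() {
    _file=$1
    _rule=$2
    _granted=$(sed -n 's/^Access granted: *//p' "$_file")
    [ "$_granted" = "True" ] || return 1
    # "Matched rules:" lists names separated by ", " and the CLI wraps long
    # lists onto indented continuation lines without a label, so collect the
    # labelled line plus any following indented lines that carry no "key:".
    _matched=$(awk '
        /^ *Matched rules:/ { sub(/^ *Matched rules: */, ""); print; inlist=1; next }
        inlist && /^ +[^:]*$/ { print; next }
        { inlist=0 }
    ' "$_file" | tr ',' ' ')
    # Compare whole tokens so that e.g. "bz848531_external" does not satisfy
    # a check for "bz848531".
    for _r in $_matched; do
        [ "$_r" = "$_rule" ] && return 0
    done
    return 1
}

# hbac_verify_user USER HOST SERVICE RULE
#   Runs ipa hbactest (hypothetical wrapper; requires an enrolled client with a
#   Kerberos ticket, so it is not exercised offline) and feeds the captured
#   output to check_hbac_result.
hbac_verify_user() {
    _out=$(mktemp) || return 1
    ipa hbactest --user="$1" --host="$2" --service="$3" > "$_out" 2>&1
    check_hbac_result "$_out" "$4"
    _rc=$?
    rm -f "$_out"
    return $_rc
}

# write_samples DIR: writes three constructed outputs in the format shown in
# the report: good.txt (fixed behaviour, with a wrapped rule list), bad.txt
# (the regression from comment 5: granted only via allow_all) and denied.txt
# (the original failure from the description).
write_samples() {
    cat > "$1/good.txt" <<'EOF'
--------------------
Access granted: True
--------------------
  Matched rules: allow_all,
                 bz848531
  Not matched rules: other_rule
EOF
    cat > "$1/bad.txt" <<'EOF'
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: testrule
EOF
    cat > "$1/denied.txt" <<'EOF'
---------------------
Access granted: False
---------------------
  Not matched rules: fuser_sshd
EOF
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if check_hbac_result "$demo_dir/good.txt" bz848531; then
    echo "good.txt: bz848531 matched as expected"
fi
if ! check_hbac_result "$demo_dir/bad.txt" testrule; then
    echo "bad.txt: access granted, but not through testrule (regression detected)"
fi
if ! check_hbac_result "$demo_dir/denied.txt" fuser_sshd; then
    echo "denied.txt: access denied, fuser_sshd not matched"
fi
rm -rf "$demo_dir"
```

In a regression test this replaces a bare grep for "Matched rules: NAME": it fails on a substring hit, fails when access was denied, and fails when the grant came from a different rule, which is exactly the case comment 5 caught.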
Comment 10 Ludek Smid 2014-06-13 08:41:27 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
