Bug 848531
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | hbactest does not work with trusted users | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | atolani, jgalipea, mkosek, sgoveas, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.3.3-11.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1446176 | Environment: | |
| Last Closed: | 2014-06-13 12:41:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1049533, 1446178 | | |
| Bug Blocks: | 1446176 | | |
Description
Dmitri Pal
2012-08-15 20:23:35 UTC
Fixed upstream:

master:
- b8079f9ed4ba9632c77fa973aa2247a4d30434fa Fix hbachelp examples formatting
- 85d16ad7de4cd52e349ee2a7c8ed9b0d72657d33 Add support for AD users to hbactest command
- d79aac855b31523b8dd7efcfd0bea3feb59cdaa0 Do not hide SID resolver error in group-add-member
- e60e80e2b6710e581e417d9e7e05cea21ba9f6b0 Generalize AD GC search

ipa-3-1:
- 2f52d04f1c111b350e70f3f2b936630126e63684 Fix hbachelp examples formatting
- 0946e6f5ff5747c444ebdf33569e41ed42bc7f5a Add support for AD users to hbactest command
- 7a01ecb6adb6ed56462df32b7bc56952b25667c6 Do not hide SID resolver error in group-add-member
- 406d92950d1afb1213c3677cc4138ca4e8b4aff5 Generalize AD GC search

hbactest --user option will now accept and test HBAC for trusted domain users or trusted domain user SIDs. See "ipa help hbactest" for help or examples.

This appears to still be an issue in later versions: ipa-server-3.3.3-10.el7.x86_64

```
[root@rhel7-1 ~]# ipa hbacrule-add-user testrule --groups=ad2_adgroup1
  Rule name: testrule
  Enabled: TRUE
  User Groups: ad2_adgroup1
  Hosts: rhel7-1.ipa1.example.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa group-show ad2_adgroup1
  Group name: ad2_adgroup1
  Description: ad2 adgroup1 posix group
  GID: 114000006
  Member groups: ad2_adgroup1_external
  Member of Sudo rule: testrule
  Member of HBAC rule: testrule
[root@rhel7-1 ~]# ipa group-show --all ad2_adgroup1_external
  dn: cn=ad2_adgroup1_external,cn=groups,cn=accounts,dc=ipa1,dc=example,dc=test
  Group name: ad2_adgroup1_external
  Description: ad2 adgroup1 external group
  Member of groups: ad2_adgroup1
  Indirect Member of Sudo rule: testrule
  Indirect Member of HBAC rule: testrule
  External member: S-1-5-21-1515602834-2930230041-3336973146-1131
  ipauniqueid: b6b1aec2-7945-11e3-a5ac-0000c0a87a47
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup
[root@rhel7-1 ~]# wbinfo -s S-1-5-21-1515602834-2930230041-3336973146-1131
AD2\adgroup1 2
[root@rhel7-1 ~]# id 'AD2\Aduser1'
uid=551801125(aduser1.test) gid=551801125(aduser1.test) groups=551801125(aduser1.test),551800513(domain users.test),551801131(adgroup1.test),114000006(ad2_adgroup1)
[root@rhel7-1 ~]# ipa hbactest --user 'AD2\aduser1' --host $(hostname) --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: testrule
```

Thanks Scott, good catch. I investigated the issue and found out that this is a regression introduced in a FreeIPA 3.3 ticket: https://fedorahosted.org/freeipa/ticket/3803

I prepared a patch fixing the issue and submitted upstream.

Fixed upstream:
- master: https://fedorahosted.org/freeipa/changeset/faa820f39e2f632d5333ea6124c9cb190e69f728
- ipa-3-3: https://fedorahosted.org/freeipa/changeset/fdce36ccc13f68e4019064c69ef4f5adf61ef681

Verified.

Version :: ipa-server-3.3.3-11.el7.x86_64

Test Results ::

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa_trust_func_bug_848531: hbactest does not work with trusted users
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Running 'kdestroy -A' (Expected 0, got 0)
:: [ 10:18:59 ] :: Create group for testing bug
-------------------------------
Added group "bz848531_external"
-------------------------------
  Group name: bz848531_external
  Description: 0
:: [ PASS ] :: Running 'ipa group-add --desc=0 bz848531_external --external' (Expected 0, got 0)
----------------------
Added group "bz848531"
----------------------
  Group name: bz848531
  Description: 0
  GID: 1150600009
:: [ PASS ] :: Running 'ipa group-add --desc=0 bz848531' (Expected 0, got 0)
  Group name: bz848531
  Description: 0
  GID: 1150600009
  Member groups: bz848531_external
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Running 'ipa group-add-member bz848531 --groups=bz848531_external' (Expected 0, got 0)
  Group name: bz848531_external
  Description: 0
  External member: S-1-5-21-1515602834-2930230041-3336973146-1131
  Member of groups: bz848531
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Running 'ipa group-add-member bz848531_external --external='AD2.EXAMPLE.TEST\adgroup1' --users='' --groups=''' (Expected 0, got 0)
:: [ 10:19:06 ] :: Create HBAC rule
--------------------------
Added HBAC rule "bz848531"
--------------------------
  Rule name: bz848531
  Enabled: TRUE
:: [ PASS ] :: Running 'ipa hbacrule-add bz848531' (Expected 0, got 0)
  Rule name: bz848531
  Enabled: TRUE
  Hosts: rhel7-1.ipa1.example.test
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Running 'ipa hbacrule-add-host bz848531 --hosts=rhel7-1.ipa1.example.test' (Expected 0, got 0)
  Rule name: bz848531
  Enabled: TRUE
  Hosts: rhel7-1.ipa1.example.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Running 'ipa hbacrule-add-service bz848531 --hbacsvcs=sshd' (Expected 0, got 0)
  Rule name: bz848531
  Enabled: TRUE
  User Groups: bz848531
  Hosts: rhel7-1.ipa1.example.test
  Services: sshd
-------------------------
Number of members added 1
-------------------------
:: [ PASS ] :: Running 'ipa hbacrule-add-user bz848531 --groups=bz848531' (Expected 0, got 0)
:: [ 10:19:11 ] :: Test hbactest
:: [ PASS ] :: Running 'ipa hbactest --host=rhel7-1.ipa1.example.test --service=sshd --user='AD2\aduser1' > /tmp/tmpout.ipa_trust_func_bug_848531 2>&1' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmpout.ipa_trust_func_bug_848531' should contain 'Matched rules: bz848531'
:: [ PASS ] :: BZ848531 not found
:: [ 10:19:13 ] :: Cleanup groups and hbacrule
----------------------------
Deleted HBAC rule "bz848531"
----------------------------
:: [ PASS ] :: Running 'ipa hbacrule-del bz848531' (Expected 0, got 0)
------------------------
Deleted group "bz848531"
------------------------
:: [ PASS ] :: Running 'ipa group-del bz848531' (Expected 0, got 0)
---------------------------------
Deleted group "bz848531_external"
---------------------------------
:: [ PASS ] :: Running 'ipa group-del bz848531_external' (Expected 0, got 0)
```

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
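A check in the spirit of the verification above, added here as an example and not part of the bug report or of FreeIPA's own code: it parses `ipa hbactest` text output and flags the failure mode Scott hit, where access is granted only by the catch-all allow_all rule while the rule carrying the trusted user's group is listed as not matched. The two output samples are constructed to mirror the runs quoted in this bug.

```python
import re

# Constructed sample: failing run on ipa-server-3.3.3-10.el7 (allow_all granted, testrule not matched).
BROKEN_OUTPUT = """\
Access granted: True
--------------------
  Matched rules: allow_all
  Not matched rules: testrule
"""

# Constructed sample: verified run on ipa-server-3.3.3-11.el7 (bz848531 now matches).
FIXED_OUTPUT = """\
Access granted: True
--------------------
  Matched rules: allow_all
  Matched rules: bz848531
"""


def parse_hbactest(output):
    """Parse `ipa hbactest` text output into a granted flag and rule lists.
    Accepts one rule per line (as ipa prints) or comma-separated names."""
    result = {"granted": None, "matched": [], "not_matched": []}
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"Access granted:\s*(True|False)$", line)
        if m:
            result["granted"] = m.group(1) == "True"
            continue
        m = re.match(r"(Matched|Not matched) rules:\s*(.*)$", line)
        if m:
            key = "matched" if m.group(1) == "Matched" else "not_matched"
            result[key].extend(r.strip() for r in m.group(2).split(",") if r.strip())
    return result


def check_rule_applied(output, rule):
    """Return (ok, reason); ok is True only when `rule` itself matched.
    'Access granted: True' alone is not enough: here allow_all granted
    access while the rule holding the trusted user's group did not match."""
    parsed = parse_hbactest(output)
    if rule in parsed["matched"]:
        return True, "%s matched" % rule
    if rule in parsed["not_matched"]:
        via = ", ".join(parsed["matched"]) or "no rule"
        if parsed["granted"]:
            return False, "%s not matched; access granted only via %s" % (rule, via)
        return False, "%s not matched; access denied" % rule
    return False, "%s not evaluated" % rule
```

Running the check against the real command output (for example `ipa hbactest --user 'AD2\aduser1' --host $(hostname) --service sshd`) in a test harness catches the regression even when a permissive allow_all rule is still present.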