https://bugzilla.redhat.com/show_bug.cgi?id=1673005 Bug ID: 1673005 Summary: Applying hbac rules according to guide doesn't return expected results Product: Fedora Documentation Version: devel OS: Linux Status: NEW Component: freeipa-guide Severity: medium Assignee: pbokoc(a)redhat.com Reporter: mpolovka(a)redhat.com QA Contact: docs-qa(a)lists.fedoraproject.org CC: mkosek(a)redhat.com Target Milestone: --- Classification: Fedora Description of problem: I followed freeipa-guide closely up to unit 4 - hbac rules. After I created "sysadmin_webservers" using provided instructions (copy-pasted to be sure) I wanted to test, whether it works. However, despite Alice being in "sysadmin" group and all rules are set according to the guide, access to client servers for alice is denied (see Additional info) Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1.Follow the freeIPA-guide till Unit 4 2.Disable allow_all hbac rule 3. Follow the steps in Unit 4 Actual results: [server]$ ipa hbactest --host client.ipademo.local --service sshd --user alice --------------------- Access granted: False --------------------- Not matched rules: sysadmin_webservers [server]$ kinit alice Password for alice(a)IPADEMO.LOCAL: [server]$ ssh alice(a)client.ipademo.local Connection closed by UNKNOWN port 65535 Expected results: [server]$ ipa hbactest --host client.ipademo.local --service sshd --user alice --------------------- Access granted: True --------------------- [server]$ kinit alice Password for alice(a)IPADEMO.LOCAL: [server]$ ssh alice(a)client.ipademo.local Creating home directory for alice. [alice@client]$ Additional info: [server]$ ipa user-show alice User login: alice First name: Alice Last name: von der Wunderland Home directory: /home/alice Login shell: /bin/sh Principal name: alice(a)IPADEMO.LOCAL Principal alias: alice(a)IPADEMO.LOCAL Email address: alice(a)ipademo.local UID: 55400001 GID: 55400001 Job Title: Recreationist Class: Superior Account disabled: False Password: True Member of groups: sysadmin, ipausers Indirect Member of HBAC rule: sysadmin_webservers Kerberos keys available: True [server]$ ipa hbacrule-find ------------------- 1 HBAC rule matched ------------------- Rule name: sysadmin_webservers Service category: all Enabled: TRUE ---------------------------- Number of entries returned 1 ---------------------------- [server]$ ipa hbacrule-show sysadmin_webservers Rule name: sysadmin_webservers Service category: all Enabled: TRUE User Groups: sysadmin Host Groups: webservers -- You are receiving this mail because: You are the QA Contact for the bug.