https://bugzilla.redhat.com/show_bug.cgi?id=1673005
Bug ID: 1673005
Summary: Applying hbac rules according to guide doesn't return expected results
Product: Fedora Documentation
Version: devel
OS: Linux
Status: NEW
Component: freeipa-guide
Severity: medium
Assignee: pbokoc(a)redhat.com
Reporter: mpolovka(a)redhat.com
QA Contact: docs-qa(a)lists.fedoraproject.org
CC: mkosek(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
I followed the freeipa-guide closely up to unit 4 - hbac rules.
After I created "sysadmin_webservers" using the provided instructions (copy-pasted
to be sure), I wanted to test whether it works.
However, despite Alice being in the "sysadmin" group and all rules being set
according to the guide, access to client servers for alice is denied (see
Additional info).
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Follow the freeIPA-guide till Unit 4
2. Disable allow_all hbac rule
3. Follow the steps in Unit 4
Actual results:
[server]$ ipa hbactest --host client.ipademo.local --service sshd --user alice
---------------------
Access granted: False
---------------------
Not matched rules: sysadmin_webservers
[server]$ kinit alice
Password for alice(a)IPADEMO.LOCAL:
[server]$ ssh alice(a)client.ipademo.local
Connection closed by UNKNOWN port 65535
Expected results:
[server]$ ipa hbactest --host client.ipademo.local --service sshd --user alice
---------------------
Access granted: True
---------------------
[server]$ kinit alice
Password for alice(a)IPADEMO.LOCAL:
[server]$ ssh alice(a)client.ipademo.local
Creating home directory for alice.
[alice@client]$
Additional info:
[server]$ ipa user-show alice
User login: alice
First name: Alice
Last name: von der Wunderland
Home directory: /home/alice
Login shell: /bin/sh
Principal name: alice(a)IPADEMO.LOCAL
Principal alias: alice(a)IPADEMO.LOCAL
Email address: alice(a)ipademo.local
UID: 55400001
GID: 55400001
Job Title: Recreationist
Class: Superior
Account disabled: False
Password: True
Member of groups: sysadmin, ipausers
Indirect Member of HBAC rule: sysadmin_webservers
Kerberos keys available: True
[server]$ ipa hbacrule-find
-------------------
1 HBAC rule matched
-------------------
Rule name: sysadmin_webservers
Service category: all
Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------
[server]$ ipa hbacrule-show sysadmin_webservers
Rule name: sysadmin_webservers
Service category: all
Enabled: TRUE
User Groups: sysadmin
Host Groups: webservers
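
Added example, not part of the original report and not FreeIPA code: a small triage helper that parses the `ipa hbacrule-show` output above and reports which dimension of the rule (user, host, service) fails for a request, since an HBAC rule only matches when all three do. The report does not show the host groups of client.ipademo.local, so both host memberships below are constructed assumptions; the function names are hypothetical.

```python
# Added example: explain a "Not matched rules" line from `ipa hbactest` by
# evaluating one request against the text printed by `ipa hbacrule-show`.
RULE_TEXT = """\
Rule name: sysadmin_webservers
Service category: all
Enabled: TRUE
User Groups: sysadmin
Host Groups: webservers
"""  # copied from the report above


def parse_rule(text):
    """Turn 'Label: a, b' lines into {'label': ['a', 'b']}."""
    rule = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            rule[label.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return rule


def _dimension(rule, category, members, group_label, name, groups):
    """A dimension matches on category 'all', a direct entry, or a shared group."""
    if rule.get(category) == ["all"]:
        return True
    if name in rule.get(members, []):
        return True
    return bool(set(rule.get(group_label, [])) & set(groups))


def explain(rule, user, user_groups, host, host_groups):
    """Per-dimension verdict; the rule matches only if every value is True."""
    return {
        "enabled": rule.get("enabled") == ["TRUE"],
        "user": _dimension(rule, "user category", "users", "user groups", user, user_groups),
        "host": _dimension(rule, "host category", "hosts", "host groups", host, host_groups),
        # Only the category is modelled; None means an explicit service list
        # exists and was not evaluated by this sketch.
        "service": True if rule.get("service category") == ["all"] else None,
    }


if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    alice_groups = ["sysadmin", "ipausers"]  # from `ipa user-show alice` above
    # Host group membership is NOT in the report: both cases are constructed.
    for host_groups in (["webservers"], []):
        verdict = explain(rule, "alice", alice_groups, "client.ipademo.local", host_groups)
        print(host_groups, verdict, "match" if all(v is True for v in verdict.values()) else "no match")
```

Pass the full, already expanded group lists (nested groups included) for the user and the host, for example as printed by `ipa user-show` and `ipa host-show`.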