[Freeipa-users] HBAC Test - web vs command line - returns different results

Dmitri Pal dpal at redhat.com
Sat Sep 8 15:08:18 UTC 2012


On 08/31/2012 09:33 AM, Michael Mercier wrote:
> Hello,
>
> I seem to be having a problem with the HBAC test:
>
> Versions:
> [root at ipaserver ipatest]# rpm -qa|grep ^ipa
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
>
>
> On the web console:
>
> Browse to HBAC TEST
>
> Who: mike
> Accessing: pix.beta.local
> Via service: tac_plus
> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
> Rules: tacacs
>
> Run Test -> Access Granted with matched rules showing tacacs
>
> On the command line:
>
> ipa hbactest
> User name: mike
> Target Host: pix.beta.local
> Service: tac_plus
> ---------------------
> Access granted: False
> ---------------------
>   Not matched rules: tacacs
>
> tacacs rule:
> General: Enabled
> Who: user group: ciscoadmin -> mike is a member
> accessing: cisco-devices -> pix.beta.local is a member
> Via Service: tac_plus
> From: any host
>
> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>
> Any ideas?
>
> Thanks,
> Mike
>
I do not know whether this issue was resolved. I hope it was, on IRC or
in some other way.

The problem above is related to the "from host", I believe.
Please do not use the "from host". The whole concept is a bit broken and
not reliable.
Please let me know if you need more details or if you have already found
this info in the mail archives and docs.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

