[Freeipa-users] HBAC Test - web vs command line - returns different results

Michael Mercier mmercier at gmail.com
Mon Sep 17 13:47:15 UTC 2012


On 2012-09-08, at 11:08 AM, Dmitri Pal wrote:

> On 08/31/2012 09:33 AM, Michael Mercier wrote:
>> Hello,
>> 
>> I seem to be having a problem with the HBAC test:
>> 
>> Versions:
>> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> 
>> 
>> On the web console:
>> 
>> Browse to HBAC TEST
>> 
>> Who: mike
>> Accessing: pix.beta.local
>> Via service: tac_plus
>> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe this has any effect)
>> Rules: tacacs
>> 
>> Run Test -> Access Granted with matched rules showing tacacs
>> 
>> On the command line:
>> 
>> ipa hbactest
>> User name: mike
>> Target Host: pix.beta.local
>> Service: tac_plus
>> ---------------------
>> Access granted: False
>> ---------------------
>>  Not matched rules: tacacs
>> 
>> tacacs rule:
>> General: Enabled
>> Who: user group: ciscoadmin -> mike is a member
>> accessing: cisco-devices -> pix.beta.local is a member
>> Via Service: tac_plus
>> From: any host
>> 
>> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is still present)
>> 
>> Any ideas?
>> 
>> Thanks,
>> Mike
>> 
> I do not know whether this issue was resolved. Hope it was on the IRC or
> in some other way.
> 
> The problem above is related to the "from host" I believe.
> Please do not use the "from host". The whole concept is a bit broken and
> not reliable.

I don't seem to be able to *not* select a 'from host' with the web console, I get:

Input form contains invalid or missing values.

Missing values:
     Source host.


Thanks,
Mike