[Freeipa-users] Sanity check on hbac rule on "foreign" domains.
KodaK
sakodak at gmail.com
Fri Aug 2 17:55:12 UTC 2013
First, before we go any further: is it supported to use
sssd when the client machine's domain differs from
the realm name? If not, then the rest of this is moot.
Client box is a RHEL 5.something. I didn't do "ipa-client-install"
because I wanted to configure by hand as a test. The client
box has a DNS name of stlmoracsbx01.domain.com, and the
realm is UNIX.DOMAIN.COM
I've configured the box with sssd, and I can log in with my personal
credentials because I have a wide-open rule for admins.
I've created a simple rule for a test user, and it's not working.
[xxx at slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
Rule name: stlmoracsbx01-access
Source host category: all
Service category: all
Enabled: TRUE
Users: testuser
Hosts: stlmoracsbx01.domain.com
However:
[xxx at slpidml01 ~]$ ipa hbactest --user=testuser
--host=stlmoracsbx01.domain.com --service=sshd
---------------------
Access granted: False
---------------------
And my access:
[xxx at slpidml01 ~]$ ipa hbactest --user=xxx
--host=stlmoracsbx01.domain.com --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: admin access
I also tried opening that host up to everyone:
[jebalicki at slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
Rule name: stlmoracsbx01-access
User category: all
Source host category: all
Service category: all
Enabled: TRUE
Hosts: stlmoracsbx01.domain.com
But the rule fails.
I thought maybe there might be something with the user "testuser", so
I tried another user and I still get a failure.
Any ideas would be appreciated.
--
The government is going to read our mail anyway, might as well make it
tough for them. GPG Public key ID: B6A1A7C6
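As an added example, not part of this post and not FreeIPA or SSSD code: a small Python model of how an HBAC rule is evaluated (the rule must be enabled, and the user, the target host and the service must each match, either because the rule's category for that component is "all", the name is listed directly, or the name belongs to a group the rule lists), plus an hbactest-like function that also reports which component of each non-matching rule failed. The directory data and rule definitions are constructed from the output quoted above; source hosts, which the quoted rules set to "all", are not modelled. Running the model beside the real `ipa hbactest` output lets you see whether a denial comes from the rule logic or from the members as actually stored (for instance a host entry that does not match the name the client presents).

```python
"""Toy model of FreeIPA HBAC evaluation (constructed example, not IPA code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HbacRule:
    """One HBAC rule, shaped like the fields `ipa hbacrule-show` prints."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None      # target hosts: "all" or None
    service_category: Optional[str] = None   # "all" or None
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    host_groups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    service_groups: Set[str] = field(default_factory=set)


@dataclass
class Directory:
    """Group memberships as the directory stores them (constructed data)."""
    user_groups: Dict[str, Set[str]]
    host_groups: Dict[str, Set[str]]
    service_groups: Dict[str, Set[str]]


def _component_matches(category, direct, via_groups, name, membership) -> bool:
    """Category 'all' matches everything; otherwise the name must be listed
    directly or be a member of a group the rule lists. A name the directory
    does not know has no group memberships, so only a direct entry can match."""
    if category == "all":
        return True
    if name in direct:
        return True
    return bool(via_groups & membership.get(name, set()))


def explain_rule(rule: HbacRule, d: Directory, user: str, host: str,
                 service: str) -> Tuple[bool, List[str]]:
    """Evaluate one rule; return (matched, reasons it did not match)."""
    reasons: List[str] = []
    if not rule.enabled:
        reasons.append("rule is disabled")
    if not _component_matches(rule.user_category, rule.users,
                              rule.user_groups, user, d.user_groups):
        reasons.append(f"user {user!r} is not covered by the rule")
    if not _component_matches(rule.host_category, rule.hosts,
                              rule.host_groups, host, d.host_groups):
        reasons.append(f"host {host!r} is not covered by the rule")
    if not _component_matches(rule.service_category, rule.services,
                              rule.service_groups, service, d.service_groups):
        reasons.append(f"service {service!r} is not covered by the rule")
    return (not reasons, reasons)


def hbactest(rules: List[HbacRule], d: Directory, user: str, host: str,
             service: str) -> Tuple[bool, List[str], Dict[str, List[str]]]:
    """Like `ipa hbactest`: access is granted if any rule matches. Returns
    (granted, matched rule names, {non-matching rule: reasons})."""
    matched: List[str] = []
    why_not: Dict[str, List[str]] = {}
    for rule in rules:
        ok, reasons = explain_rule(rule, d, user, host, service)
        if ok:
            matched.append(rule.name)
        else:
            why_not[rule.name] = reasons
    return (bool(matched), matched, why_not)


# Constructed directory and rules mirroring the quoted hbacrule-show output.
DIRECTORY = Directory(
    user_groups={"xxx": {"admins"}, "testuser": set()},
    host_groups={"stlmoracsbx01.domain.com": set()},
    service_groups={"sshd": set()},
)
RULES = [
    HbacRule(name="admin access", user_groups={"admins"},
             host_category="all", service_category="all"),
    HbacRule(name="stlmoracsbx01-access", users={"testuser"},
             hosts={"stlmoracsbx01.domain.com"}, service_category="all"),
]

if __name__ == "__main__":
    for user, host in [("xxx", "stlmoracsbx01.domain.com"),
                       ("testuser", "stlmoracsbx01.domain.com"),
                       ("testuser", "stlmoracsbx01.unix.domain.com")]:
        granted, matched, why_not = hbactest(RULES, DIRECTORY, user, host, "sshd")
        print(f"{user}@{host}: granted={granted} matched={matched} why_not={why_not}")
```

The third query in the usage block shows the failure mode this thread is circling: a host name that differs from the one stored in the rule (here the realm-style name is invented for illustration) matches nothing but a category-"all" rule, and the explanation names the host component as the reason.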