[Freeipa-users] Sanity check on hbac rule on "foreign" domains.

Sumit Bose sbose at redhat.com
Mon Aug 5 09:23:39 UTC 2013


On Fri, Aug 02, 2013 at 12:55:12PM -0500, KodaK wrote:
> First, before we go any further:  is it supported to use
> sssd when the client machines domain differs from
> the realm name?  If not, then the rest of this is moot.
> 
> Client box is a RHEL 5.something.  I didn't do "ipa-client-install"
> because I wanted to configure by hand as a test.  The client
> box has a DNS name of stlmoracsbx01.domain.com, and the
> realm is UNIX.DOMAIN.COM
> 
> I've configured the box with sssd, and I can log in with my personal
> credentials because I have a wide-open rule for admins.
> 
> I've created a simple rule for a test user, and it's not working.
> 
> [xxx at slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
>   Rule name: stlmoracsbx01-access
>   Source host category: all
>   Service category: all
>   Enabled: TRUE
>   Users: testuser
>   Hosts: stlmoracsbx01.domain.com
> 
> However:
> 
> [xxx at slpidml01 ~]$ ipa hbactest --user=testuser
> --host=stlmoracsbx01.domain.com --service=sshd
> ---------------------
> Access granted: False
> ---------------------
> 
> And my access:
> 
> [xxx at slpidml01 ~]$ ipa hbactest --user=xxx
> --host=stlmoracsbx01.domain.com --service=sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: admin access
> 
> I also tried opening that host up to everyone:
> 
> [jebalicki at slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
> 
>   Rule name: stlmoracsbx01-access
>   User category: all
>   Source host category: all
>   Service category: all
>   Enabled: TRUE
>   Hosts: stlmoracsbx01.domain.com
> 
> But the rule fails.
> 
> I thought maybe there might be something with the user "testuser", so
> I tried another
> user and I still get a failure.
> 
> Any ideas would be appreciated.

First, I think this is not a general issue. I did a quick test which
worked as expected:

[root at ipa18-devel ~]# ipa hbacrule-show abc-test
  Rule name: abc-test
  User category: all
  Service category: all
  Enabled: TRUE
  Hosts: abc.def
[root at ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.def
--service=wced
--------------------
Access granted: True
--------------------
  Matched rules: abc-test
[root at ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.defx
--service=wced
---------------------
Access granted: False
---------------------
  Not matched rules: abc-test

Which version of FreeIPA are you using on the server? Maybe the sssd
logs at a high debug level will give more details why the access is
denied when you try to log in with ssh as testuser on
stlmoracsbx01.domain.com.

bye,
Sumit

> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
> 
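Sumit's suggestion above is to raise the sssd debug level and retry the ssh login as testuser. The snippet below is an added example, not part of the thread and not FreeIPA or sssd project code: a small shell helper that sets `debug_level` in one section of `sssd.conf`, either replacing an existing value or appending one at the end of that section, and leaves every other section untouched. HBAC is evaluated by the IPA access provider in the domain backend, so `[domain/...]` is the section whose log (`/var/log/sssd/sssd_<domain>.log`) explains a denial; `[pam]` covers the responder side in `sssd_pam.log`. The section name `domain/unix.domain.com` and the sample config in `demo` are assumptions constructed for the illustration; the demo never touches `/etc/sssd/sssd.conf`.

```shell
#!/bin/sh
# Added example (not from the thread): raise sssd's debug_level in one
# section of sssd.conf. Section names and the sample config are assumed.

# set_sssd_debug FILE SECTION LEVEL
# Replace an existing debug_level inside [SECTION], or append one at the
# end of that section. Blank lines at the end of the section are kept
# after the new line so the file stays tidy.
set_sssd_debug() {
    file=$1
    section=$2
    level=$3
    tmp=$(mktemp) || return 1
    awk -v sec="[$section]" -v lvl="$level" '
        BEGIN { insec = 0; done = 0; held = "" }
        /^\[/ {
            # Leaving the target section without having written the value:
            # emit it before the next header, then flush held blank lines.
            if (insec && !done) { print "debug_level = " lvl; done = 1 }
            printf "%s", held; held = ""
            insec = ($0 == sec)
            print; next
        }
        insec && /^[ \t]*$/ { held = held $0 "\n"; next }
        insec && /^[ \t]*debug_level[ \t]*=/ {
            printf "%s", held; held = ""
            if (!done) { print "debug_level = " lvl; done = 1 }
            next          # drop the old value (and any duplicate)
        }
        { printf "%s", held; held = ""; print }
        END {
            if (insec && !done) print "debug_level = " lvl
            printf "%s", held
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place instead of mv: sssd refuses a sssd.conf that is not
    # 0600 root:root, and mv would install mktemp's new inode and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_sssd_debug FILE SECTION -> prints the debug_level in [SECTION], if any
get_sssd_debug() {
    awk -v sec="[$2]" '
        /^\[/ { insec = ($0 == sec) }
        insec && /^[ \t]*debug_level[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Demo on a constructed config (assumed section names; not a real file).
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[sssd]
debug_level = 1
services = nss, pam
domains = unix.domain.com

[pam]

[domain/unix.domain.com]
id_provider = ipa
access_provider = ipa
debug_level = 2
EOF
    set_sssd_debug "$cfg" "domain/unix.domain.com" 9   # HBAC decisions
    set_sssd_debug "$cfg" "pam" 9                      # PAM responder
    echo "domain: $(get_sssd_debug "$cfg" domain/unix.domain.com)"
    echo "pam:    $(get_sssd_debug "$cfg" pam)"
    echo "sssd:   $(get_sssd_debug "$cfg" sssd)"
    cat "$cfg"
    rm -f "$cfg"
}

demo
```

Run it against a copy of the live config first, then apply to `/etc/sssd/sssd.conf`, restart sssd, retry the ssh login as testuser, and read the domain log for the HBAC evaluation. Level 9 logs are verbose and record user and host names, so lower the level again once the denial is understood.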




More information about the Freeipa-users mailing list