On 08/31/2012 09:33 AM, Michael Mercier wrote:
> Hello,
>
> I seem to be having a problem with the HBAC test:
>
> Versions:
> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
>
>
> On the web console:
>
> Browse to HBAC TEST
>
> Who: mike
> Accessing: pix.beta.local
> Via service: tac_plus
> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe
> this has any effect)
> Rules: tacacs
>
> Run Test -> Access Granted with matched rules showing tacacs
>
> On the command line:
>
> ipa hbactest
> User name: mike
> Target Host: pix.beta.local
> Service: tac_plus
> ---------------------
> Access granted: False
> ---------------------
> Not matched rules: tacacs
>
> tacacs rule:
> General: Enabled
> Who: user group: ciscoadmin -> mike is a member
> accessing: cisco-devices -> pix.beta.local is a member
> Via Service: tac_plus
> From: any host
>
> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is
> still present)
>
> Any ideas?
>
> Thanks,
> Mike
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

I do not know whether this issue was resolved. Hope it was on the IRC or in some other way.
The problem above is related to the "from host" I believe. Please do not use the "from host". The whole concept is a bit broken and not reliable.

Please let me know if you need more details or you already found this info from mail archives and docs.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.