Re: [Freeipa-users] Sanity check on hbac rule on foreign domains.

2013-08-06 Thread KodaK
On Mon, Aug 5, 2013 at 4:23 AM, Sumit Bose sb...@redhat.com wrote:
 Which version of FreeIPA are you using on the server? Maybe the sssd
 logs at a high debug level will give more details why the access is
 denied when you try to log in with ssh as testuser on
 stlmoracsbx01.domain.com.

Something must have been cached, somewhere.
(Even though I cleared every cache I could think of.)

I haven't had time until now; I just tried again and allowed users
work and disallowed users don't.

I have no idea.

Thanks,

--Jason

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Sanity check on hbac rule on foreign domains.

2013-08-05 Thread Sumit Bose
On Fri, Aug 02, 2013 at 12:55:12PM -0500, KodaK wrote:
 First, before we go any further:  is it supported to use
 sssd when the client machine's domain differs from
 the realm name?  If not, then the rest of this is moot.
 
 Client box is a RHEL 5.something.  I didn't do ipa-client-install
 because I wanted to configure by hand as a test.  The client
 box has a DNS name of stlmoracsbx01.domain.com, and the
 realm is UNIX.DOMAIN.COM
 
 I've configured the box with sssd, and I can log in with my personal
 credentials because I have a wide-open rule for admins.
 
 I've created a simple rule for a test user, and it's not working.
 
 [xxx@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
   Rule name: stlmoracsbx01-access
   Source host category: all
   Service category: all
   Enabled: TRUE
   Users: testuser
   Hosts: stlmoracsbx01.domain.com
 
 However:
 
 [xxx@slpidml01 ~]$ ipa hbactest --user=testuser
 --host=stlmoracsbx01.domain.com --service=sshd
 -
 Access granted: False
 -
 
 And my access:
 
 [xxx@slpidml01 ~]$ ipa hbactest --user=xxx
 --host=stlmoracsbx01.domain.com --service=sshd
 
 Access granted: True
 
   Matched rules: admin access
 
 I also tried opening that host up to everyone:
 
 [jebalicki@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
 
   Rule name: stlmoracsbx01-access
   User category: all
   Source host category: all
   Service category: all
   Enabled: TRUE
   Hosts: stlmoracsbx01.domain.com
 
 But the rule fails.
 
 I thought maybe there might be something with the user testuser, so
 I tried another
 user and I still get a failure.
 
 Any ideas would be appreciated.

First, I think this is not a general issue. I did a quick test which
worked as expected:

[root@ipa18-devel ~]# ipa hbacrule-show abc-test
  Rule name: abc-test
  User category: all
  Service category: all
  Enabled: TRUE
  Hosts: abc.def
[root@ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.def
--service=wced

Access granted: True

  Matched rules: abc-test
[root@ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.defx
--service=wced
-
Access granted: False
-
  Not matched rules: abc-test

Which version of FreeIPA are you using on the server? Maybe the sssd
logs at a high debug level will give more details why the access is
denied when you try to log in with ssh as testuser on
stlmoracsbx01.domain.com.

bye,
Sumit


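As an added illustration (not FreeIPA or SSSD code), a minimal Python model of the matching that `ipa hbactest` performs in Sumit's test above: a rule grants access only when it is enabled and the user, host and service each either fall under a category of "all" or are direct members. It is a simplification (assumption: no user/host/service group expansion, and the deprecated source-host part is ignored, as SSSD does), and it reproduces the abc.def versus abc.defx result as well as the expected outcome for the stlmoracsbx01-access rule.

```python
"""Simplified model of FreeIPA HBAC rule evaluation (added example, not
FreeIPA/SSSD code). Only direct members and the 'all' categories are
modelled; group expansion and source hosts are deliberately left out."""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category: str = ""       # "all" means any user
    host_category: str = ""       # "all" means any host
    service_category: str = ""    # "all" means any service
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)      # FQDNs, lower case
    services: set = field(default_factory=set)


def _member_ok(category: str, members: set, value: str) -> bool:
    """A component matches if its category is 'all' or value is a member."""
    return category == "all" or value in members


def rule_matches(rule: HbacRule, user: str, host: str, service: str) -> bool:
    """True when an enabled rule covers user, host and service together."""
    if not rule.enabled:
        return False
    return (_member_ok(rule.user_category, rule.users, user)
            and _member_ok(rule.host_category, rule.hosts, host.lower())
            and _member_ok(rule.service_category, rule.services, service))


def hbactest(rules, user: str, host: str, service: str):
    """Mimic `ipa hbactest`: (access granted, matched rules, not matched)."""
    matched = [r.name for r in rules if rule_matches(r, user, host, service)]
    not_matched = [r.name for r in rules if r.name not in matched]
    return bool(matched), matched, not_matched


# Constructed rules mirroring the two shown in the thread.
ABC_TEST = HbacRule("abc-test", user_category="all", service_category="all",
                    hosts={"abc.def"})
STLM = HbacRule("stlmoracsbx01-access", service_category="all",
                users={"testuser"}, hosts={"stlmoracsbx01.domain.com"})

if __name__ == "__main__":
    print(hbactest([ABC_TEST], "qgwe", "abc.def", "wced"))   # granted
    print(hbactest([ABC_TEST], "qgwe", "abc.defx", "wced"))  # host mismatch
    print(hbactest([STLM], "testuser", "stlmoracsbx01.domain.com", "sshd"))
```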


[Freeipa-users] Sanity check on hbac rule on foreign domains.

2013-08-02 Thread KodaK
First, before we go any further:  is it supported to use
sssd when the client machine's domain differs from
the realm name?  If not, then the rest of this is moot.

Client box is a RHEL 5.something.  I didn't do ipa-client-install
because I wanted to configure by hand as a test.  The client
box has a DNS name of stlmoracsbx01.domain.com, and the
realm is UNIX.DOMAIN.COM

I've configured the box with sssd, and I can log in with my personal
credentials because I have a wide-open rule for admins.

I've created a simple rule for a test user, and it's not working.

[xxx@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
  Rule name: stlmoracsbx01-access
  Source host category: all
  Service category: all
  Enabled: TRUE
  Users: testuser
  Hosts: stlmoracsbx01.domain.com

However:

[xxx@slpidml01 ~]$ ipa hbactest --user=testuser
--host=stlmoracsbx01.domain.com --service=sshd
-
Access granted: False
-

And my access:

[xxx@slpidml01 ~]$ ipa hbactest --user=xxx
--host=stlmoracsbx01.domain.com --service=sshd

Access granted: True

  Matched rules: admin access

I also tried opening that host up to everyone:

[jebalicki@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access

  Rule name: stlmoracsbx01-access
  User category: all
  Source host category: all
  Service category: all
  Enabled: TRUE
  Hosts: stlmoracsbx01.domain.com

But the rule fails.

I thought maybe there might be something with the user testuser, so
I tried another
user and I still get a failure.

Any ideas would be appreciated.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
