Re: [Freeipa-users] Sanity check on hbac rule on "foreign" domains.

2013-08-06 Thread KodaK
On Mon, Aug 5, 2013 at 4:23 AM, Sumit Bose  wrote:
> Which version of FreeIPA are you using on the server? Maybe the sssd
> logs at a high debug level will give more details why the access is
> denied when you try to log in with ssh as testuser on
> stlmoracsbx01.domain.com.

Something must have been cached, somewhere.
(Even though I cleared every cache I could think of.)

I haven't had time until now; I just tried again and allowed users
work and disallowed users don't.

I have no idea.

Thanks,

--Jason

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Sanity check on hbac rule on "foreign" domains.

2013-08-05 Thread Sumit Bose
On Fri, Aug 02, 2013 at 12:55:12PM -0500, KodaK wrote:
> First, before we go any further:  is it supported to use
> sssd when the client machine's domain differs from
> the realm name?  If not, then the rest of this is moot.
> 
> Client box is a RHEL 5.something.  I didn't do "ipa-client-install"
> because I wanted to configure by hand as a test.  The client
> box has a DNS name of stlmoracsbx01.domain.com, and the
> realm is UNIX.DOMAIN.COM
> 
> I've configured the box with sssd, and I can log in with my personal
> credentials because I have a wide-open rule for admins.
> 
> I've created a simple rule for a test user, and it's not working.
> 
> [xxx@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
>   Rule name: stlmoracsbx01-access
>   Source host category: all
>   Service category: all
>   Enabled: TRUE
>   Users: testuser
>   Hosts: stlmoracsbx01.domain.com
> 
> However:
> 
> [xxx@slpidml01 ~]$ ipa hbactest --user=testuser
> --host=stlmoracsbx01.domain.com --service=sshd
> -
> Access granted: False
> -
> 
> And my access:
> 
> [xxx@slpidml01 ~]$ ipa hbactest --user=xxx
> --host=stlmoracsbx01.domain.com --service=sshd
> 
> Access granted: True
> 
>   Matched rules: admin access
> 
> I also tried opening that host up to everyone:
> 
> [jebalicki@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
> 
>   Rule name: stlmoracsbx01-access
>   User category: all
>   Source host category: all
>   Service category: all
>   Enabled: TRUE
>   Hosts: stlmoracsbx01.domain.com
> 
> But the rule fails.
> 
> I thought maybe there might be something with the user "testuser", so
> I tried another
> user and I still get a failure.
> 
> Any ideas would be appreciated.

First I think this is not a general issue. I did a quick test which
worked as expected:

[root@ipa18-devel ~]# ipa hbacrule-show abc-test
  Rule name: abc-test
  User category: all
  Service category: all
  Enabled: TRUE
  Hosts: abc.def
[root@ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.def
--service=wced

Access granted: True

  Matched rules: abc-test
[root@ipa18-devel ~]# ipa hbactest --user=qgwe --host=abc.defx
--service=wced
-
Access granted: False
-
  Not matched rules: abc-test

Which version of FreeIPA are you using on the server? Maybe the sssd
logs at a high debug level will give more details why the access is
denied when you try to log in with ssh as testuser on
stlmoracsbx01.domain.com.

bye,
Sumit

> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6

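The two messages above compare `ipa hbactest` results for a rule that names a host explicitly. The following is an added example, not code from the thread or from FreeIPA itself: a small Python model of how an HBAC rule is evaluated, using the rule values quoted on the list (abc-test, stlmoracsbx01-access). The evaluation order (enabled, then user, host and service each match either by category "all" or by explicit membership) is my assumption of the documented semantics; group membership is simplified to explicit name lists and the deprecated source-host category is ignored.

```python
"""Added example: a minimal model of FreeIPA HBAC rule evaluation, written to
mirror what `ipa hbactest` reports.  Not the project's own code.

Assumptions (mine, not from the thread): a rule grants access when it is
enabled and the user, the target host and the service each match, where a
match means the rule's category is "all" or the value is in the rule's
explicit list.  Group membership is flattened into explicit name lists.
The `--srchost` / "Source host category" field is deprecated and ignored here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None      # "all" or None
    service_category: Optional[str] = None   # "all" or None
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)

    @staticmethod
    def _matches(category: Optional[str], members: Set[str], value: str) -> bool:
        # Category "all" short-circuits; otherwise the value must be listed
        # exactly (host names are compared as given, so abc.defx != abc.def).
        return category == "all" or value in members

    def matches(self, user: str, host: str, service: str) -> bool:
        if not self.enabled:
            return False
        return (self._matches(self.user_category, self.users, user)
                and self._matches(self.host_category, self.hosts, host)
                and self._matches(self.service_category, self.services, service))


def hbactest(rules: List[HbacRule], user: str, host: str,
             service: str) -> Tuple[bool, List[str], List[str]]:
    """Return (access_granted, matched_rule_names, not_matched_rule_names)."""
    matched = [r.name for r in rules if r.matches(user, host, service)]
    not_matched = [r.name for r in rules if r.name not in matched]
    return bool(matched), matched, not_matched


# Rules as quoted in the thread (constructed from the hbacrule-show output).
ABC_TEST = HbacRule(name="abc-test", user_category="all",
                    service_category="all", hosts={"abc.def"})
STL_RULE = HbacRule(name="stlmoracsbx01-access", service_category="all",
                    users={"testuser"}, hosts={"stlmoracsbx01.domain.com"})
RULES = [ABC_TEST, STL_RULE]


if __name__ == "__main__":
    for user, host, service in [("qgwe", "abc.def", "wced"),
                                ("qgwe", "abc.defx", "wced"),
                                ("testuser", "stlmoracsbx01.domain.com", "sshd")]:
        granted, hit, miss = hbactest(RULES, user, host, service)
        print(f"{user}@{host} ({service}): granted={granted} "
              f"matched={hit} not_matched={miss}")
```

Run stand-alone, the model reproduces Sumit's two results (abc.def granted, abc.defx denied, because the host is compared as an exact name) and grants testuser on stlmoracsbx01.domain.com, which is what the server-side `hbactest` in the thread should also show; the denial reported on the list is therefore not explained by the rule contents alone, which is why the reply points at the client-side sssd logs.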


[Freeipa-users] Sanity check on hbac rule on "foreign" domains.

2013-08-02 Thread KodaK
First, before we go any further:  is it supported to use
sssd when the client machine's domain differs from
the realm name?  If not, then the rest of this is moot.

Client box is a RHEL 5.something.  I didn't do "ipa-client-install"
because I wanted to configure by hand as a test.  The client
box has a DNS name of stlmoracsbx01.domain.com, and the
realm is UNIX.DOMAIN.COM

I've configured the box with sssd, and I can log in with my personal
credentials because I have a wide-open rule for admins.

I've created a simple rule for a test user, and it's not working.

[xxx@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
  Rule name: stlmoracsbx01-access
  Source host category: all
  Service category: all
  Enabled: TRUE
  Users: testuser
  Hosts: stlmoracsbx01.domain.com

However:

[xxx@slpidml01 ~]$ ipa hbactest --user=testuser
--host=stlmoracsbx01.domain.com --service=sshd
-
Access granted: False
-

And my access:

[xxx@slpidml01 ~]$ ipa hbactest --user=xxx
--host=stlmoracsbx01.domain.com --service=sshd

Access granted: True

  Matched rules: admin access

I also tried opening that host up to everyone:

[jebalicki@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access

  Rule name: stlmoracsbx01-access
  User category: all
  Source host category: all
  Service category: all
  Enabled: TRUE
  Hosts: stlmoracsbx01.domain.com

But the rule fails.

I thought maybe there might be something with the user "testuser", so
I tried another
user and I still get a failure.

Any ideas would be appreciated.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
