Re: [Freeipa-users] HBAC rules not working
Hi,

Can I get confirmation this is fixed when 6.2 goes GA please?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Monday, 28 November 2011 8:11 a.m.
To: Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

Hi,

sssd is 1.5.1.52, but it's what ships in RHEL6.2beta.

I assume I have to wait 2 weeks for 6.2 GA? Mega annoying if so... I have a $1.5million bluearc toy :D arriving this week to connect to it... :(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] HBAC rules not working
Hi,

sssd is 1.5.1.52, but it's what ships in RHEL6.2beta.

I assume I have to wait 2 weeks for 6.2 GA? Mega annoying if so... I have a $1.5million bluearc toy :D arriving this week to connect to it... :(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Jakub Hrozek [jhro...@redhat.com]
Sent: Friday, 25 November 2011 5:37 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

On Thu, Nov 24, 2011 at 01:41:30AM +, Steven Jones wrote:
> When I add a host to the hbac rule and not a host group I can login
>
> Something is wrong with the host group(s)... damned if I can see what.
>
> regards
>
> Steven Jones
>

Which SSSD version is that? There was a bug (#741751) in the HBAC host group processing that got fixed in sssd-1.5.1-53
Re: [Freeipa-users] HBAC rules not working
On Thu, Nov 24, 2011 at 01:41:30AM +, Steven Jones wrote:
> When I add a host to the hbac rule and not a host group I can login
>
> Something is wrong with the host group(s)... damned if I can see what.
>
> regards
>
> Steven Jones
>

Which SSSD version is that? There was a bug (#741751) in the HBAC host group processing that got fixed in sssd-1.5.1-53
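One way to check a host against the build named above (sssd-1.5.1-53), as an added example that is not part of the thread. The function names are hypothetical; the comparison is numeric per field, so release 9 sorts below 53, and it accepts both the `rpm -q sssd` form and the dotted form "1.5.1.52" used in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): is an installed sssd build at or above
# the release the thread names as carrying the HBAC host-group fix?

FIXED_BUILD="1.5.1-53"   # taken from the thread (bug #741751)

# sssd_build_ge INSTALLED FIXED -> exit status 0 when INSTALLED >= FIXED.
# Accepts "sssd-1.5.1-52.el6.x86_64", "1.5.1-52.el6" or dotted "1.5.1.52".
sssd_build_ge() {
    awk -v a="$1" -v b="$2" '
        # Split a build string into a version (ver[k]) and a numeric
        # release (rel[k]); dist tag and arch after the release are ignored.
        function parse(s, k,   p) {
            sub(/^sssd-/, "", s)
            # Dotted form has no "-": treat the last field as the release.
            if (index(s, "-") == 0 && match(s, /\.[0-9]+$/))
                s = substr(s, 1, RSTART - 1) "-" substr(s, RSTART + 1)
            split(s, p, /-/)
            ver[k] = p[1]
            rel[k] = p[2] + 0      # "52.el6.x86_64" + 0 evaluates to 52
        }
        BEGIN {
            parse(a, 1); parse(b, 2)
            na = split(ver[1], x, /\./); nb = split(ver[2], y, /\./)
            n = (na > nb) ? na : nb
            # Compare version fields as numbers, missing fields count as 0.
            for (i = 1; i <= n; i++) {
                if (x[i] + 0 > y[i] + 0) exit 0
                if (x[i] + 0 < y[i] + 0) exit 1
            }
            exit (rel[1] >= rel[2] ? 0 : 1)
        }'
}

# sssd_has_hostgroup_fix BUILD -> 0 when BUILD is at or above FIXED_BUILD.
sssd_has_hostgroup_fix() {
    sssd_build_ge "$1" "$FIXED_BUILD"
}

# On an RPM-based host, report on the installed package; skipped elsewhere.
if command -v rpm >/dev/null 2>&1 && installed=$(rpm -q sssd 2>/dev/null); then
    if sssd_has_hostgroup_fix "$installed"; then
        echo "$installed: at or above sssd-$FIXED_BUILD"
    else
        echo "$installed: older than sssd-$FIXED_BUILD, host-group HBAC rules may be denied"
    fi
fi
```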
Re: [Freeipa-users] HBAC rules not working
Hi,

I have created a brand new workstation, brand new user group and brand new host group... when I go to create a HBAC rule the user group fails to appear...

So it looks like the ipa setup is broken... terminally...? :/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 25 November 2011 9:21 a.m.
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

I went debug_level 3

I am getting access denied by hbac rules

Screenshot from the log incl.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 24 November 2011 6:42 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

Steven Jones wrote:
> When I add a host to the hbac rule and not a host group I can login
>
> Something is wrong with the host group(s)... damned if I can see what.

I'd bump up debugging in sssd (sssd.conf (5)) on the server you're logging into. It should tell you the evaluation it is making and why it is failing.

You'll need to restart sssd after adding debug_level.

rob
Re: [Freeipa-users] HBAC rules not working
Hi,

Yes I got there already, but thanks

I made a new rule and per host works fine, not if I try and use a host group via CLI, so it's not the gui I think... I can see one difference I'm testing that theory now.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: JR Aquino [jr.aqu...@citrix.com]
Sent: Thursday, 24 November 2011 4:02 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

On Nov 23, 2011, at 5:41 PM, Steven Jones wrote:

> Hi,
>
> Even a reboot doesn't fix the ghost host group issue...
>
> Can it be done via the cli?

ipa hbacrule-add-host --hostgroups=hostgroup_name hbacrule_name

Also you may be running into a problem with source hosts... You do need to specify from which hosts you are allowing ssh if I recall correctly.

Assuming that you want to permit _from_ any source host:

ipa hbacrule-mod --srchostcat=all hbacrule_name
Re: [Freeipa-users] HBAC rules not working
Steven Jones wrote:
> When I add a host to the hbac rule and not a host group I can login
>
> Something is wrong with the host group(s)... damned if I can see what.

I'd bump up debugging in sssd (sssd.conf (5)) on the server you're logging into. It should tell you the evaluation it is making and why it is failing.

You'll need to restart sssd after adding debug_level.

rob
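The debug_level change suggested above, sketched as an added example that is not part of the thread. It assumes the option belongs in the `[domain/...]` section, since the access provider that evaluates HBAC runs in the domain back end; the function names, the sample file and the domain name `example.test` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The sample config and the domain name
# "example.test" are constructed placeholders.

# set_domain_debug_level CONF DOMAIN LEVEL
# Put "debug_level = LEVEL" directly under [domain/DOMAIN] and drop any older
# debug_level line in that section. Other sections are left untouched.
# Returns non-zero, leaving the file unchanged, when the section is missing.
set_domain_debug_level() {
    conf=$1; domain=$2; level=$3
    tmp=$(mktemp) || return 1
    if awk -v sect="[domain/$domain]" -v lvl="$level" '
        /^\[/ {
            hdr = $0; sub(/[ \t]+$/, "", hdr)
            in_sect = (hdr == sect)
            print
            if (in_sect) { print "debug_level = " lvl; found = 1 }
            next
        }
        in_sect && /^[ \t]*debug_level[ \t]*=/ { next }   # old value
        { print }
        END { exit(found ? 0 : 1) }
    ' "$conf" > "$tmp"; then
        # Overwrite in place so the owner and mode of sssd.conf are kept;
        # sssd checks the file ownership and permissions at startup.
        cat "$tmp" > "$conf"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# get_domain_debug_level CONF DOMAIN -> prints the value set in that section.
get_domain_debug_level() {
    awk -v sect="[domain/$2]" '
        /^\[/ { hdr = $0; sub(/[ \t]+$/, "", hdr); in_sect = (hdr == sect); next }
        in_sect && /^[ \t]*debug_level[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Demonstration on a constructed file; nothing under /etc is touched.
demo_debug_level() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
access_provider = ipa
debug_level = 1

[pam]
EOF
    set_domain_debug_level "$sample" example.test 3 && cat "$sample"
    rm -f "$sample"
    # On the real host the file is /etc/sssd/sssd.conf; restart sssd afterwards
    # (for example "service sssd restart") and read the domain log under
    # /var/log/sssd/ for the HBAC evaluation.
}
demo_debug_level
```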
Re: [Freeipa-users] HBAC rules not working
On Nov 23, 2011, at 5:41 PM, Steven Jones wrote:

> Hi,
>
> Even a reboot doesn't fix the ghost host group issue...
>
> Can it be done via the cli?

ipa hbacrule-add-host --hostgroups=hostgroup_name hbacrule_name

Also you may be running into a problem with source hosts... You do need to specify from which hosts you are allowing ssh if I recall correctly.

Assuming that you want to permit _from_ any source host:

ipa hbacrule-mod --srchostcat=all hbacrule_name
Re: [Freeipa-users] HBAC rules not working
When I add a host to the hbac rule and not a host group I can login

Something is wrong with the host group(s)... damned if I can see what.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 24 November 2011 2:38 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

When I go to a different existing HBAC rule and add the host group I can login.

confused... can't see what I'm doing wrong

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] HBAC rules not working
When I go to a different existing HBAC rule and add the host group I can login.

confused... can't see what I'm doing wrong

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 24 November 2011 2:35 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

When I go to the host group and pick the group I want, then go to the HBAC tab the hbac rule I have written doesn't appear as an enrol choice, but other rules do.

This is just weird

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] HBAC rules not working
When I go to the host group and pick the group I want, then go to the HBAC tab the hbac rule I have written doesn't appear as an enrol choice, but other rules do.

This is just weird

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 24 November 2011 2:27 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

Redoing the user groups and host groups yet again with new names makes no difference

Redoing this and I'm suspicious that the gui might show the hosts group exists in the hosts group tab but it may not be in the LDAP backend... certainly in the HBAC window the host group fails to appear... and I can't login.

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] HBAC rules not working
Redoing the user groups and host groups yet again with new names makes no difference

Redoing this and I'm suspicious that the gui might show the hosts group exists in the hosts group tab but it may not be in the LDAP backend... certainly in the HBAC window the host group fails to appear... and I can't login.

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 24 November 2011 2:08 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

Hi,

Even a reboot doesn't fix the ghost host group issue...

Can it be done via the cli?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] HBAC rules not working
Hi,

Even a reboot doesn't fix the ghost host group issue...

Can it be done via the cli?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 24 November 2011 2:02 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

I have deleted the hosts and re-added... made a new hosts group.

However when I try to make a new HBAC rule for the new hosts group, the hosts group is not in the list of available host groups to allow me to pick it.

:/

It is under the host group tabs... but it's invisible elsewhere... currently I am rebooting the IPA server to see if that fixes the log jam.

:/

Kind of worried that I seem to be having rather simple terminal problems when it's 2 weeks from release

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] HBAC rules not working
I have deleted the hosts and re-added... made a new hosts group.

However when I try to make a new HBAC rule for the new hosts group, the hosts group is not in the list of available host groups to allow me to pick it.

:/

It is under the host group tabs... but it's invisible elsewhere... currently I am rebooting the IPA server to see if that fixes the log jam.

:/

Kind of worried that I seem to be having rather simple terminal problems when it's 2 weeks from release

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 24 November 2011 1:06 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC rules not working

I have traced this to the host groups in the HBAC rule...

All my HBAC rules do not work unless I specify any "to" host, I cannot specify a host group at all.

If I enable the allow_all rule but add to host group to it then that no longer works.

So I'm stuck

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] HBAC rules not working
I have traced this to the host groups in the HBAC rule...

All my HBAC rules do not work unless I specify any "to" host, I cannot specify a host group at all.

If I enable the allow_all rule but add to host group to it then that no longer works.

So I'm stuck

:/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 24 November 2011 12:23 p.m.
To: Alexander Bokovoy; freeipa-de...@redhat.com; freeipa-users@redhat.com
Subject: [Freeipa-users] HBAC rules not working

Hi,

I have disabled the allow_all rule

I have created a group and added a user, I have enrolled a client and added it to a host group... I have done a HBAC rule between the two groups to allow all services, that user group to that host group from anywhere, but I cannot login

If I enable the allow_all HBAC I can

So how do I fault find why I can't login?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272