Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain.
- Run through the test case to join the domain.
How to test
- The intent here is to set up an HBAC rule which allows access only when it is initiated by a specific user ("testuser"). HBAC rules are allow rules with no deny counterpart: once the default allow_all rule is disabled, any user, host and service combination that no enabled rule matches is refused at login, which is what the admin check below relies on.
- Create a FreeIPA user (after acquiring admin credentials). A password set with --password is marked expired, so FreeIPA will ask testuser to change it at the first login.
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created. With --servicecat=all and --hostcat=all the rule matches every PAM service on every enrolled host, so only the user membership restricts it:
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone. While allow_all is enabled it matches everybody, so testrule has no visible effect:
$ ipa hbacrule-disable allow_all
- Make sure that admin is not able to ssh into the IPA server (per the HBAC rule). Authentication itself succeeds; the refusal comes from the PAM account phase, so the password is accepted and the session is then closed. On the target host, /var/log/secure (or the journal) should show a pam_sss(sshd:account) line reporting that access was denied for user admin.
$ ssh admin@<ipa-server>
- Make sure that testuser is able to ssh into the IPA server (per the HBAC rule). Because the rule uses --hostcat=all, the same two checks should also hold against the machine you just joined with realmd, where SSSD enforces the rule.
$ ssh testuser@<ipa-server>
Clean-up after the test
Enable the allow_all rule again to avoid interference with other test cases (testrule and testuser can also be removed once you are done):
$ ipa hbacrule-enable allow_all
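The procedure above, modelled offline as an added example that is not FreeIPA's, SSSD's or realmd's code: a small HBAC evaluator that mirrors the allow_all and testrule definitions and shows why disabling allow_all refuses admin but not testuser, and why re-enabling it in the clean-up step restores admin's access. The host name client.example.test and the matching logic are assumptions for illustration; host groups and service groups, which real HBAC rules also honour, are left out. For a server-side check of the real rules without logging in, ipa hbactest evaluates a user/host/service triple against them.

```python
"""Offline model of FreeIPA HBAC evaluation for the test case above.

Added example, not FreeIPA, SSSD or realmd code. Rule fields follow the
ipa hbacrule-* options; the host name client.example.test and the matching
logic are assumptions, and host/service groups are omitted for brevity.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class HbacRule:
    """One HBAC allow rule. A category of 'all' matches everything; otherwise
    the explicit member sets are consulted. HBAC has no deny rules."""
    name: str
    enabled: bool = True
    usercat: Optional[str] = None       # 'all' or None (--usercat=all)
    hostcat: Optional[str] = None       # 'all' or None (--hostcat=all)
    servicecat: Optional[str] = None    # 'all' or None (--servicecat=all)
    users: Set[str] = field(default_factory=set)      # hbacrule-add-user --users
    groups: Set[str] = field(default_factory=set)     # hbacrule-add-user --groups
    hosts: Set[str] = field(default_factory=set)      # hbacrule-add-host --hosts
    services: Set[str] = field(default_factory=set)   # hbacrule-add-service --hbacsvcs

    def matches(self, user: str, user_groups: FrozenSet[str],
                host: str, service: str) -> bool:
        if not self.enabled:
            return False                 # a disabled rule never grants anything
        user_ok = (self.usercat == "all" or user in self.users
                   or bool(self.groups & user_groups))
        host_ok = self.hostcat == "all" or host in self.hosts
        svc_ok = self.servicecat == "all" or service in self.services
        return user_ok and host_ok and svc_ok


def matched_rules(rules: List[HbacRule], user: str, host: str, service: str,
                  user_groups: FrozenSet[str] = frozenset()) -> List[str]:
    """Names of the enabled rules that match this user/host/service triple."""
    return [r.name for r in rules if r.matches(user, user_groups, host, service)]


def hbac_allowed(rules: List[HbacRule], user: str, host: str, service: str,
                 user_groups: FrozenSet[str] = frozenset()) -> bool:
    """Default deny: access is granted only if at least one enabled rule matches."""
    return bool(matched_rules(rules, user, host, service, user_groups))


def page_rules() -> Dict[str, HbacRule]:
    """The rule set that exists after the ipa hbacrule-add commands above."""
    allow_all = HbacRule("allow_all", usercat="all", hostcat="all", servicecat="all")
    testrule = HbacRule("testrule", hostcat="all", servicecat="all", users={"testuser"})
    return {"allow_all": allow_all, "testrule": testrule}


def run_scenario(host: str = "client.example.test",
                 service: str = "sshd") -> Dict[str, Dict[str, bool]]:
    """Walk through the test case and record who may log in at each step."""
    rules = page_rules()
    ordered = list(rules.values())

    def probe() -> Dict[str, bool]:
        return {u: hbac_allowed(ordered, u, host, service) for u in ("admin", "testuser")}

    result = {"before_disable": probe()}
    rules["allow_all"].enabled = False       # $ ipa hbacrule-disable allow_all
    result["after_disable"] = probe()
    rules["allow_all"].enabled = True        # $ ipa hbacrule-enable allow_all (clean-up)
    result["after_reenable"] = probe()
    return result


if __name__ == "__main__":
    for step, who in run_scenario().items():
        print(step, who)
```

Running the file prints the three steps: before allow_all is disabled both users are admitted, after it is disabled only testuser matches a rule (testrule), and re-enabling it admits admin again. The same evaluator shows the general case the test does not exercise: a rule restricted with explicit hosts or services matches only that host or service, so a rule granting sshd on one client does not open a login service or another host.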
The SELinux policy for realmd isn't yet stable, so you may want to turn off enforcement for the test. Please do still file bugs for the SELinux AVC denials you see.
Known Issue [SELinux]: You need to switch SELinux to permissive mode to complete the join. setenforce 0 does not disable SELinux; AVC denials are still logged, which is what the bug report needs. Please do:
$ sudo setenforce 0
Please file all realmd AVCs at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=867873
Collect the denials with:
$ sudo grep realmd /var/log/audit/audit.log