Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain.
- If you haven't already, run through the test case to join the domain.
How to test
- The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
- Make sure you have freeipa-admintools installed
# yum install freeipa-admintools
- Create a FreeIPA user (after acquiring admin credentials)
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone
$ ipa hbacrule-disable allow_all
- On the system that joined the domain, change the testuser password for the first time.
$ kinit testuser@IPA.EXAMPLE.ORG
- You will be prompted to enter a new password here
- Before the login, make sure that credential caching is enabled on the client
/etc/sssd/sssd.confin your editor of choice
- Make sure that
cache_credentials=Trueis present in the
[domain]section of sssd.conf
- Restart the SSSD if you modified the config file:
service sssd restart
- On the system that joined the domain, switch to another VT (press
- Log in as the admin should fail.
host login: firstname.lastname@example.org
- You should see 'Permission Denied' appear for a second or two
- Login should not be possible
- Now log in as test user, this should succeed.
host login: email@example.com
- The login should complete, and you should get to a standard unix shell prompt.
- Test the offline logins, too
- Disconnect the client from the network. As root, shut down the NM service:
# service NetworkManager stop
- Log in as the test user again. The login should succeed.
- Don't forget to start the networking again to make sure you're able to run the cleanup
Clean-up after the test
Enable the allow_all rule again to avoid interference with other Test cases:
$ kinit admin $ ipa hbacrule-enable allow_all
The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
- RHBZ #952830 If you see SELinux issues, it's because you don't have selinux-policy-3.12.1-32 or later.
- Please do this and report all AVC's to the above bug.
$ sudo setenforce permissive ... do the test $ sudo grep realmd /var/log/audit/audit.log
- RHBZ #953116 If you do not first kinit as the testuser, but try to log in as that user directly, you will run into this bug, where the password for a user that comes from sssd cannot be changed via PAM.
- Work around available in the bug.