From Fedora Project Wiki
No edit summary |
mNo edit summary |
||
| Line 2: | Line 2: | ||
|description=Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain. | |description=Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain. | ||
|setup= | |setup= | ||
# | # If you haven't already, run through the [[QA:Testcase_FreeIPA_realmd_join|test case to join the domain]]. | ||
|actions= | |actions= | ||
| Line 17: | Line 17: | ||
|results= | |results= | ||
# Make sure that admin is not able to ssh into the IPA server (per the HBAC rule) | # Make sure that admin is not able to ssh into the IPA server (per the HBAC rule) | ||
#: <pre>$ ssh admin@server.example.org</pre> | #: <pre>$ ssh admin@server.ipa.example.org</pre> | ||
# Make sure that testuser is able to ssh into the IPA server (per the HBAC rule) | # Make sure that testuser is able to ssh into the IPA server (per the HBAC rule) | ||
#: <pre>$ ssh testuser@ | #: <pre>$ ssh testuser@server.ipa.example.org</pre> | ||
}} | }} | ||
| Line 30: | Line 30: | ||
The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see. | The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see. | ||
'''Known Issue [[https://bugzilla.redhat.com/show_bug.cgi?id= | '''Known Issue [[https://bugzilla.redhat.com/show_bug.cgi?id=952830 Selinux]]:''' You need to turn off selinux to complete the join. Please do: | ||
<pre> | <pre> | ||
| Line 36: | Line 36: | ||
</pre> | </pre> | ||
Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id= | Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=952830 | ||
<pre> | <pre> | ||
Revision as of 23:38, 17 April 2013
Description
Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain.
Setup
- If you haven't already, run through the test case to join the domain.
How to test
- The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
- Create a FreeIPA user (after acquiring admin credentials)
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone
$ ipa hbacrule-disable allow_all
Expected Results
- Make sure that admin is not able to ssh into the IPA server (per the HBAC rule)
$ ssh admin@server.ipa.example.org
- Make sure that testuser is able to ssh into the IPA server (per the HBAC rule)
$ ssh testuser@server.ipa.example.org
Clean-up after the test
Enable the allow_all rule again to avoid interference with other Test cases:
$ ipa hbacrule-enable allow_all
Troubleshooting
The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
Known Issue [Selinux]: You need to turn off selinux to complete the join. Please do:
$ sudo setenforce 0
Please file all realmd AVC's at this bug: https://bugzilla.redhat.com/show_bug.cgi?id=952830
$ sudo grep realmd /var/log/audit/audit.log