From Fedora Project Wiki
Revision as of 10:18, 18 April 2013
Description
Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain.
Setup
- If you haven't already, run through the test case to join the domain.
How to test
- The intent here is to set up an HBAC rule which specifies that all access is prohibited unless it is initiated by a specific user ("testuser").
- Create a FreeIPA user (after acquiring admin credentials)
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone
$ ipa hbacrule-disable allow_all
- On the system that joined the domain, change the testuser password for the first time.
$ kinit testuser@IPA.EXAMPLE.ORG
- You will be prompted to enter a new password here
Expected Results
- On the system that joined the domain, switch to another VT (press Ctrl-Alt-F4).
- Logging in as the admin should fail.
host login: admin@ipa.example.org
- You should see 'Permission Denied' appear for a second or two
- Login should not be possible
- Now log in as the test user; this should succeed.
host login: testuser@ipa.example.org
- The login should complete, and you should get to a standard Unix shell prompt.
Clean-up after the test
Enable the allow_all rule again to avoid interference with other test cases:
$ ipa hbacrule-enable allow_all
Troubleshooting
The SELinux profile for realmd isn't yet stable, so you may want to turn off enforcement. Please do still file bugs for the SELinux AVC notifications you see.
- RHBZ #952830 If you see SELinux issues, it's because you don't have selinux-policy-3.12.1-32 or later.
- Please do the following and report all AVCs to the above bug.
$ sudo setenforce permissive
... do the test
$ sudo grep realmd /var/log/audit/audit.log
- RHBZ #953116 If you do not first kinit as the testuser, but try to log in as that user directly, you will run into this bug, where the password for a user that comes from sssd cannot be changed via PAM.
- A workaround is available in the bug.