From Fedora Project Wiki

Revision history shown on this page: "(Create page)", then "(Update test to remove ssh dependency, and reformat troubleshooting)". The earlier revision checked the HBAC rule by ssh-ing into the IPA server (ssh admin@server.ipa.example.org was expected to fail and ssh testuser@server.ipa.example.org to succeed) and told testers to run setenforce 0 to complete the join; the current revision below logs in on a local virtual terminal of the joined client instead and no longer needs ssh.

Revision as of 10:18, 18 April 2013

Description

Check that FreeIPA's HBAC (host-based access control) rules are enforced on a machine after realmd has joined it to a FreeIPA domain.

Setup

  1. If you haven't already, run through the test case to join the domain.

How to test

  1. The intent here is to set up an HBAC rule that allows access only to a specific user ("testuser") and to disable the default rule that allows everyone, so that every other login to an enrolled host is prohibited. HBAC is evaluated by SSSD on the client for PAM logins (VT, ssh and so on); it does not affect admin's ability to run ipa commands with a Kerberos ticket, which the clean-up step relies on.
  2. Create a FreeIPA user (after acquiring admin credentials)
    $ kinit admin
    $ ipa user-add testuser --first test --last user --password
  3. Create an HBAC rule that applies to all services on all hosts, and add the user you just created to it
    $ ipa hbacrule-add testrule --servicecat=all --hostcat=all
    $ ipa hbacrule-add-user testrule --users=testuser
  4. Disable the default rule that allows access to everyone. From this point on admin (and every other user except testuser) is locked out of PAM logins on every enrolled host, including the IPA server itself, until the rule is re-enabled.
    $ ipa hbacrule-disable allow_all
  5. On the system that joined the domain, change the testuser password for the first time. kinit asks for the password set in step 2 and then, because FreeIPA marks an admin-set password as expired, prompts for a new password; that new password is the one used for the login below.
    $ kinit testuser@IPA.EXAMPLE.ORG

Expected Results

  1. On the system that joined the domain, switch to another VT (press Ctrl-Alt-F4).
  2. Logging in as admin should fail.
    host login: admin@ipa.example.org
    You should see 'Permission Denied' appear for a second or two
    Login should not be possible
  3. Now log in as testuser; this should succeed.
    host login: testuser@ipa.example.org
    The login should complete, and you should get to a standard unix shell prompt.
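The procedure above can also be checked against the server's own HBAC evaluation before you touch a VT. The script below is an added example, not part of the wiki page or of realmd/FreeIPA; it assumes the setup above (testuser, testrule, allow_all disabled), a valid admin ticket from kinit, and the client's FQDN passed as its only argument. The function names and file name are the example's own. It uses ipa hbactest, which reports what the server would decide for a user/host/service triple, and it checks that the client's sssd.conf actually asks IPA for HBAC decisions (ipa-client-install, which realmd runs, writes access_provider = ipa); with another access provider the rules are never consulted locally and the VT test would pass for the wrong reason.

```shell
#!/bin/sh
# Added example (not from the wiki page or the realmd/FreeIPA projects).
# Usage, after `kinit admin` on the joined client:
#   sh hbac_check.sh client.ipa.example.org

# Reduce `ipa hbactest` output to one word: allowed, denied or unknown.
# Always exits 0 so it is safe under `set -e`; callers compare the word.
hbac_verdict() {   # $1 = captured hbactest output
    verdict=$(printf '%s\n' "$1" | sed -n 's/^.*Access granted: *//p' | head -n 1)
    case "$verdict" in
        True)  echo allowed ;;
        False) echo denied ;;
        *)     echo unknown ;;
    esac
}

# Ask the IPA server what HBAC decides for user/host/service and compare it
# with the expected verdict. Needs a Kerberos ticket (admin in this test).
# Returns 1 on a mismatch and 2 if the ipa command itself failed.
hbac_check() {   # $1 user, $2 host FQDN, $3 HBAC service, $4 allowed|denied
    out=$(ipa hbactest --user="$1" --host="$2" --service="$3") || return 2
    got=$(hbac_verdict "$out")
    if [ "$got" = "$4" ]; then
        echo "ok:   $1 on $2 via $3: $got"
    else
        echo "FAIL: $1 on $2 via $3: $got, expected $4" >&2
        return 1
    fi
}

# The client only enforces HBAC when SSSD's access provider is "ipa".
# With e.g. `access_provider = permit` every login would be allowed
# regardless of the rules, so the test must not be run in that state.
client_enforces_hbac() {   # $1 = path to sssd.conf
    grep -Eq '^[[:space:]]*access_provider[[:space:]]*=[[:space:]]*ipa[[:space:]]*$' "$1"
}

# Run the checks only when a client host name is given, so the file can
# also be sourced for its functions without contacting the server.
if [ $# -ge 1 ]; then
    client=$1
    fail=0
    client_enforces_hbac /etc/sssd/sssd.conf ||
        echo "warning: /etc/sssd/sssd.conf does not set access_provider = ipa" >&2
    # Expected with testrule enabled and allow_all disabled ("login" is the
    # HBAC service name for VT logins):
    hbac_check admin    "$client" login denied  || fail=1
    hbac_check testuser "$client" login allowed || fail=1
    exit "$fail"
fi
```

Run it before and after step 4 of the test: with allow_all still enabled both users report "allowed" (hbactest lists allow_all under "Matched rules"), after disabling it only testuser does. Remember that hbactest answers for the server's view of the rules; the VT login additionally exercises SSSD's cached copy on the client, which is why both checks are worth doing.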



Clean-up after the test

Enable the allow_all rule again to avoid interference with other test cases (and to let admin log in to enrolled hosts again):

$ ipa hbacrule-enable allow_all

Troubleshooting

The SELinux policy for realmd isn't yet stable, so you may want to turn off enforcement for the duration of the test (permissive mode still logs the denials, so nothing is lost) and switch back to enforcing mode afterwards. Please do still file bugs for the SELinux AVC denials you see.

  • RHBZ #952830 If you see SELinux issues, it's because you don't have selinux-policy-3.12.1-32 or later.
    • Run the test in permissive mode and report all AVCs to the bug above:
$ sudo setenforce permissive
... do the test
$ sudo grep realmd /var/log/audit/audit.log


  • RHBZ #953116 If you do not first kinit as testuser but try to log in as that user directly, you will run into this bug, where the password of a user that comes from SSSD cannot be changed via PAM.
    • A workaround is available in the bug.
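To turn the audit-log grep in the SELinux item above into something you can paste into the bug, the following added example (not from the wiki page or from the realmd project) does two things: it runs a command with SELinux in permissive mode and restores the previous mode afterwards even if the command fails, and it reduces the AVC records for realmd to the unique denied-operation / source context / target context / class tuples a policy maintainer needs. The function names, the file name and the audit lines used in the usage note are the example's own; assume the realm join is the command wrapped.

```shell
#!/bin/sh
# Added example (not from the wiki page or the realmd project).
# Usage:
#   sh realmd_avc.sh run realm join ipa.example.org      # join in permissive mode
#   sudo grep realmd /var/log/audit/audit.log | sh realmd_avc.sh summary

# Run a command with SELinux permissive and put the previous mode back,
# whatever the command's exit status. Leaving the machine permissive
# after the test (a forgotten `setenforce 1`) is the failure mode to avoid.
with_permissive() {   # $@ = command to run
    prev=$(getenforce) || return 1
    if [ "$prev" = Disabled ]; then
        "$@"
        return $?
    fi
    sudo setenforce Permissive || return 1
    "$@"
    rc=$?
    sudo setenforce "$prev"
    return $rc
}

# Reduce AVC records for comm="realmd" (audit log text on stdin) to unique
# "<denied ops> <scontext> -> <tcontext> <tclass>" lines. SYSCALL records
# and other processes' denials are dropped; repeats of the same denial
# collapse to one line, which is what a policy bug report needs.
realmd_avc_summary() {
    grep '^type=AVC' | grep 'comm="realmd"' |
    sed -n 's/^.*denied *{ *\([^}]*[^ }]\) *} .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*$/\1 \2 -> \3 \4/p' |
    sort -u
}

# Explicit sub-commands, so that the file does nothing (and never waits on
# stdin) when it is merely sourced for its functions.
case "${1:-}" in
    run)     shift; with_permissive "$@" ;;
    summary) realmd_avc_summary ;;
    *)       : ;;
esac
```

For a constructed record such as type=AVC ... avc: denied { read } for pid=1234 comm="realmd" name="krb5.conf" ... scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file, the summary prints read system_u:system_r:realmd_t:s0 -> system_u:object_r:etc_t:s0 file; attach both the raw records and this summary to the bug.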