From Fedora Project Wiki
No edit summary |
No edit summary |
||
Line 19: | Line 19: | ||
#: <pre>$ kinit testuser@IPA.EXAMPLE.ORG</pre> | #: <pre>$ kinit testuser@IPA.EXAMPLE.ORG</pre> | ||
#: You will be prompted to enter a new password here | #: You will be prompted to enter a new password here | ||
|results= | |results= | ||
Line 33: | Line 29: | ||
#: <pre>host login: testuser@ipa.example.org</pre> | #: <pre>host login: testuser@ipa.example.org</pre> | ||
#: The login should complete, and you should get to a standard unix shell prompt. | #: The login should complete, and you should get to a standard unix shell prompt. | ||
# | }} | ||
== More testing - offline logins == | |||
# Before the test, make sure that credential caching is enabled on the client | |||
#: open <code>/etc/sssd/sssd.conf</code> in your editor of choice | |||
#: Make sure that <code>cache_credentials=True</code> is present in the <code>[domain]</code> section of sssd.conf | |||
#: Restart the SSSD if you modified the config file: <code>service sssd restart</code> | |||
# Perform one more login online to cache the credentials | |||
#: Disconnect the client from the network. As root, shut down the NM service: | #: Disconnect the client from the network. As root, shut down the NM service: | ||
#: <pre># service NetworkManager stop</pre> | #: <pre># service NetworkManager stop</pre> | ||
#: Log in as the test user again. The login should succeed. | #: Log in as the test user again. The login should succeed. | ||
#: Don't forget to start the networking again to make sure you're able to run the cleanup | #: Don't forget to start the networking again to make sure you're able to run the cleanup | ||
== Clean-up after the test == | == Clean-up after the test == |
Revision as of 14:27, 7 May 2013
Description
Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain.
Setup
- If you haven't already, run through the test case to join the domain.
How to test
- The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
- Make sure you have freeipa-admintools installed
# yum install freeipa-admintools
- Create a FreeIPA user (after acquiring admin credentials)
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone
$ ipa hbacrule-disable allow_all
- On the system that joined the domain, change the testuser password for the first time.
$ kinit testuser@IPA.EXAMPLE.ORG
- You will be prompted to enter a new password here
Expected Results
- On the system that joined the domain, switch to another VT (press
Ctrl-Alt-F4
). - Log in as the admin should fail.
host login: admin@ipa.example.org
- You should see 'Permission Denied' appear for a second or two
- Login should not be possible
- Now log in as test user, this should succeed.
host login: testuser@ipa.example.org
- The login should complete, and you should get to a standard unix shell prompt.
More testing - offline logins
- Before the test, make sure that credential caching is enabled on the client
- open
/etc/sssd/sssd.conf
in your editor of choice - Make sure that
cache_credentials=True
is present in the[domain]
section of sssd.conf - Restart the SSSD if you modified the config file:
service sssd restart
- open
- Perform one more login online to cache the credentials
- Disconnect the client from the network. As root, shut down the NM service:
# service NetworkManager stop
- Log in as the test user again. The login should succeed.
- Don't forget to start the networking again to make sure you're able to run the cleanup
Clean-up after the test
Enable the allow_all rule again to avoid interference with other Test cases:
$ kinit admin $ ipa hbacrule-enable allow_all
Troubleshooting
The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
- RHBZ #952830 If you see SELinux issues, it's because you don't have selinux-policy-3.12.1-32 or later.
- Please do this and report all AVC's to the above bug.
$ sudo setenforce permissive ... do the test $ sudo grep realmd /var/log/audit/audit.log
- RHBZ #953116 If you do not first kinit as the testuser, but try to log in as that user directly, you will run into this bug, where the password for a user that comes from sssd cannot be changed via PAM.
- Work around available in the bug.