From Fedora Project Wiki
Description
Check that FreeIPA's HBAC rules are respected after using realmd to join the current machine to a FreeIPA domain.
Setup
- If you haven't already, run through the test case to join the domain.
How to test
- The intent here is to set up an HBAC rule which specifies that all access is prohibited, unless it is initiated by a specific user ("testuser")
- Make sure you have freeipa-admintools installed
# yum install freeipa-admintools
- Create a FreeIPA user (after acquiring admin credentials)
$ kinit admin
$ ipa user-add testuser --first test --last user --password
- Create an HBAC rule that allows access to the user you just created
$ ipa hbacrule-add testrule --servicecat=all --hostcat=all
$ ipa hbacrule-add-user testrule --users=testuser
- Disable the default rule that allows access to everyone
$ ipa hbacrule-disable allow_all
- On the system that joined the domain, change the testuser password for the first time.
$ kinit testuser@IPA.EXAMPLE.ORG
- You will be prompted to enter a new password here
Expected Results
- On the system that joined the domain, switch to another VT (press
Ctrl-Alt-F4
). - Log in as the admin should fail.
host login: admin@ipa.example.org
- You should see 'Permission Denied' appear for a second or two
- Login should not be possible
- Now log in as test user, this should succeed.
host login: testuser@ipa.example.org
- The login should complete, and you should get to a standard unix shell prompt.
Clean-up after the test
Enable the allow_all rule again to avoid interference with other Test cases:
$ ipa hbacrule-enable allow_all
Troubleshooting
The selinux profile for realmd isn't yet stable, so you may want turn off enforcement. Please do still file bugs for the SElinux AVC notifications you see.
- RHBZ #952830 If you see SELinux issues, it's because you don't have selinux-policy-3.12.1-32 or later.
- Please do this and report all AVC's to the above bug.
$ sudo setenforce permissive ... do the test $ sudo grep realmd /var/log/audit/audit.log
- RHBZ #953116 If you do not first kinit as the testuser, but try to log in as that user directly, you will run into this bug, where the password for a user that comes from sssd cannot be changed via PAM.
- Work around available in the bug.