Ben Aveling via FreeIPA-users wrote:
> We have a user who can login.
>
> hbactest says they shouldn't be allowed to - when it's run from the command
> line.
>
> When run from the GUI, hbactest says that the user should be allowed to
> login.
>
> Looking at the rules, there doesn't seem to be any reason why the user
> shouldn't be allowed to login, so it seems that the GUI is right and the CLI
> is wrong.
>
> Just wondering if anyone has seen this before, or has any thoughts on whether
> we should worry about this or not?

The GUI and cli execute the exact same code.

I'd suggest looking at the Apache error log on the IPA master to see what arguments are passed into the hbactest routine to see if something differs between the UI and CLI. It will look something like:

ipa: INFO: [jsonserver_session] [email protected]: hbactest/1(user='admin', targethost='ipa.example.test', service='sshd', version='2.239'): SUCCESS

The SUCCESS doesn't indicate what the hbactest call returns, just that the entire transaction was successful.

You might also crank up the sssd debugging to get more details on what it is passing into HBAC.

rob
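
Added example, not part of the reply above and not FreeIPA code: a small parser that pulls hbactest calls out of Apache error log text in the format quoted above and reports which arguments differ between two calls. The sample lines are constructed; the principal, user, host and rule names and the [jsonserver_kerb] tag on the second line are assumptions.

```python
import ast
import re

# Constructed sample lines (not real log output); all values are assumptions.
SAMPLE_LOG = """\
ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: hbactest/1(user='jdoe', targethost='web1.example.test', service='sshd', version='2.239'): SUCCESS
ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.TEST: hbactest/1(user='jdoe', targethost='web1', service='sshd', rules=('allow_admins',), version='2.239'): SUCCESS
ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: user_show/1('jdoe', version='2.239'): SUCCESS
"""

# search() is used so the Apache timestamp/pid prefix in front of "ipa:" is ignored.
LINE_RE = re.compile(
    r"\[(?P<ctx>\w+)\] (?P<who>\S+): hbactest/\d+\((?P<args>.*)\): (?P<status>\w+)\s*$"
)

def parse_hbactest_calls(log_text):
    """Return one dict per hbactest call: context tag, principal, keyword args."""
    calls = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an hbactest line
        try:
            # The logged argument list is written like a Python call, so parse
            # it as one and evaluate only literal values (no code execution).
            node = ast.parse("f(" + m["args"] + ")", mode="eval").body
            kwargs = {k.arg: ast.literal_eval(k.value) for k in node.keywords}
        except (SyntaxError, ValueError):
            continue  # truncated or unexpected line: skip rather than guess
        calls.append({"ctx": m["ctx"], "who": m["who"], "kwargs": kwargs})
    return calls

def diff_calls(a, b):
    """Map each differing argument to its (a, b) values; None means not passed."""
    keys = sorted(set(a["kwargs"]) | set(b["kwargs"]))
    return {k: (a["kwargs"].get(k), b["kwargs"].get(k))
            for k in keys if a["kwargs"].get(k) != b["kwargs"].get(k)}

if __name__ == "__main__":
    calls = parse_hbactest_calls(SAMPLE_LOG)
    for name, (x, y) in diff_calls(calls[0], calls[1]).items():
        print(f"{name}: {calls[0]['ctx']}={x!r}  {calls[1]['ctx']}={y!r}")
```

An empty diff between the UI call and the CLI call means the inputs match and the difference has to be looked for elsewhere, such as the sssd debug output mentioned above.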
