Let's say we have a host somewhatsap.mydomain.at that is a member of a
hostgroup saphosts that has an HBAC rule saphosts-ssh assigned.
The host somewhatsap.mydomain.at has another HBAC rule
(saphosts-ssh-somecountry) directly assigned.
The user we wanted to grant access to somewhatsap.mydomain.at was only
assigned to the saphosts-ssh-somecountry HBAC rule so the user could not
access that particular host.
ipa hbactest [email protected] --host=somewhatsap.mydomain.at --service=sshd
--------------------
Access granted: True
--------------------
Matched rules: saphosts-ssh
Not matched rules: saphosts-ssh-somecountry
The moment we put that user into the saphosts-ssh HBAC rule the user
could access the host.
So... is there some kind of HBAC rule precedence I am not aware of? I
could not find an answer to this question in the official
documentation... (and why does hbactest say the user is granted access
when it actually is not?)
Cheers,
Ronald
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]