On Tue, Feb 11, 2025 at 03:12:31PM +0100, Ronald Wimmer via FreeIPA-users wrote:
> Let's say we have a host somewhatsap.mydomain.at that is a member of a
> hostgroup saphosts that has an HBAC rule saphosts-ssh assigned.
>
> The host somewhatsap.mydomain.at has another HBAC rule
> (saphosts-ssh-somecountry) directly assigned.
>
> The user we wanted to grant access to somewhatsap.mydomain.at was only
> assigned to the saphosts-ssh-somecountry HBAC rule, so the user could not
> access that particular host.
>
> ipa hbactest [email protected] --host=somewhatsap.mydomain.at
> --service=sshd
> --------------------
> Access granted: True
> --------------------
> Matched rules: saphosts-ssh
> Not matched rules: saphosts-ssh-somecountry
>
> The moment we put that user into the saphosts-ssh HBAC rule the user could
> access the host.
>
> So... is there some kind of HBAC rule precedence I am not aware of? I could
> not find an answer to this question in the official documentation... (and
> why does hbactest say the user is granted access when it actually is not?)
Hi,

there is no order applied to the evaluation of the rules. All rules are
processed, and if no matching rule is found, or a rule which rejects access
is found, access is rejected. If a rule which allows access is found and
there is no matching rule which rejects access, access is granted.

You can find more details about the evaluation by running SSSD with
`debug_level = 9` in the [domain/...] section of sssd.conf and grepping the
backend logs for "hbac_evaluate".

HTH

bye,
Sumit

> Cheers,
> Ronald
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
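The evaluation Sumit describes (every enabled rule is checked, no precedence, access granted as soon as at least one rule matches on user, host and service) is easy to see in a small model. The block below is an added example written for this page; it is not SSSD's hbac_evaluate() nor any FreeIPA code, and the users, the group "sap-admins", the extra host "othersap.mydomain.at" and the contents of the two rules are constructed for illustration (only the rule and host names come from the thread). It resolves one level of group membership; the real evaluator also handles nested groups, service groups and category=all rules in full.

```python
"""Toy model of FreeIPA/SSSD HBAC rule evaluation.

Added example for this thread; not code from FreeIPA, SSSD or the authors.
All directory data below (users, groups, rule contents) is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class HBACRule:
    """The parts of an HBAC rule that the evaluation looks at."""
    name: str
    enabled: bool = True
    users: Set[str] = field(default_factory=set)        # memberUser (users)
    user_groups: Set[str] = field(default_factory=set)  # memberUser (groups)
    hosts: Set[str] = field(default_factory=set)        # memberHost (hosts)
    host_groups: Set[str] = field(default_factory=set)  # memberHost (hostgroups)
    services: Set[str] = field(default_factory=set)     # memberService
    any_user: bool = False     # usercategory=all
    any_host: bool = False     # hostcategory=all
    any_service: bool = False  # servicecategory=all

    def matches(self, user: str, user_groups: Set[str],
                host: str, host_groups: Set[str], service: str) -> bool:
        """A rule matches only when its user, host AND service parts all match."""
        user_ok = self.any_user or user in self.users or bool(user_groups & self.user_groups)
        host_ok = self.any_host or host in self.hosts or bool(host_groups & self.host_groups)
        svc_ok = self.any_service or service in self.services
        return user_ok and host_ok and svc_ok


def evaluate(rules: List[HBACRule], user: str, user_groups: Set[str],
             host: str, host_groups: Set[str], service: str
             ) -> Tuple[bool, List[str], List[str]]:
    """Walk every enabled rule; there is no precedence and no short-circuit.

    Returns (granted, matched rule names, not-matched rule names), in the
    spirit of `ipa hbactest` output. Access is granted iff >= 1 rule matches.
    """
    matched: List[str] = []
    not_matched: List[str] = []
    for rule in rules:
        if not rule.enabled:
            continue  # disabled rules are ignored entirely
        if rule.matches(user, user_groups, host, host_groups, service):
            matched.append(rule.name)
        else:
            not_matched.append(rule.name)
    return bool(matched), sorted(matched), sorted(not_matched)


# --- constructed directory data (hypothetical) -----------------------------
HOST = "somewhatsap.mydomain.at"
HOSTGROUPS: Dict[str, Set[str]] = {"saphosts": {HOST, "othersap.mydomain.at"}}
USERGROUPS: Dict[str, Set[str]] = {"sap-admins": {"alice"}}

RULES = [
    # reaches the host indirectly, through the hostgroup
    HBACRule("saphosts-ssh", user_groups={"sap-admins"},
             host_groups={"saphosts"}, services={"sshd"}),
    # assigned to the host directly
    HBACRule("saphosts-ssh-somecountry", users={"bob"},
             hosts={HOST}, services={"sshd"}),
]


def groups_of(name: str, table: Dict[str, Set[str]]) -> Set[str]:
    """Resolve (one level of) group membership for a user or host."""
    return {g for g, members in table.items() if name in members}


def check(user: str, service: str, rules: List[HBACRule] = RULES,
          host: str = HOST) -> Tuple[bool, List[str], List[str]]:
    """hbactest-style check of one user/host/service triple against a rule set."""
    return evaluate(rules, user, groups_of(user, USERGROUPS),
                    host, groups_of(host, HOSTGROUPS), service)


if __name__ == "__main__":
    for user, svc in [("alice", "sshd"), ("bob", "sshd"), ("bob", "ftp"), ("carol", "sshd")]:
        granted, hit, miss = check(user, svc)
        print(f"{user}@{HOST} {svc}: granted={granted} matched={hit} not_matched={miss}")
    # The order of the rule list does not change the outcome.
    assert check("alice", "sshd") == check("alice", "sshd", rules=list(reversed(RULES)))
```

The point to take from the model: a user who is in neither rule is denied regardless of how the host is assigned, a user who matches one rule is granted even though every other rule reports "not matched", and reversing the rule list changes nothing. When the real outcome on the host differs from `ipa hbactest`, the SSSD backend log with `debug_level = 9` is where the per-rule decision of hbac_evaluate() can be read.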
