Hi,
I have a IPA setup, in trust with active directory.
I noticed a strange behaviour in HBAC.
In details:
I have a group ("extgroup"), defined as external, containing an active
directory user ("user(a)ad.dom.ain").
I defined a HBAC rule ("allow_AD_ssh") to permit ssh to a host to users
belonging to "extgroup", but the HBAC test (performed with
"user(a)ad.dom.ain") fails. I'm sure the cause is the "Who" section of the
HBAC rule (if I leave "Anyone" it works). So the HBAC is defined as:
WHO: User group "extgroup"
ACCESSING: host I want to give access to
SERVICE: sshd
I was pretty sure it was a incompatibility of HBAC rules with external user.
But if I define a standard (POSIX) group (let say "intgroup"), make
"extgroup" member of "intgroup" and use "intgroup" in the definition of
the (section "who" of) HBAC rule, it works like a charm.
Why direct use of external group is not working? Is it a bug? Or is
there a reason I cannot see?
TIA
Cheers,
Giulio