- Bug
- Resolution: Done-Errata
- Undefined
- rhel-9.5
- ipa-4.12.2-2.el9
- None
- Important
- 1
- rhel-idm-ipa
- ssg_idm
- 10
- 12
- 2
- QE ack, Dev ack
- False
- False
- Yes
- 2024-Q4-Alpha-S3
- Pass
- Automated
- Bug Fix
- Done
- x86_64
- None
What were you trying to do that didn't work?
Default hbac rules are duplicated on the remote server during ipa-migrate prod-mode
Please provide the package NVR for which bug is seen:
ipa-server-4.12.0-4.el9.x86_64
krb5-server-1.21.1-2.el9.x86_64
389-ds-base-2.5.1-1.el9.x86_64
How reproducible: Always
Steps to reproduce
- Install IPA local and remote servers, i.e. testrelm.test domain
- Add hbac rule and sudo rules on the local server.
- Run the ipa-migrate tool on the remote server:
  [root@remote ~]# ipa-migrate prod-mode local.testrelm.test -D 'cn=Directory Manager' -w password
- Run ipa hbacrule-find on the remote server.
Expected results
Remove duplication of default hbac rules.
Actual results
allow_systemd-user and allow_all are duplicated on the remote server.
[root@local ~]# ipa hbacrule-find
--------------------
3 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: True
Rule name: allow_systemd-user
User category: all
Host category: all
Description: Allow pam_systemd to run user@.service to create a system user session
Enabled: True
Rule name: hbacrule1
Enabled: True
----------------------------
Number of entries returned 3
----------------------------
[root@remote ~]# ipa hbacrule-find
--------------------
5 HBAC rules matched
--------------------
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: True
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
Enabled: True
Rule name: allow_systemd-user
User category: all
Host category: all
Description: Allow pam_systemd to run user@.service to create a system user session
Enabled: True
Rule name: allow_systemd-user
User category: all
Host category: all
Description: Allow pam_systemd to run user@.service to create a system user session
Rule name: hbacrule1
Enabled: True
----------------------------
Number of entries returned 5
----------------------------
Enabled: True
- links to RHBA-2024:141066 ipa update
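A post-migration check for the symptom reported above, added here as an example and not part of the original report or of the ipa project: it parses the text output of ipa hbacrule-find and lists every rule name that appears more than once, with the Enabled state of each copy. The function names and the embedded sample are assumptions constructed for illustration.

```python
import sys
from collections import defaultdict

# Constructed sample, modelled on the remote-server output in the report
# (attribute lines trimmed; one duplicate lacks its "Enabled" line).
SAMPLE = """\
--------------------
5 HBAC rules matched
--------------------
  Rule name: allow_all
  Service category: all
  Enabled: True
  Rule name: allow_all
  Service category: all
  Enabled: True
  Rule name: allow_systemd-user
  Enabled: True
  Rule name: allow_systemd-user
  Host category: all
  Rule name: hbacrule1
  Enabled: True
"""

def parse_rules(text):
    """Split `ipa hbacrule-find` text output into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # separator rows, counters, blank lines
        if key == "Rule name":  # every rule block starts with its name
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules

def report(text):
    """Return one line per rule name that occurs more than once."""
    by_name = defaultdict(list)
    for rule in parse_rules(text):
        by_name[rule["Rule name"]].append(rule.get("Enabled", "unknown"))
    return [f"{name}: {len(states)} entries, Enabled={states}"
            for name, states in sorted(by_name.items()) if len(states) > 1]

if __name__ == "__main__":
    # Pipe real output in, or run with no stdin redirect to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text)) or "no duplicate rule names")
```

Run on the remote server after ipa-migrate by piping ipa hbacrule-find into the script; an empty duplicate list is the expected result once the fix is installed.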