IPA: HBAC doesn't honour primary group membership for IPA user

Solution Verified

Issue

  • IPA: HBAC doesn't honour primary group membership for an IPA user, causing ipa hbactest and user login to fail.
# ipa hbactest --user=testuser --host=`hostname` --service=sshd
---------------------
Access granted: False
---------------------
  Not matched rules: testhbac

# id testuser
uid=1767400004(testuser) gid=1767400003(testgroup) groups=1767400003(testgroup) <---- Group is visible

# getent group testgroup
testgroup:*:1767400003:                      <---- Empty Output

# ipa group-show testgroup
  Group name: testgroup
  GID: 1767400003
  Member of HBAC rule: testhbac

# ipa hbacrule-show testhbac
  Rule name: testhbac
  Enabled: TRUE
  User Groups: testgroup
  Host Groups: testhostgroup
  Services: sshd
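The symptom above is that the group shows up in id only through the user's primary GID, while getent group lists no members for it. The check below, an added example that is not part of the Red Hat article, parses both outputs and reports groups a user appears in without being named as a member; the id and getent group text it reads is constructed, and the admins group and the alice member are made up for contrast.

```python
import re
from typing import Dict, List, Set

# Constructed sample output modelled on the `id` and `getent group` commands
# shown in the article; the admins group and the alice member are invented.
ID_OUTPUT = ("uid=1767400004(testuser) gid=1767400003(testgroup) "
             "groups=1767400003(testgroup),1767400010(admins)")
GETENT_GROUP_OUTPUT = """testgroup:*:1767400003:
admins:*:1767400010:testuser,alice
"""

_NUM_NAME_RE = re.compile(r"(\d+)\(([^)]+)\)")


def parse_id(line: str) -> Dict[str, object]:
    """Parse one `id <user>` line into user, uid, primary group, gid and groups."""
    fields = dict(part.split("=", 1) for part in line.split())
    uid, user = _NUM_NAME_RE.match(fields["uid"]).groups()
    gid, primary = _NUM_NAME_RE.match(fields["gid"]).groups()
    groups = {name: int(num) for num, name in _NUM_NAME_RE.findall(fields["groups"])}
    return {"user": user, "uid": int(uid), "primary": primary,
            "gid": int(gid), "groups": groups}


def parse_getent_group(text: str) -> Dict[str, Set[str]]:
    """Map each group name in `getent group` output to its explicit member set."""
    members: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _passwd, _gid, member_field = line.split(":", 3)
        members[name] = {m for m in member_field.split(",") if m}
    return members


def implicit_only_groups(id_line: str, getent_text: str) -> List[str]:
    """Return the groups `id` reports for the user whose member list (what
    getent group exposes) does not name the user. A group that appears only
    through the primary GID, as testgroup does above, is exactly this case."""
    info = parse_id(id_line)
    members = parse_getent_group(getent_text)
    return sorted(g for g in info["groups"]
                  if info["user"] not in members.get(g, set()))


if __name__ == "__main__":
    print(implicit_only_groups(ID_OUTPUT, GETENT_GROUP_OUTPUT))  # ['testgroup']
```

Feed the function the live output of id and getent group for a user whose HBAC test fails to see which of their groups is visible only via the primary GID.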

Environment

  • Red Hat Enterprise Linux 7.6
  • ipa-server-4.6.4-10.el7
