#3251 [RFE] ipa group-add-member allows adding non-existent AD users/groups as external members
Opened 11 years ago by dpal. Modified 7 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=874674 (Red Hat Enterprise Linux 7)

Description of problem:

From xdong's description in bug #869616:

2> Can use invalid SIDs - and message says member was added. (-1100 is invalid)

[root@xdong ~]# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1100
Group name: bb
[member user]:
[member group]:
  Group name: bb
  Description: bb
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175,
                   s-1-5-21-2048782538-2375889789-2933420090-1100
-------------------------
Number of members added 1
-------------------------

Also:

[root@rhel6-1 ~]# ipa group-add-member ad_group_external --external S-1-5-21-1246088475-3077293710-2580964704-1701
[member user]:
[member group]:
  Group name: ad_group_external
  Description: ad.example.com group external
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135,
                   S-1-5-21-1246088475-3077293710-2580964704-1136,
                   S-1-5-21-1246088475-3077293710-2580964704-1700,
                   S-1-5-21-1246088475-3077293710-2580964704-1701
  Member users: admin
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 ~]# wbinfo -s S-1-5-21-1246088475-3077293710-2580964704-1701
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-1246088475-3077293710-2580964704-1701


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-106.20121106T0229zgit881fc3a.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Setup IPA Master with trust to AD domain
2.  ipa group-add groupname --desc=desc
3.  ipa group-add-member groupname --external <SID that does not exist in AD domain>


Actual results:
Adds a SID that can't be resolved from the AD domain.

Expected results:
should reject or at least warn that this is the case?

Additional info:

Further discussion showed that we do not validate users by SIDs. This is the RFE to add validation of external AD users when they are referred to by SID and not by name.
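As an added illustration of the validation this RFE asks for (example code written here, not FreeIPA's own implementation), the check below does what the `wbinfo -s` call in the report does by hand: it canonicalises the SID syntax (the report shows the lower-case `s-1-5-21-...` form being accepted), refuses SIDs whose domain part is not one of the trusted AD domains, and then asks winbind to resolve the SID before it is allowed as an external member. It assumes the caller supplies the trusted domains' Domain Security Identifiers (for instance from `ipa trust-show`); the resolver is injectable so the logic can be exercised without a trust.

```python
import re
import subprocess
from typing import Callable, Collection, Tuple

# Windows SID syntax: S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
# AD domain SIDs have the shape S-1-5-21-X-Y-Z; a user or group SID appends one RID to that.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")


def normalize_sid(sid: str) -> str:
    """Canonicalise a SID string or raise ValueError.

    The report shows the lower-case 's-1-5-21-...' form being accepted, so the
    prefix is folded to upper case before the syntax check."""
    sid = sid.strip().upper()
    if not _SID_RE.match(sid):
        raise ValueError(f"not a syntactically valid SID: {sid!r}")
    return sid


def wbinfo_resolves(sid: str) -> bool:
    """Ask winbind whether the SID maps to a name, as `wbinfo -s` does in the report.

    Exit status 0 means a name came back; WBC_ERR_DOMAIN_NOT_FOUND and other
    lookup failures give a non-zero status. A missing wbinfo binary also counts
    as 'unresolved' so the caller fails closed."""
    try:
        proc = subprocess.run(["wbinfo", "-s", sid], capture_output=True, check=False)
    except FileNotFoundError:
        return False
    return proc.returncode == 0


def check_external_member(sid: str, trusted_domain_sids: Collection[str],
                          resolves: Callable[[str], bool] = wbinfo_resolves) -> Tuple[bool, str]:
    """Decide whether `sid` may be added as an external member.

    Returns (True, canonical_sid) or (False, reason). `trusted_domain_sids` holds the
    Domain Security Identifiers of the trusted AD domains (assumption of this example:
    the caller supplies them, e.g. from `ipa trust-show`)."""
    try:
        canonical = normalize_sid(sid)
    except ValueError as err:
        return False, str(err)
    domain_sid, _, rid = canonical.rpartition("-")
    if domain_sid not in trusted_domain_sids:
        return False, f"{canonical}: domain {domain_sid} is not a trusted AD domain"
    if not resolves(canonical):
        return False, f"{canonical}: RID {rid} does not resolve in domain {domain_sid}"
    return True, canonical
```

Run `check_external_member` on the requested SID before calling `ipa group-add-member --external`, and only pass the SID on when the first element of the result is `True`.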


Releasing tickets from distant milestones.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago
