#4788 Access is not rejected for disabled domain
Closed: Fixed None Opened 9 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1170300

Regression of #4207

Description of problem:
This is a regression of bz1070924

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Setup trust with AD having a child domain
2. Disable child domain trust
3. ssh as user from child AD domain

Actual results:

[root@vm-idm-032 ~]# ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login
successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password:
login successful

[root@vm-idm-032 ~]# ipa trustdomain-disable adtest.qe pune.adtest.qe
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------

[root@vm-idm-032 ~]# ipa trustdomain-find  adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------

[root@vm-idm-032 ~]#  ipa trust-show adtest.qe --all | grep
S-1-5-21-91314187-2404433721-1858927112
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15,
S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0,
S-1-5-19, S-1-5-18

[root@vm-idm-032 ~]# sleep 90 ; ssh -l "aduser1@pune.adtest.qe" $(hostname)
"echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password:
login successful

[root@vm-idm-032 ~]# sleep 30 ; ssh -l "aduser1@pune.adtest.qe" $(hostname)
"echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password:
login successful

Expected results:
Access should be rejected for AD user from disabled domain

Additional info:

Alexander, are you or Sumit working on a fix?

Investigated by Alexander as an SSSD issue. This ticket should be closed or used for tracking.

The ticket will be used for implementing a FreeIPA change to the status message so that SSSD will get easier processing.

master:

  • 373a048 ipa-kdb: reject principals from disabled domains as a KDC policy

ipa-4-1:

  • 6d6e924 ipa-kdb: reject principals from disabled domains as a KDC policy
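The two independent checks this ticket touches, written out as an added example (not FreeIPA, ipa-kdb or SSSD code): the KDC-policy check from the fix (reject a principal whose realm is a disabled trust domain) and the SID filter the client side should apply (reject a user whose domain SID is in the trust's incoming SID blacklist). The sample inputs are copied from the ticket's own command output; the user RIDs (-1107, -500) are constructed.

```python
import re

# Constructed sample: the `ipa trustdomain-find adtest.qe` output from the ticket.
TRUSTDOMAIN_FIND = """\
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
"""

# Constructed sample: the line-wrapped attribute from `ipa trust-show adtest.qe --all`.
SID_BLACKLIST_INCOMING = """\
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15,
S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0,
S-1-5-19, S-1-5-18
"""

def parse_trustdomains(text):
    """Map lower-cased domain name -> (domain SID, enabled) from trustdomain-find output."""
    domains = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^[ \t]*(.+?): (.+)$", block, re.M))
        domains[fields["Domain name"].lower()] = (
            fields["Domain Security Identifier"],
            fields["Domain enabled"] == "True",
        )
    return domains

def parse_sid_blacklist(text):
    """Collect every SID from the blacklist attribute, regardless of line wrapping."""
    return set(re.findall(r"S-1(?:-\d+)+", text))

def check_access(principal, user_sid, domains, blacklist):
    """Return (allowed, reason). The realm check is the KDC policy added by the fix;
    the SID check is the filter expected on the SSSD side. Either one rejects."""
    realm = principal.rsplit("@", 1)[1].lower()
    if realm in domains and not domains[realm][1]:
        return False, "realm %s is a disabled trust domain" % realm
    domain_sid = user_sid.rsplit("-", 1)[0]  # drop the RID to get the domain SID
    if domain_sid in blacklist:
        return False, "domain SID %s is blacklisted" % domain_sid
    return True, "ok"
```

Run against the ticket's data, `aduser1@pune.adtest.qe` is rejected by both checks while a user of the parent domain `adtest.qe` is still allowed.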

Metadata Update from @pvoborni:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.1.3

7 years ago
