Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1170300
Regression of #4207
Description of problem:
This is a regression of bz1070924

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:

Steps to Reproduce:
1. Setup trust with AD having a child domain
2. Disable child domain trust
3. ssh as user from child AD domain

Actual results:
[root@vm-idm-032 ~]# ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password:
login successful
[root@vm-idm-032 ~]# ipa trustdomain-disable adtest.qe pune.adtest.qe
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------
[root@vm-idm-032 ~]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------
[root@vm-idm-032 ~]# ipa trust-show adtest.qe --all | grep S-1-5-21-91314187-2404433721-1858927112
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
[root@vm-idm-032 ~]# sleep 90 ; ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password:
login successful
[root@vm-idm-032 ~]# sleep 30 ; ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password:
login successful

Expected results:
Access should be rejected for AD user from disabled domain

Additional info:
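The transcript above shows the two halves of the check an admin needs when a disabled child domain can still log in: does IPA list the domain's SID on the incoming SID blacklist (IPA side), and is that blacklist then honoured (SSSD side, the regression tracked here). The following audit helper is an added example, not part of this ticket or of FreeIPA; it parses saved `ipa trustdomain-find` and `ipa trust-show --all` output and reports, for every disabled trust domain, whether its SID is actually blacklisted. The sample output is constructed from the transcript above, with the trust-show sample trimmed to the blacklist field.

```python
import re
# Constructed sample output, copied from the ipa transcript in this ticket;
# the trust-show sample keeps only the blacklist field.
TRUSTDOMAIN_FIND = """\
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 2
"""
TRUST_SHOW_ALL = """\
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-21-91314187-2404433721-1858927112, S-1-5-18
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+): (.+?)\s*$")

def parse_trust_domains(text):
    """Split `ipa trustdomain-find` output into one record per 'Domain name:' block."""
    domains, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separator lines and the entry count carry no field
        key, value = m.groups()
        if key == "Domain name":
            current = {"name": value, "sid": None, "enabled": True}
            domains.append(current)
        elif current is not None and key == "Domain Security Identifier":
            current["sid"] = value
        elif current is not None and key == "Domain enabled":
            current["enabled"] = value == "True"
    return domains

def parse_sid_blacklist(text, direction="incoming"):
    """Return the SIDs listed under 'SID blacklist <direction>:' in `ipa trust-show --all`."""
    m = re.search(rf"SID blacklist {direction}: (.+)", text)
    return {sid.strip() for sid in m.group(1).split(",")} if m else set()

def audit_disabled_domains(find_output, show_output):
    """Map each disabled trust domain to whether its SID is on the incoming blacklist."""
    # False: IPA never blacklisted the SID. True while login still works: SSSD side, as here.
    blacklist = parse_sid_blacklist(show_output)
    return {d["name"]: d["sid"] in blacklist
            for d in parse_trust_domains(find_output) if not d["enabled"]}
```

On a live server, feed it the captured output of the two commands; a True result for a domain whose users can still log in reproduces the situation in this ticket.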
Alexander, are you or Sumit working on a fix?
Investigated by Alexander as SSSD issue. This ticket should be closed or used for tracking.
The ticket will be used for implementing FreeIPA change of status message so that SSSD will get easier processing.
Patch sent for review: https://www.redhat.com/archives/freeipa-devel/2015-January/msg00232.html
master:
ipa-4-1:
Metadata Update from @pvoborni:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.1.3