https://bugzilla.redhat.com/show_bug.cgi?id=869678 (Red Hat Enterprise Linux 6)
Description of problem:
I can't log into IPA client (running sssd) with an AD trusted user when there is an HBAC rule in place.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup IPA Master (rhel6-1)
2. Setup AD Server (w2k8r2-1) and create testgroup and testuser1 as member of testgroup
   2.0. ipa dnszone-add adtestdom.com --name-server=w2k8r2-1.adtestdom.com --admin-email="hostmaster@adtestdom.com" --forwarder=192.168.122.21 --forward-policy=only --force
   2.1. ipa-adtrust-install
   2.2. ipa trust-add adtestdom.com --admin Administrator --password
3. ipa group-add --desc='adtestdom.com testgroup external map' adtestdom_testgroup_external --external
4. ipa group-add --desc='adtestdom.com testgroup' adtestdom_testgroup
5. wbinfo -n "ADTESTDOM\testgroup"
6. ipa group-add-member adtestdom_testgroup_external --external S-1-5-21-1246088475-3077293710-2580964704-1132
7. ipa hbacrule-add --desc=test test
8. ipa hbacrule-add-host --hosts=rhel6-1.testrelm.com test
9. ipa hbacrule-add-sourcehost test --hosts=w2k8r2-3.adtestdom.com
   (note that the sourcehost will be ignored now, so this shouldn't be necessary)
10. ipa hbacrule-add-service --hbacsvcs=sshd test
11. ipa hbacrule-add-user test --groups=adtestdom_testgroup
12. kinit testuser1@ADTESTDOM.COM
13. ssh -K -l testuser1@adtestdom.com rhel6-1

Note that some of the above procedures were just taken from history, so I hope I got it all there.
Actual results:

[root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\testgroup"
S-1-5-21-1246088475-3077293710-2580964704-1132 SID_DOM_GROUP (2)

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup_external
  Group name: adtestdom_testgroup_external
  Description: adtestdom.com testgroup external map
  Member of groups: adtestdom_testgroup
  Indirect Member of HBAC rule: test
  External member: S-1-5-21-1246088475-3077293710-2580964704-1132

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup
  Group name: adtestdom_testgroup
  Description: adtestdom.com testgroup
  GID: 1277200031
  Member groups: adtestdom_testgroup_external
  Member of HBAC rule: test

[root@rhel6-1 ~]# ipa hbacrule-show test
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Hosts: rhel6-1.testrelm.com
  Services: sshd
  External host: w2k8r2-3.adtestdom.com

[root@rhel6-1 ~]# kinit testuser1@ADTESTDOM.COM
Password for testuser1@ADTESTDOM.COM:

[root@rhel6-1 ~]# ssh -K -l testuser1@adtestdom.com rhel6-1
Connection closed by UNKNOWN
[root@rhel6-1 ~]#

Expected results:
ssh works and logs user into host.

Additional info:
/var/log/sssd/sssd_testrelm.com.log entries:

(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): No such entry
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule] (0x2000): Added non-POSIX group [adtestdom_testgroup] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [test]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_host_attrs_to_rule] (0x2000): Added host [rhel6-1.testrelm.com] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_eval_user_element] (0x1000): No groups for [testuser1]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sending result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sent result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1e2e710], connected[1], ops[(nil)], ldap[0x1e37040]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 1E00180
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
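The log excerpt above records the denial path. As an added example (not part of the ticket or of SSSD's code), the following Python parser reads lines in this sssd backend log format and flags the pattern shown: the rule's group attached only as non-POSIX, the user evaluated with no groups, and access denied by HBAC. The sample lines are copied from the ticket's excerpt.

```python
import re
from typing import Iterable, Optional

# SSSD backend debug-log layout, as in the ticket's sssd_testrelm.com.log excerpt:
#   (Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [func] (0x1000): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse_line(line: str) -> Optional[dict]:
    """Split one backend log line into its fields; None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec

def diagnose_hbac(lines: Iterable[str]) -> dict:
    """Summarise one HBAC evaluation. group_resolution_gap is set when access was
    denied, the rule's group could only be attached as non-POSIX (no local group
    object for it) and the user was evaluated with no memberships: the ticket's symptom."""
    r = {"rules": [], "non_posix_groups": [], "users_without_groups": [], "denied": False}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "hbac_attrs_to_rule" and (m := re.search(r"Processing rule \[([^\]]+)\]", msg)):
            r["rules"].append(m.group(1))
        elif func == "hbac_user_attrs_to_rule" and (
            m := re.search(r"Added non-POSIX group \[([^\]]+)\] to rule \[([^\]]+)\]", msg)
        ):
            r["non_posix_groups"].append((m.group(2), m.group(1)))  # (rule, group)
        elif func == "hbac_eval_user_element" and (m := re.search(r"No groups for \[([^\]]+)\]", msg)):
            r["users_without_groups"].append(m.group(1))
        elif func == "ipa_hbac_evaluate_rules" and "Access denied by HBAC rules" in msg:
            r["denied"] = True
    r["group_resolution_gap"] = r["denied"] and bool(r["non_posix_groups"]) and bool(r["users_without_groups"])
    return r

# Sample input: five lines copied from the ticket's log excerpt (names are the ticket's).
SAMPLE_LOG = """\
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): No such entry
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule] (0x2000): Added non-POSIX group [adtestdom_testgroup] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_eval_user_element] (0x1000): No groups for [testuser1]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
""".splitlines()
```

Running `diagnose_hbac(SAMPLE_LOG)` on a log where the trusted user's group memberships do resolve leaves group_resolution_gap False, which is the quick way to tell this failure apart from a rule that simply does not match.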
Fields changed
blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.3
testsupdated: => 0

owner: somebody => sbose
status: new => assigned

patch: 0 => 1

Fixed with:
2074780
1a456e4
6722c85
a0afedf
8913708

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/2646
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.