#1604 sssd not granting access for AD trusted user in HBAC rule
Closed: Fixed None Opened 11 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=869678 (Red Hat Enterprise Linux 6)

Description of problem:

I can't log into IPA client (running sssd) with an AD trusted user when there
is an HBAC rule in place.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Setup IPA Master (rhel6-1)
2. Setup AD Server (w2k8r2-1) and create testgroup and testuser1 as member of
testgroup
2.0.  ipa dnszone-add adtestdom.com --name-server=w2k8r2-1.adtestdom.com
--admin-email="hostmaster@adtestdom.com" --forwarder=192.168.122.21
--forward-policy=only --force
2.1.  ipa-adtrust-install
2.2.  ipa trust-add adtestdom.com --admin Administrator --password
3. ipa group-add --desc='adtestdom.com testgroup external map'
adtestdom_testgroup_external --external
4. ipa group-add --desc='adtestdom.com testgroup' adtestdom_testgroup
5. wbinfo -n "ADTESTDOM\testgroup"
6. ipa group-add-member adtestdom_testgroup_external --external
S-1-5-21-1246088475-3077293710-2580964704-1132
7. ipa hbacrule-add --desc=test test
8. ipa hbacrule-add-host --hosts=rhel6-1.testrelm.com test
9. ipa hbacrule-add-sourcehost test --hosts=w2k8r2-3.adtestdom.com
note that the sourcehost will be ignored now so this shouldn't be necessary
10. ipa hbacrule-add-service --hbacsvcs=sshd  test
11. ipa hbacrule-add-user test --groups=adtestdom_testgroup
12. kinit testuser1@ADTESTDOM.COM
13. ssh -K -l testuser1@adtestdom.com rhel6-1

Note that some of the above procedures were just taken from history so I hope I
got it all there.

Actual results:

[root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\testgroup"
S-1-5-21-1246088475-3077293710-2580964704-1132 SID_DOM_GROUP (2)

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup_external
  Group name: adtestdom_testgroup_external
  Description: adtestdom.com testgroup external map
  Member of groups: adtestdom_testgroup
  Indirect Member of HBAC rule: test
  External member: S-1-5-21-1246088475-3077293710-2580964704-1132

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup
  Group name: adtestdom_testgroup
  Description: adtestdom.com testgroup
  GID: 1277200031
  Member groups: adtestdom_testgroup_external
  Member of HBAC rule: test

[root@rhel6-1 ~]# ipa hbacrule-show test
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Hosts: rhel6-1.testrelm.com
  Services: sshd
  External host: w2k8r2-3.adtestdom.com

[root@rhel6-1 ~]# kinit testuser1@ADTESTDOM.COM
Password for testuser1@ADTESTDOM.COM:

[root@rhel6-1 ~]# ssh -K -l testuser1@adtestdom.com rhel6-1
Connection closed by UNKNOWN

[root@rhel6-1 ~]#

Expected results:

ssh works and logs user into host.

Additional info:

/var/log/sssd/sssd_testrelm.com.log entries:

(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_attrs_to_rule]
(0x1000): Processing rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule]
(0x1000): Processing users for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_users]
(0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=adtestdo
m_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups]
(0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=adtest
dom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups]
(0x2000): No such entry
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule]
(0x2000): Added non-POSIX group [adtestdom_testgroup] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test]

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_thost_attrs_to_rule]
(0x1000): Processing target hosts for rule [test]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_host_attrs_to_rule]
(0x2000): Added host [rhel6-1.testrelm.com] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule]
(0x0400): Processing source hosts for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule]
(0x2000): Source hosts disabled, setting ALL
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_eval_user_element]
(0x1000): No groups for [testuser1]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [ipa_hbac_evaluate_rules]
(0x0080): Access denied by HBAC rules
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Sending result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Sent result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x1e2e710], connected[1], ops[(nil)], ldap[0x1e37040]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
dbus conn: 1E00180
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
Dispatching.

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.3
testsupdated: => 0

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

patch: 0 => 1

Fixed with:[[BR]]
2074780[[BR]]
1a456e4[[BR]]
6722c85[[BR]]
a0afedf[[BR]]
8913708[[BR]]

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.3

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2646

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata