#1604 sssd not granting access for AD trusted user in HBAC rule
Closed: Fixed None Opened 6 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=869678 (Red Hat Enterprise Linux 6)

Description of problem:

I can't log into IPA client (running sssd) with an AD trusted user when there
is an HBAC rule in place.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Setup IPA Master (rhel6-1)
2. Setup AD Server (w2k8r2-1) and create testgroup and testuser1 as member of
testgroup
2.0.  ipa dnszone-add adtestdom.com --name-server=w2k8r2-1.adtestdom.com
--admin-email="hostmaster@adtestdom.com" --forwarder=192.168.122.21
--forward-policy=only --force
2.1.  ipa-adtrust-install
2.2.  ipa trust-add adtestdom.com --admin Administrator --password
3. ipa group-add --desc='adtestdom.com testgroup external map'
adtestdom_testgroup_external --external
4. ipa group-add --desc='adtestdom.com testgroup' adtestdom_testgroup
5. wbinfo -n "ADTESTDOM\testgroup"
6. ipa group-add-member adtestdom_testgroup_external --external
S-1-5-21-1246088475-3077293710-2580964704-1132
7. ipa hbacrule-add --desc=test test
8. ipa hbacrule-add-host --hosts=rhel6-1.testrelm.com test
9. ipa hbacrule-add-sourcehost test --hosts=w2k8r2-3.adtestdom.com
note that the sourcehost will be ignored now so this shouldn't be necessary
10. ipa hbacrule-add-service --hbacsvcs=sshd  test
11. ipa hbacrule-add-user test --groups=adtestdom_testgroup
12. kinit testuser1@ADTESTDOM.COM
13. ssh -K -l testuser1@adtestdom.com rhel6-1

Note that some of the above procedures were just taken from history so I hope I
got it all there.

Actual results:

[root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\testgroup"
S-1-5-21-1246088475-3077293710-2580964704-1132 SID_DOM_GROUP (2)

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup_external
  Group name: adtestdom_testgroup_external
  Description: adtestdom.com testgroup external map
  Member of groups: adtestdom_testgroup
  Indirect Member of HBAC rule: test
  External member: S-1-5-21-1246088475-3077293710-2580964704-1132

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup
  Group name: adtestdom_testgroup
  Description: adtestdom.com testgroup
  GID: 1277200031
  Member groups: adtestdom_testgroup_external
  Member of HBAC rule: test

[root@rhel6-1 ~]# ipa hbacrule-show test
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Hosts: rhel6-1.testrelm.com
  Services: sshd
  External host: w2k8r2-3.adtestdom.com

[root@rhel6-1 ~]# kinit testuser1@ADTESTDOM.COM
Password for testuser1@ADTESTDOM.COM:

[root@rhel6-1 ~]# ssh -K -l testuser1@adtestdom.com rhel6-1
Connection closed by UNKNOWN

[root@rhel6-1 ~]#

Expected results:

ssh works and logs user into host.

Additional info:

/var/log/sssd/sssd_testrelm.com.log entries:

(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_attrs_to_rule]
(0x1000): Processing rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule]
(0x1000): Processing users for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_users]
(0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=adtestdo
m_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups]
(0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=adtest
dom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups]
(0x2000): No such entry
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule]
(0x2000): Added non-POSIX group [adtestdom_testgroup] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]]
[hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test]

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]]
[hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_thost_attrs_to_rule]
(0x1000): Processing target hosts for rule [test]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_host_attrs_to_rule]
(0x2000): Added host [rhel6-1.testrelm.com] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule]
(0x0400): Processing source hosts for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule]
(0x2000): Source hosts disabled, setting ALL
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_eval_user_element]
(0x1000): No groups for [testuser1]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [ipa_hbac_evaluate_rules]
(0x0080): Access denied by HBAC rules
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Sending result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback]
(0x0100): Sent result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x1e2e710], connected[1], ops[(nil)], ldap[0x1e37040]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
dbus conn: 1E00180
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000):
Dispatching.

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.3
testsupdated: => 0

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

patch: 0 => 1

Fixed with:[[BR]]
2074780[[BR]]
1a456e4[[BR]]
6722c85[[BR]]
a0afedf[[BR]]
8913708[[BR]]

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.3

2 years ago

Login to comment on this ticket.

Metadata