#2535 Access is not rejected for disabled domain
Closed: Fixed None Opened 9 years ago by mkosek.

This is a clone for Bug 1170300.

Description of problem:
This is a regression of bz1070924

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Setup trust with AD having a child domain
2. Disable child domain trust
3. ssh as user from child AD domain

Actual results:

[root@vm-idm-032 ~]# ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: 
login successful

[root@vm-idm-032 ~]# ipa trustdomain-disable adtest.qe pune.adtest.qe
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------

[root@vm-idm-032 ~]# ipa trustdomain-find  adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------

[root@vm-idm-032 ~]#  ipa trust-show adtest.qe --all | grep S-1-5-21-91314187-2404433721-1858927112
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18

[root@vm-idm-032 ~]# sleep 90 ; ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: 
login successful

[root@vm-idm-032 ~]# sleep 30 ; ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: 
login successful

Expected results:
Access should be rejected for AD user from disabled domain

Additional info:

This one should be fixed early - moving to 1.12.3.

milestone: NEEDS_TRIAGE => SSSD 1.12.3
priority: major => critical

Fields changed

patch: 0 => 1

master: 956dbef

resolution: => fixed
status: new => closed

Metadata Update from @mkosek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.3

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3577

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata