#2535 Access is not rejected for disabled domain
Closed: Fixed. Opened 4 years ago by mkosek.

This is a clone for Bug 1170300.

Description of problem:
This is a regression of bz1070924

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Setup trust with AD having a child domain
2. Disable child domain trust
3. ssh as user from child AD domain

Actual results:

[root@vm-idm-032 ~]# ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: 
login successful

[root@vm-idm-032 ~]# ipa trustdomain-disable adtest.qe pune.adtest.qe
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------

[root@vm-idm-032 ~]# ipa trustdomain-find  adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------

[root@vm-idm-032 ~]#  ipa trust-show adtest.qe --all | grep S-1-5-21-91314187-2404433721-1858927112
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18

[root@vm-idm-032 ~]# sleep 90 ; ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: 
login successful

[root@vm-idm-032 ~]# sleep 30 ; ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'"
aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: 
login successful

Expected results:
Access should be rejected for an AD user from a disabled domain

Additional info:

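The access decision the report expects, as an added example that is not SSSD's or IPA's own code: parse the `SID blacklist incoming` line of `ipa trust-show --all`, strip the RID from the logging-in user's SID to get the domain SID, and refuse the login if that domain SID is on the blacklist. The trust-show text below is a constructed, trimmed sample built from the SIDs quoted in the report, and the user RIDs (1104, 1105) are constructed values not taken from the page.

```python
import re

# Constructed sample modelled on the report's `ipa trust-show adtest.qe --all` output,
# cut down to the lines this check needs (SIDs are the ones quoted in the ticket).
TRUST_SHOW_OUTPUT = """\
  Domain name: adtest.qe
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-21-91314187-2404433721-1858927112, S-1-5-18
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")


def parse_sid_blacklist(output: str) -> set:
    """Return the SIDs listed under 'SID blacklist incoming' in ipa trust-show output."""
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip() == "SID blacklist incoming":
            sids = {sid.strip() for sid in value.split(",") if sid.strip()}
            bad = [s for s in sids if not SID_RE.match(s)]
            if bad:
                raise ValueError(f"malformed SID(s) in blacklist: {bad}")
            return sids
    return set()


def domain_sid(user_sid: str) -> str:
    """Strip the RID from a domain user SID: S-1-5-21-A-B-C-RID -> S-1-5-21-A-B-C."""
    parts = user_sid.split("-")
    # Domain SIDs live under the NT authority (5) with sub-authority 21 followed by
    # three domain-specific values; a user SID adds exactly one more value, the RID.
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain user SID: {user_sid}")
    return "-".join(parts[:7])


def access_rejected(user_sid: str, blacklist: set) -> bool:
    """The check the report expects: a user whose own SID or domain SID is blacklisted is refused."""
    if user_sid in blacklist:
        return True
    try:
        return domain_sid(user_sid) in blacklist
    except ValueError:
        return False  # well-known or non-domain SID with nothing to match against


BLACKLIST = parse_sid_blacklist(TRUST_SHOW_OUTPUT)
# Constructed RIDs: aduser1 in the disabled child domain, and a user in the root domain.
PUNE_USER = "S-1-5-21-91314187-2404433721-1858927112-1104"
ADTEST_USER = "S-1-5-21-1910160501-511572375-3625658879-1105"

if __name__ == "__main__":
    for sid in (PUNE_USER, ADTEST_USER):
        print(sid, "-> rejected" if access_rejected(sid, BLACKLIST) else "-> allowed")
```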
This one should be fixed early - moving to 1.12.3.

milestone: NEEDS_TRIAGE => SSSD 1.12.3
priority: major => critical

Fields changed

patch: 0 => 1

master: 956dbef

resolution: => fixed
status: new => closed

Metadata Update from @mkosek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.12.3

2 years ago
