Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1192314
Description of problem:
Default security context for users on client becomes staff_u:staff_r:staff_t:s0-s0:c0.c1023 when ipaselinuxusermapdefault is not set

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-18.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Setup trust
2. Remove default selinux user
3. check security context of user

Actual results:

On IPA Master

    [root@bumblebee ~]# ipa config-mod --ipaselinuxusermapdefault=
    [root@bumblebee ~]# ipa config-show
      Maximum username length: 32
      Home directory base: /home
      Default shell: /bin/sh
      Default users group: ipausers
      Default e-mail domain: slnx2k8r2.test
      Search time limit: 2
      Search size limit: 100
      User search fields: uid,givenname,sn,telephonenumber,ou,title
      Group search fields: cn,description
      Enable migration mode: FALSE
      Certificate Subject base: O=SLNX2K8R2.TEST
      Password Expiration Notification (days): 4
      Password plugin features: AllowNThash
      SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
      Default PAC types: nfs:NONE, MS-PAC
    [root@bumblebee ~]# kdestroy -A
    [root@bumblebee ~]# echo Secret123| kinit au102130134@IPAAD2008R2.TEST
    Password for au102130134@IPAAD2008R2.TEST:
    [root@bumblebee ~]# ssh -l au102130134@ipaad2008r2.test `hostname` id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On Client

    [root@vm-idm-033 ~]# service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start
    Redirecting to /bin/systemctl stop sssd.service
    Redirecting to /bin/systemctl start sssd.service
    [root@vm-idm-033 ~]# kdestroy -A
    [root@vm-idm-033 ~]# echo Secret123| kinit au102130134@IPAAD2008R2.TEST
    Password for au102130134@IPAAD2008R2.TEST:
    [root@vm-idm-033 ~]# ssh -l au102130134@ipaad2008r2.test `hostname` id -Z
    staff_u:staff_r:staff_t:s0-s0:c0.c1023

Expected results:

    [root@vm-idm-033 ~]# ssh -l au102130134@ipaad2008r2.test `hostname` id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
owner: somebody => jhrozek
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1192314 1192314] => [https://bugzilla.redhat.com/show_bug.cgi?id=1192314 1192314], [https://bugzilla.redhat.com/show_bug.cgi?id=1194302 1194302]
milestone: NEEDS_TRIAGE => SSSD 1.12.5
priority: major => critical
patch: 0 => 1
resolution: => fixed
status: assigned => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.12.5
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3628
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.