#2927 In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.
Closed: Fixed None Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1296902

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
In an IPA-AD trust environment, after disabling the AD user, access is denied as expected
when the AD user logs in through SSH using a password. However, access is still
granted when the AD user logs in using SSH public keys.


Version-Release number of selected component (if applicable):
-


How reproducible:
Always.

Steps to Reproduce:
1] Configure trust between the IPA and AD domains.
2] Generate ssh keys using ssh-keygen for the AD user on the client system and copy them
over.
3] Disable the AD user in Active Directory.
4] The AD user can log in to the system using the ssh key, and the following logs are
reported on the system at that time. For example:

-----
-sh-4.1$ hostname
rhel6u7-2.gsslab.pnq2.redhat.com
-sh-4.1$ hostname
rhel6u7-2.gsslab.pnq2.redhat.com
-sh-4.1$ id
uid=1435801109(chinmay@gsslab.rdu2.redhat.com)
gid=1435801109(chinmay@gsslab.rdu2.redhat.com)
groups=1435801109(chinmay@gsslab.rdu2.redhat.com),1435800513(domain
users@gsslab.rdu2.redhat.com)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ ssh chinmay@gsslab.rdu2.redhat.com@rhel6u6-1.gsslab.pnq2.redhat.com
Last login: Thu Jan  7 12:40:25 2016 from rhel6u7-2.gsslab.pnq2.redhat.com
-sh-4.1$ hostname
rhel6u6-1.gsslab.pnq2.redhat.com
-sh-4.1$ pwd
/home/gsslab.rdu2.redhat.com/chinmay

Secure logs:

Jan  7 13:41:58 rhel6u6-1 sshd[2826]: Accepted publickey for
chinmay@gsslab.rdu2.redhat.com from 10.74.133.184 port 56718 ssh2
Jan  7 13:41:58 rhel6u6-1 sshd[2826]: pam_unix(sshd:session): session opened
for user chinmay@gsslab.rdu2.redhat.com by (uid=0)
-----

5] Access is denied as expected when using a password.

-----
-sh-4.1$ hostname
rhel6u6-1.gsslab.pnq2.redhat.com
-sh-4.1$ pwd
/home/gsslab.rdu2.redhat.com/chinmay
-sh-4.1$ exit
logout
Connection to rhel6u6-1.gsslab.pnq2.redhat.com closed.
-sh-4.1$ hostname
rhel6u7-2.gsslab.pnq2.redhat.com
-sh-4.1$ id
uid=1435801109(chinmay@gsslab.rdu2.redhat.com)
gid=1435801109(chinmay@gsslab.rdu2.redhat.com)
groups=1435801109(chinmay@gsslab.rdu2.redhat.com),1435800513(domain
users@gsslab.rdu2.redhat.com)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ ssh chinmay@gsslab.rdu2.redhat.com@rhel6u6-1.gsslab.pnq2.redhat.com -o
PubkeyAuthentication=no
chinmay@gsslab.rdu2.redhat.com@rhel6u6-1.gsslab.pnq2.redhat.com's password:
Permission denied, please try again.


Secure logs:

Jan  7 13:45:50 rhel6u6-1 sshd[2857]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=rhel6u7-2.gsslab.pnq2.redhat.com  user=chinmay@gsslab.rdu2.redhat.com
Jan  7 13:45:50 rhel6u6-1 sshd[2857]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=rhel6u7-2.gsslab.pnq2.redhat.com user=chinmay@gsslab.rdu2.redhat.com
Jan  7 13:45:50 rhel6u6-1 sshd[2857]: pam_sss(sshd:auth): received for user
chinmay@gsslab.rdu2.redhat.com: 13 (User account has expired)
Jan  7 13:45:52 rhel6u6-1 sshd[2857]: Failed password for
chinmay@gsslab.rdu2.redhat.com from 10.74.133.184 port 56719 ssh2
-----

Actual results:
The AD user is able to log in to client systems using SSH public keys even if
the user is disabled in AD.

Expected results:
Access should be denied for the AD user as it is disabled.

Additional info:
I also configured two systems as AD clients using sssd, and the AD user is denied
as expected when the user is disabled in AD and logs in to the client system
using an ssh public key as well as a password. It seems the ipa-client-install script
modifies the sshd configuration files and enables ssh public key authentication
on IPA client systems.
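An added detection example, not part of the ticket or of SSSD's own code: it correlates the two kinds of secure-log lines shown in the report, flagging any "Accepted publickey" event for a user that pam_sss has elsewhere rejected with PAM code 13 (User account has expired), which is exactly the pattern this bug leaves behind. Host names, user names and addresses in the sample log are constructed; only the line format follows the report.

```python
"""Flag SSH public-key logins for accounts that pam_sss reported as
expired/disabled (PAM code 13, PAM_ACCT_EXPIRED) anywhere in the same log."""
import re

# sshd's own acceptance line: "Accepted <method> for <user> from <ip> port N ssh2"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
# pam_sss verdict line: "received for user <user>: <code> (<message>)"
PAM_SSS_RE = re.compile(
    r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)")
PAM_ACCT_EXPIRED = 13  # the value sshd logged for the disabled AD user


def denied_users(log_text):
    """Users that pam_sss rejected with PAM_ACCT_EXPIRED (disabled/expired on AD)."""
    users = set()
    for m in PAM_SSS_RE.finditer(log_text):
        if int(m.group("code")) == PAM_ACCT_EXPIRED:
            users.add(m.group("user"))
    return users


def flag_pubkey_bypass(log_text):
    """Return (user, ip) for every 'Accepted publickey' event of a user that
    pam_sss denied as expired somewhere in the log. Order is irrelevant: in the
    report the key-based login came before the password denial."""
    suspects = denied_users(log_text)
    return [(m.group("user"), m.group("ip"))
            for m in ACCEPTED_RE.finditer(log_text)
            if m.group("method") == "publickey" and m.group("user") in suspects]


# Constructed sample log in the format of the report's /var/log/secure excerpts.
SAMPLE_LOG = """\
Jan  7 13:41:58 host1 sshd[2826]: Accepted publickey for disabled.user@ad.example.test from 10.0.0.5 port 56718 ssh2
Jan  7 13:41:58 host1 sshd[2826]: pam_unix(sshd:session): session opened for user disabled.user@ad.example.test by (uid=0)
Jan  7 13:45:50 host1 sshd[2857]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host2 user=disabled.user@ad.example.test
Jan  7 13:45:50 host1 sshd[2857]: pam_sss(sshd:auth): received for user disabled.user@ad.example.test: 13 (User account has expired)
Jan  7 13:45:52 host1 sshd[2857]: Failed password for disabled.user@ad.example.test from 10.0.0.5 port 56719 ssh2
Jan  7 13:50:01 host1 sshd[2901]: Accepted publickey for active.user@ad.example.test from 10.0.0.9 port 50000 ssh2
Jan  7 13:52:10 host1 sshd[2910]: Accepted password for active.user@ad.example.test from 10.0.0.9 port 50002 ssh2
"""

if __name__ == "__main__":
    for user, ip in flag_pubkey_bypass(SAMPLE_LOG):
        print(f"ALERT: expired/disabled account {user} accepted via publickey from {ip}")
```

Run it over a real /var/log/secure (or journal export) on an IPA client to find accounts whose password logins are rejected as expired while key logins still succeed.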

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
review: True => 0
selected: =>
testsupdated: => 0
version: => 1.13.3

Since this bug hits a deployment, chances are we will backport the ticket to 1.13, too, but let's start with 1.14 until the fix is known.

milestone: NEEDS_TRIAGE => SSSD 1.14 alpha

We need to change the PAC processing to happen in the back end first. Then we should re-test this ticket and see if it's still valid and what steps need to be taken further.

milestone: SSSD 1.14 alpha => SSSD 1.14 backlog

Fields changed

milestone: SSSD 1.14 backlog => SSSD 1.14 alpha
owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

Fields changed

milestone: SSSD 1.14 alpha => SSSD 1.13.5

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13.5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3968

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.
