#2964 GPO: Access denied after blocking connection to AD.
Closed: Fixed None Opened 4 years ago by lslebodn.

Reproducer:

  • prepare user with GPO
  • authenticate in online mode
  • block connection with firewall to AD

    iptables -F

    iptables -A INPUT -s $AD_SERVER1_IP -j DROP
    iptables -A OUTPUT -d $AD_SERVER1_IP -j DROP

  • try to authenticate with the same user.

Pam system error(4) is returned for fist try:

Feb 25 04:55:17 gs-per720-01 su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/7 ruser=nobody rhost= user=allow_u-15330@sssdad2012.com
Feb 25 04:55:23 gs-per720-01 su: pam_sss(su:account): Access denied for user allow_u-15330@sssdad2012.com: 4 (System error)

The second attempt works as expected.


It works as expected If I force sssd_be to go into offline mode after blocking connection pkill -USR1 sssd

Fields changed

rhbz: => todo

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 backlog

Fields changed

milestone: SSSD 1.14 backlog => SSSD 1.13.4
owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned

master:

sssd-1-13:

resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.13.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4005

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata