#3331 Wrong pam return code for user from subdomain with

Created a month ago by lslebodn
Modified a day ago

SSSD configuration:

    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = $AD_DOMAIN1

    [domain/$AD_DOMAIN1]
    ldap_purge_cache_timeout = 0
    krb5_auth_timeout = 12

    debug_level = 0xfff0
    id_provider = ad
    use_fully_qualified_names = True
    krb5_auth_timeout = 15
    access_provider=ad
    ad_access_filter=(cn=user1_dom1-${JOB_ID})

AD domains:

  • AD_DOMAIN1=sssdad.com
  • AD_DOMAIN2=sssdad_tree.com
  • AD_DOMAIN3=child1.sssdad.com

How to reproduce:

  1. join sssd to AD_DOMAIN1
  2. configure based on provided template
  3. authenticate with various users from all domains: user1_dom1-${JOB_ID}@$AD_DOMAIN1, user2_dom1-${JOB_ID}@$AD_DOMAIN1, user1_dom2-${JOB_ID}@$AD_DOMAIN2, user1_dom3-${JOB_ID}@$AD_DOMAIN3

Expected result:
Only the first user is allowed and the rest will get pam error code 6 (Permission denied):

    Mar 14 12:25:14 localhost su: pam_unix(su:session): session opened for user nobody by (uid=0)
    Mar 14 12:25:16 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom1-27496@sssdad.com
    Mar 14 12:25:16 localhost su: pam_unix(su:session): session opened for user user1_dom1-27496@sssdad.com by (uid=99)
    Mar 14 12:25:16 localhost su: pam_unix(su:session): session closed for user user1_dom1-27496@sssdad.com
    Mar 14 12:25:16 localhost su: pam_unix(su:session): session closed for user nobody
    Mar 14 12:25:16 localhost su: pam_unix(su:session): session opened for user nobody by (uid=0)
    Mar 14 12:25:17 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user2_dom1-27496@sssdad.com
    Mar 14 12:25:17 localhost su: pam_sss(su:account): Access denied for user user2_dom1-27496@sssdad.com: 6 (Permission denied)
    Mar 14 12:25:18 localhost su: pam_unix(su:session): session closed for user nobody
    Mar 14 12:25:18 localhost su: pam_unix(su:session): session opened for user nobody by (uid=0)
    Mar 14 12:25:21 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom2-27496@sssdad_tree.com
    Mar 14 12:25:21 localhost su: pam_sss(su:account): Access denied for user user1_dom2-27496@sssdad_tree.com: 6 (Permission denied)
    Mar 14 12:25:22 localhost su: pam_unix(su:session): session closed for user nobody
    Mar 14 12:25:22 localhost su: pam_unix(su:session): session opened for user nobody by (uid=0)
    Mar 14 12:25:25 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom3-27496@child1.sssdad.com
    Mar 14 12:25:25 localhost su: pam_sss(su:account): Access denied for user user1_dom3-27496@child1.sssdad.com: 6 (Permission denied)
    Mar 14 12:25:26 localhost su: pam_unix(su:session): session closed for user nobody

Actual result:
The user from AD_DOMAIN2 gets pam error code 10 (User not known to the underlying authentication module):

    Mar 14 12:12:38 localhost su: pam_unix(su:session): session opened for user nobody by (uid=0)
    Mar 14 12:12:40 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom1-27496@sssdad.com
    Mar 14 12:12:40 localhost su: pam_unix(su:session): session opened for user user1_dom1-27496@sssdad.com by (uid=99)
    Mar 14 12:12:40 localhost su: pam_unix(su:session): session closed for user user1_dom1-27496@sssdad.com
    Mar 14 12:12:40 localhost su: pam_unix(su:session): session closed for user nobody
    Mar 14 12:12:40 localhost su: pam_unix(su:session): session opened for user nobody by (uid=0)
    Mar 14 12:12:41 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user2_dom1-27496@sssdad.com
    Mar 14 12:12:41 localhost su: pam_sss(su:account): Access denied for user user2_dom1-27496@sssdad.com: 6 (Permission denied)
    Mar 14 12:12:42 localhost su: pam_unix(su:session): session closed for user nobody
    Mar 14 12:12:42 localhost su: pam_unix(su:session): session opened for user nobody by (uid=0)
    Mar 14 12:12:44 localhost su: pam_sss(su:auth): authentication failure; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom2-27496@sssdad_tree.com
    Mar 14 12:12:44 localhost su: pam_sss(su:auth): received for user user1_dom2-27496@sssdad_tree.com: 10 (User not known to the underlying authentication module)
    Mar 14 12:12:45 localhost su: pam_unix(su:session): session closed for user nobody
    Mar 14 12:12:45 localhost su: pam_unix(su:session): session opened for user nobody by (uid=0)
    Mar 14 12:12:48 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom3-27496@child1.sssdad.com
    Mar 14 12:12:48 localhost su: pam_sss(su:account): Access denied for user user1_dom3-27496@child1.sssdad.com: 6 (Permission denied)
    Mar 14 12:12:49 localhost su: pam_unix(su:session): session closed for user nobody

Attachments: sssd_sssdad.com.log.gz (2017-03-14 17:01:20)
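An added check, not part of the report or of SSSD, that parses pam_sss syslog lines like those above and flags every user whose final PAM code deviates from the ad_access_filter policy (only the filtered user passes, everyone else gets 6). The sample lines are constructed from the buggy run above; the allowed user name and the codes 0, 6 and 10 are the ones the report shows.

```python
import re

# Constructed sample: the pam_sss lines from the "Actual result" run above.
BUGGY_RUN = """\
Mar 14 12:12:40 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom1-27496@sssdad.com
Mar 14 12:12:41 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user2_dom1-27496@sssdad.com
Mar 14 12:12:41 localhost su: pam_sss(su:account): Access denied for user user2_dom1-27496@sssdad.com: 6 (Permission denied)
Mar 14 12:12:44 localhost su: pam_sss(su:auth): authentication failure; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom2-27496@sssdad_tree.com
Mar 14 12:12:44 localhost su: pam_sss(su:auth): received for user user1_dom2-27496@sssdad_tree.com: 10 (User not known to the underlying authentication module)
Mar 14 12:12:48 localhost su: pam_sss(su:auth): authentication success; logname= uid=99 euid=0 tty=pts/6 ruser=nobody rhost= user=user1_dom3-27496@child1.sssdad.com
Mar 14 12:12:48 localhost su: pam_sss(su:account): Access denied for user user1_dom3-27496@child1.sssdad.com: 6 (Permission denied)
"""

PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN = 0, 6, 10

# "authentication success|failure; ... user=<name>" from the auth stack
AUTH_RE = re.compile(r"pam_sss\(su:auth\): authentication (success|failure);.* user=(\S+)")
# "Access denied for user <name>: N" (account) or "received for user <name>: N" (auth)
CODE_RE = re.compile(r"pam_sss\(su:(?:auth|account)\): (?:Access denied for|received for) user (\S+?): (\d+)")


def pam_outcomes(log):
    """Map each user to the final PAM code pam_sss reported for them.
    A successful auth with no later denial line counts as PAM_SUCCESS (0);
    a failed auth keeps None until the 'received for user' line supplies the code."""
    outcomes = {}
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            outcomes.setdefault(m.group(2), PAM_SUCCESS if m.group(1) == "success" else None)
            continue
        m = CODE_RE.search(line)
        if m:
            outcomes[m.group(1)] = int(m.group(2))
    return outcomes


def expected_outcome(user, allowed_user):
    """Policy implied by ad_access_filter=(cn=<allowed>): one user passes, the rest get 6."""
    return PAM_SUCCESS if user == allowed_user else PAM_PERM_DENIED


def find_mismatches(log, allowed_user):
    """Return {user: (expected_code, actual_code)} for users whose result breaks the policy."""
    return {u: (expected_outcome(u, allowed_user), code)
            for u, code in pam_outcomes(log).items()
            if code != expected_outcome(u, allowed_user)}
```

Run against the buggy log this reports the AD_DOMAIN2 user as (6, 10); against the expected log it returns an empty dict.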

a month ago

Metadata Update from @lslebodn:
- Custom field version adjusted to 1.15.0

Git bisect finished and here are the commits:

master:

  • 25699846bd1c9f8bb513b6271eb4366ab682fbd2

sssd-1-14:

  • c1f3b29fee6577714347673d717f71ab997c3006

https://pagure.io/SSSD/sssd/issue/3206

a month ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1434992

Issue linked to Bugzilla: Bug 1434992

a month ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

a month ago

Metadata Update from @jhrozek:
- Issue priority set to: blocker

a day ago

Metadata Update from @fidencio:
- Issue assigned to fidencio
