#3382 SSSD should use memberOf, not originalMemberOf to evaluate group membership for HBAC rules
Closed: Fixed a year ago by jhrozek. Opened a year ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1428906

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
In an IPA-AD trust environment, sssd is intermittently failing to map an AD user
group to an IPA POSIX group, hence access is denied due to HBAC rules. The
issue gets resolved automatically after a certain time, without restarting the
sssd service. i.e.:

The IPA HBAC code used to read the group members from the
originalMemberOf attribute value for performance reasons. However,
especially on IPA clients trusting an AD domain, the originalMemberOf
attribute value is often not synchronized correctly.

Instead of going through the work of maintaining both member/memberOf
and originalMemberOf, let's just do an ASQ search for the group names of
the groups the user is a member of in the cache and read their
SYSDB_NAME attribute.
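
The failure mode and the fix, as an added illustration that is not SSSD's code: a constructed, sysdb-shaped cache in which the user's originalMemberOf value was never refreshed for the IPA POSIX group. Resolving groups from originalMemberOf misses that group and a (simplified) HBAC rule denies access; following the memberOf links in the cache, which is what an ASQ search over memberOf does, and reading each target's name finds it. All DNs, names and the rule are made up; the HBAC check is reduced to a group-intersection test.

```python
# Added illustration (not SSSD code): stale originalMemberOf vs. following memberOf
# links in the cache and reading each group's name (the SYSDB_NAME attribute).
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sysdb-like cache: DN -> attribute lists. The DN layout mirrors
# SSSD's sysdb (name=...,cn=users|groups,cn=<domain>,cn=sysdb) but the data is invented.
USER_DN = "name=tuser@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb"
AD_GROUP_DN = "name=domain admins@ad.example.com,cn=groups,cn=ad.example.com,cn=sysdb"
IPA_GROUP_DN = "name=ad_admins_posix,cn=groups,cn=ipa.example.com,cn=sysdb"

CACHE: Dict[str, Entry] = {
    USER_DN: {
        "name": ["tuser@ad.example.com"],
        # memberOf is kept in sync by sysdb whenever member links are written.
        "memberOf": [AD_GROUP_DN, IPA_GROUP_DN],
        # originalMemberOf was copied from the AD object at lookup time and never
        # refreshed once the user was added to the IPA POSIX group: this staleness is the bug.
        "originalMemberOf": ["CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=com"],
    },
    AD_GROUP_DN: {
        "name": ["domain admins@ad.example.com"],
        "originalDN": ["CN=Domain Admins,CN=Users,DC=ad,DC=example,DC=com"],
    },
    IPA_GROUP_DN: {
        "name": ["ad_admins_posix"],
        "originalDN": ["cn=ad_admins_posix,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com"],
    },
}


def groups_via_original_memberof(cache: Dict[str, Entry], user_dn: str) -> Set[str]:
    """Old approach (simplified): map each originalMemberOf value to the cached
    group whose originalDN matches it and collect those groups' names."""
    wanted = set(cache[user_dn].get("originalMemberOf", []))
    names: Set[str] = set()
    for entry in cache.values():
        if set(entry.get("originalDN", [])) & wanted:
            names.update(entry["name"])
    return names


def groups_via_memberof(cache: Dict[str, Entry], user_dn: str) -> Set[str]:
    """Fixed approach: follow each memberOf DN directly (what an ASQ search over
    memberOf does) and read the target entry's name attribute."""
    names: Set[str] = set()
    for group_dn in cache[user_dn].get("memberOf", []):
        group = cache.get(group_dn)
        if group is None:
            # Dangling link in the cache: skip it rather than fail the whole lookup.
            continue
        names.update(group["name"])
    return names


def hbac_allows(user_groups: Set[str], rule_groups: Set[str]) -> bool:
    """Simplified HBAC evaluation: the rule matches if the user is in any group it names.
    Real rules also match on hosts and services; those parts are omitted here."""
    return bool(user_groups & rule_groups)


# Constructed rule granting access to members of the IPA POSIX group only.
RULE_GROUPS = {"ad_admins_posix"}


def evaluate(cache: Dict[str, Entry], user_dn: str, rule_groups: Set[str]) -> Dict[str, bool]:
    """Return the access decision under both lookup strategies for comparison."""
    return {
        "originalMemberOf": hbac_allows(groups_via_original_memberof(cache, user_dn), rule_groups),
        "memberOf": hbac_allows(groups_via_memberof(cache, user_dn), rule_groups),
    }


if __name__ == "__main__":
    for strategy, allowed in evaluate(CACHE, USER_DN, RULE_GROUPS).items():
        print(f"{strategy:16s} -> {'ALLOW' if allowed else 'DENY'}")
```

On a real client the equivalent diagnostic is to inspect the user's memberOf and originalMemberOf values in the domain cache and compare them with the groups the HBAC rule names; the intermittent recovery described above corresponds to the moment the stale attribute happens to be refreshed.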

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1428906

a year ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

a year ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

a year ago

Metadata Update from @jhrozek:
- Assignee reset
- Issue priority set to: critical

a year ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

a year ago

Metadata Update from @jhrozek:
- Custom field patch adjusted to on

a year ago

I am not sure whether the same bug is also in 1.13 but the patch does not apply due to internal fq_name refactoring.

Yes, there is the same bug and I have a version of the patch that also applies on sssd-1-13 branch, but that version was mostly for testing by people who are stuck on RHEL-6 and doesn't reflect the changes requested during patch review.

So there is still some work needed, I will try to resubmit the patch soon for sssd-1-13, although at this point I would prefer to spend my time stabilizing the 7.4 RHEL release.

OK, then maybe it would be better to move the ticket into the 1.13 milestone rather than close it. Or to file a new one for 1.13.

There is already backport waiting for review at https://github.com/SSSD/sssd/pull/309

So I'm closing this ticket.

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago
