#3979 The HBAC code requires dereference to be enabled and fails otherwise
Closed: Fixed 5 years ago by jhrozek. Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1684979

Description of problem:

In some situations we recommend the "ldap_deref_threshold=0" setting for sssd as a
performance enhancement.

This setting, when applied, breaks ssh access to IdM clients, as it seems sssd's
HBAC code doesn't work when dereference is disabled.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. enroll a machine into an IdM domain
2. set "ldap_deref_threshold=0" in sssd.conf and restart sssd
3. try to ssh to this machine


Actual results:

SSH access fails and errors similar to the below are captured in the sssd debug
logs:
~~~
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55a082395c50], connected[1], ops[0x55a0823cfab0], ldap[0x55a08238ae60]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_op_destructor] (0x2000): Operation 28 finished
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [ipa_pam_access_handler_done] (0x0020): Unable to fetch  rules [5]: Input/output error
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #7]: Request handler finished [0]: Success
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #7]: Receiving request data.
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #7]: Request removed.
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #7]: Sending result [4][example.com]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55a082395c50], connected[1], ops[(nil)], ldap[0x55a08238ae60]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
~~~

Expected results:

SSH access works fine (honoring HBAC rules) while the dereference threshold is set to
zero.

Additional info:
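
The reproduction steps and the log excerpt above are enough to confirm the problem by hand. As an added example (not SSSD project code and not part of the ticket), the Python below automates the two checks a practitioner would want on a fleet of IdM clients: parsing an sssd.conf for domains that evaluate HBAC (access_provider = ipa) while ldap_deref_threshold = 0 disables the dereference control, and scanning sssd backend debug log lines for the failure signature shown above (ipa_host_info_done reporting "Server does not support deref", ipa_pam_access_handler_done failing to fetch rules, and dp_pam_reply answering the PAM account request with a non-zero status). The sssd.conf and log lines embedded in it are constructed for the example. It assumes, per sssd-ldap(5) and sssd.conf(5), that ldap_deref_threshold defaults to 10 and that an unset access_provider means "permit", and that PAM status 4 is PAM_SYSTEM_ERR.

```python
"""Detect the ldap_deref_threshold=0 vs. IPA HBAC conflict from this ticket.

Added example, not SSSD project code.  Two checks:
  1. find_deref_conflicts()     - sssd.conf sections that evaluate HBAC with
                                  the dereference control disabled
  2. find_hbac_deref_failures() - backend debug log lines carrying the
                                  failure signature from the ticket
"""
import configparser
import re
from typing import Dict, List

PAM_SYSTEM_ERR = 4  # assumption: the "Sending result [4]" in the log is PAM_SYSTEM_ERR

# Constructed sssd.conf: an ipa-client-install style domain with the
# "performance" tweak from the ticket applied.
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
access_provider = ipa
ipa_domain = example.com
ipa_hostname = client.example.com
ipa_server = _srv_, ipa.example.com
ldap_deref_threshold = 0
"""

# Constructed log excerpt: the decisive lines from the ticket, unwrapped onto
# single lines, plus a healthy request (#8) that must not be flagged.
SAMPLE_LOG = """\
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [ipa_pam_access_handler_done] (0x0020): Unable to fetch  rules [5]: Input/output error
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #7]: Sending result [4][example.com]
(Sun Feb 24 14:28:10 2019) [sssd[be[example.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #8]: Sending result [0][example.com]
"""

# "(timestamp) [sssd[be[domain]]] [function] (0xlevel): message"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"DP Request \[(?P<req>[^\]]+)\]: Sending result \[(?P<status>\d+)\]")


def find_deref_conflicts(conf_text: str) -> List[Dict[str, str]]:
    """Return one finding per [domain/...] section where HBAC is evaluated
    (access_provider = ipa) but the deref control is disabled (threshold 0)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings: List[Dict[str, str]] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        # Assumption: ldap_deref_threshold defaults to 10; 0 turns deref off.
        threshold = sec.get("ldap_deref_threshold", "10").strip()
        # Assumption: an unset access_provider means "permit", so HBAC is only
        # in play when the ipa access provider is configured explicitly.
        access_provider = sec.get("access_provider", "permit").strip()
        if access_provider == "ipa" and threshold == "0":
            findings.append({
                "domain": section[len("domain/"):],
                "setting": f"ldap_deref_threshold = {threshold}",
                "effect": "IPA HBAC rule fetch fails; PAM account requests end in a system error",
            })
    return findings


def find_hbac_deref_failures(lines: List[str]) -> List[dict]:
    """Correlate, per domain, the three log events from the ticket and report
    each PAM request that was answered after the HBAC fetch failed for lack
    of deref support.  Flags reset on every dp_pam_reply so one failure is
    reported once and later healthy requests are not blamed."""
    state: Dict[str, Dict[str, bool]] = {}
    findings: List[dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # wrapped or foreign line; ignore
        dom, func, msg = m["domain"], m["func"], m["msg"]
        st = state.setdefault(dom, {"no_deref": False, "fetch_failed": False})
        if func == "ipa_host_info_done" and "does not support deref" in msg:
            st["no_deref"] = True
        elif func == "ipa_pam_access_handler_done" and re.search(r"Unable to fetch\s+rules", msg):
            st["fetch_failed"] = True
        elif func == "dp_pam_reply":
            r = RESULT_RE.search(msg)
            if r and st["no_deref"] and st["fetch_failed"]:
                findings.append({
                    "domain": dom,
                    "timestamp": m["ts"],
                    "request": r["req"],
                    "pam_status": int(r["status"]),
                    "system_error": int(r["status"]) == PAM_SYSTEM_ERR,
                })
            st["no_deref"] = st["fetch_failed"] = False
    return findings


if __name__ == "__main__":
    for f in find_deref_conflicts(SSSD_CONF):
        print(f"CONFIG  domain={f['domain']}: {f['setting']} -> {f['effect']}")
    for f in find_hbac_deref_failures(SAMPLE_LOG.splitlines()):
        print(f"LOG     {f['timestamp']} domain={f['domain']} {f['request']} "
              f"-> pam_status={f['pam_status']} (HBAC fetch failed, deref unsupported)")
```

Run it against a real /etc/sssd/sssd.conf and /var/log/sssd/sssd_<domain>.log (debug_level at least 0x0020 in the [domain/...] section, since the two decisive messages are logged at that level) by feeding the file contents to the two functions; the log correlation keys on the function names and message text present in the ticket, so a later SSSD that words those messages differently would need the patterns adjusted.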

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1684979

5 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

5 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR, bug

5 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2

5 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4951

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
