#4078 Trusted domain user logins succeed after using ipa trustdomain-disable
Closed: Fixed 4 years ago by pbrezina. Opened 4 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla: Bug 1530741

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
I am unsure if this is an IPA, SSSD, or documentation bug, but in an IPA - AD
Trust environment disabling a trusted AD domain with 'ipa trustdomain-disable'
does not prevent trusted AD users from logging in with SSSD.

If this is expected behavior, please clarify the use of 'ipa
trustdomain-disable' for Red Hat customers. From the ipa help, it is not
exactly clear what this means - 'Disable use of IPA resources by the domain of
the trust'

Also, ideally SSSD would ignore these disabled domains to improve non-cached
lookup speed/performance of AD objects in environments with many domains.

The current behavior end-result is that customers are disabling domains they do
not need to resolve AD objects from, but it is not making any noticeable
changes unless the trusted domains are removed completely with 'ipa
trustdomain-del'.

Version-Release number of selected component (if applicable):
IPA Server 4.5
SSSD 1.15

How reproducible:
Always

Steps to Reproduce:
1. Disable trusted AD domain with ipa trustdomain-disable
2. Restart SSSD and clear SSSD cache
3. Attempt to login with trusted AD domain user

Actual results:
Login succeeds

Expected results:
Would expect login to fail

Additional info:
This impacts customers establishing IPA - AD trusts with AD forest root
containing a large number of domains
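
The reproduction steps above, written out as a script so the result can be checked rather than eyeballed. This is an added example and not code from the ticket, SSSD or FreeIPA; the trust name, subdomain and user are placeholders, and the parser assumes the `Domain enabled:` line that `ipa trustdomain-find` prints for each trusted domain.

```sh
#!/bin/sh
# Added example, not part of the ticket or of SSSD/FreeIPA: reproduce the
# report above and check whether the disabled domain is still resolvable.
# TRUST, SUBDOMAIN and TESTUSER are placeholders; replace them.
TRUST="ad.example.com"            # forest root the IPA trust was created with
SUBDOMAIN="child.ad.example.com"  # trusted domain you want SSSD to ignore
TESTUSER="jdoe@child.ad.example.com"

# Print the "Domain enabled" value (True/False) recorded for domain $1 in
# `ipa trustdomain-find` output read from stdin. Kept as its own function so
# it can be checked offline against a saved transcript.
domain_enabled_from_find() {
    awk -v dom="$1" '
        /^[ \t]*Domain name:/    { cur = $3 }
        /^[ \t]*Domain enabled:/ { if (cur == dom) print $3 }
    '
}

# Succeed only if no lookup path still resolves $1: nss via getent, and id,
# which also pulls the group list.
lookups_fail() {
    ! getent passwd "$1" >/dev/null 2>&1 && ! id "$1" >/dev/null 2>&1
}

# Steps 1-3 of the report, run as root with an admin Kerberos ticket.
reproduce() {
    ipa trustdomain-disable "$TRUST" "$SUBDOMAIN"
    enabled=$(ipa trustdomain-find "$TRUST" | domain_enabled_from_find "$SUBDOMAIN")
    echo "IPA reports 'Domain enabled: $enabled' for $SUBDOMAIN"
    sss_cache -E            # drop every cached entry so stale objects cannot mask the result
    systemctl restart sssd
    if lookups_fail "$TESTUSER"; then
        echo "OK: $TESTUSER no longer resolves; the disable is honoured"
    else
        echo "BUG: $TESTUSER still resolves after trustdomain-disable"
        sssctl user-checks "$TESTUSER"   # shows the InfoPipe lookup and the PAM access result
    fi
}

# Nothing runs unless explicitly requested, so the helpers can be sourced.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    reproduce
fi
```

Run it with `RUN_LIVE=1` on a host that has the `ipa` CLI and a ticket for an IPA administrator; `ipa trustdomain-disable` acts server-side, while `sss_cache -E` and the restart only affect the SSSD instance on the host you run them on, so repeat those two on the client whose logins you are testing. With the fix from this ticket the expected outcome is the `OK:` branch; the `BUG:` branch is the behaviour the report describes.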

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1530741

4 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

4 years ago

Metadata Update from @sbose:
- Custom field patch adjusted to on

4 years ago

Commit fa3e53b relates to this ticket

Commit b12e7a4 relates to this ticket

Commit 13297b8 relates to this ticket

Commit 3c871a3 relates to this ticket

Commit 2e16148 relates to this ticket

  • master
    • fa3e53b - ipa: delete content of disabled domains
    • b12e7a4 - sysdb: add sysdb_subdomain_content_delete()
    • 13297b8 - ipa: ignore objects from disabled domains on the client
    • 3c871a3 - ipa: support disabled domains
    • 2e16148 - utils: extend some find_domain_* calls to search disabled domain
  • sssd-1-16
    • 124957a - ipa: delete content of disabled domains
    • a9f03f0 - sysdb: add sysdb_subdomain_content_delete()
    • cc42fe7 - ipa: ignore objects from disabled domains on the client
    • 698e27d - ipa: support disabled domains
    • 2ea937a - utils: extend some find_domain_* calls to search disabled domain

Metadata Update from @pbrezina:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Commit 13297b8 relates to this ticket

This commit introduces a Coverity error (compiler warning):

Error: COMPILER_WARNING:
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c: scope_hint: In function 's2n_response_to_attrs'
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:665:20: warning: 'gc' may be used uninitialized in this function [-Wmaybe-uninitialized]
#     attrs->ngroups = gc;
#     ~~~~~~~~~~~~~~~^~~~
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:566:15: note: 'gc' was declared here
#     size_t c, gc;
#               ^~
#  663|           }
#  664|       }
#  665|->     attrs->ngroups = gc;
#  666|   
#  667|       tag = ber_peek_tag(ber, &ber_len);

Metadata Update from @atikhonov:
- Issue status updated to: Open (was: Closed)

4 years ago

@atikhonov, thanks, would you like to send a PR to fix this?

PR: https://github.com/SSSD/sssd/pull/890

Commit 39e16cc relates to this ticket

  • master
    • 39e16cc - providers/ipa/: add_v1_user_data() amended
  • sssd-1-16
    • e294f73 - providers/ipa/: add_v1_user_data() amended

Metadata Update from @pbrezina:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5044

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
