Description of problem:
RHEL 5.8 x86_64 client can't authenticate users due to what seem like failed hbac lookups.

IPA server: RHEL 6.3 x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64

[root@ipa1 ~]# ipa hbacrule-show --all
Rule name: testgroup
  dn: ipauniqueid=22890f82-d046-11e1-b445-005056b005e3,cn=hbac,dc=testdomain,dc=com
  Rule name: testgroup
  Source host category: all
  Service category: all
  Description: Get there users can only access get there servers
  Enabled: TRUE
  Users: marcelo
  Hosts: sandbox5.testdomain.com, sandbox6.testdomain.com
  accessruletype: allow
  ipauniqueid: 22890f82-d046-11e1-b445-005056b005e3
  objectclass: ipaassociation, ipahbacrule

Client: RHEL 5.9 x86_64
sssd-client-1.5.1-49.el5_8.1
sssd-1.5.1-49.el5_8.1

How reproducible:
Always

Steps to Reproduce:
1. Create a hbac rule specifying user and hosts for allowing access, any service, from any host
2. Try to login to a 5.8 redhat client
3. Fail

Actual results:
Connection closed by 10.14.53.11

Expected results:
Being able to access the system.

Additional info:
Same configuration in IPA works on 6.x clients.
Created attachment 599235 [details] SSSD log, sshd login attempt transaction
Can you please raise the debug_level in the "[domain/testdomain.com]" section to 8, restart the SSSD and run your test again?

This log message:
----
(Thu Jul 19 15:13:37 2012) [sssd[be[testdomain.com]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Size limit exceeded(4), (null)
----
is indicating that one of the searches performed returned more entries than a single search page allows, but without more debug info it's hard to tell which one. The default page size is 1000 entries; can you try setting it to a higher number?

This debug message:
----
(Thu Jul 19 15:13:37 2012) [sssd[be[testdomain.com]]] [hbac_get_rule_info_step] (1): Could not locate IPA host
----
tells that there was an IPA host that lacks the FQDN attribute. That's quite strange, because the attribute is part of the RDN. Maybe the search results were not correct after SSSD hit the size limit. More verbose debug logs should shed more light.
Created attachment 599394 [details] sssd log, debug level 8
Increased page size to 10000 and set up debug level 8.

(In reply to comment #3)
> Created attachment 599394 [details]
> sssd log, debug level 8
How many hosts do you have stored on your IPA server?
I have around 9000+ hosts on it and will probably need to add around the same amount of users from corporate AD. The strange thing is that this works fine on RHEL 6.3 clients.
I'll set up a similarly big test environment on RHEL5 during today in order to reproduce the issue locally.
So it looks like what happened here is that he hit the upper limit on his LDAP server when trying to download the full list of hosts for srchost processing. What I think we need to do is backport the patches that disabled srchost processing in SSSD by default so that we can skip this massive lookup.

A non-exhaustive list of the patches involved:
* 6fb75e297bf7fc83e3db1f5ae8560624656ef319
* 74f857536411b46712f9b3dc0f1c53924b36dc02

There may be others, but these are definitely necessary.
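An sssd.conf fragment, added here as an illustration and not taken from the bug report, showing the "[domain/testdomain.com]" section with the two diagnostic settings discussed above next to the option that the backported patches expose (ipa_hbac_support_srchost, the one the sssd-ipa man page check in the verification transcript looks for). The provider lines are assumptions about a typical ipa-client setup, and ldap_page_size is assumed to be the sssd-ldap(5) option behind the 1000-entry default page size mentioned above.

```ini
# /etc/sssd/sssd.conf (illustrative fragment, not from the bug report)
[domain/testdomain.com]
# Assumed provider setup for an IPA-enrolled client.
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = testdomain.com

# Diagnostic settings used while chasing the failure: verbose backend
# logging, and a search page large enough to hold the ~9000 host entries
# (default page size is 1000). Raising the page size only masks the real
# cost of fetching every host for each login.
debug_level = 8
ldap_page_size = 10000

# Fix shipped in sssd-1.5.1-58.el5: source-host evaluation is switched off
# so SSSD no longer downloads the whole IPA host list to evaluate the
# "Source host" part of HBAC rules. Leave it off unless rules really
# depend on the connecting host; with it off, the bulky search that hit
# the LDAP size limit is skipped entirely.
ipa_hbac_support_srchost = False
```

With srchost evaluation disabled, HBAC rules are still enforced for user, target host and service; only the source-host condition is no longer evaluated, as the verification transcript below shows when vm3 (not listed as a source host) is still allowed in.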
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
IPA functional HBAC tests cover the fix in RHEL 6; porting them to run against a RHEL 5 client is complete.
Verified.

Version:: sssd-1.5.1-58.el5

Manual Verification::

vm1 = RHEL6.3 MASTER
vm2 = RHEL5.9 CLIENT
vm3 = RHEL5.9 CLIENT

[root@vm2 sssd]# yum update sssd
...
Updated:
  sssd.x86_64 0:1.5.1-58.el5

Dependency Updated:
  libipa_hbac.x86_64 0:1.5.1-58.el5
  sssd-client.x86_64 0:1.5.1-58.el5

Complete!

[root@vm2 ~]# man sssd-ipa|cat|col -bx | grep "ipa_hbac_support_srchost.*(boolean)"
       ipa_hbac_support_srchost (boolean)

[root@vm3 ~]# yum update sssd
...
Updated:
  sssd.x86_64 0:1.5.1-58.el5

Dependency Updated:
  libipa_hbac.x86_64 0:1.5.1-58.el5
  sssd-client.x86_64 0:1.5.1-58.el5

[root@vm1 ~]# ipa user-add user841677 --first=first --last=last
-----------------------
Added user "user841677"
-----------------------
  User login: user841677
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/user841677
  GECOS field: first last
  Login shell: /bin/sh
  Kerberos principal: user841677
  UID: 664600012
  GID: 664600012
  Password: False
  Kerberos keys available: False

[root@vm1 ~]# ipa passwd user841677
New Password:
Enter New Password again to verify:
----------------------------------------------
Changed password for "user841677"
----------------------------------------------

[root@vm1 ~]# kinit user841677
Password for user841677:
Password expired.  You must change it now.
Enter new password:
Enter it again:

[root@vm1 ~]# kinit admin
Password for admin:

[root@vm1 ~]# ipa hbacrule-add rule841677
----------------------------
Added HBAC rule "rule841677"
----------------------------
  Rule name: rule841677
  Enabled: TRUE

[root@vm1 ~]# ipa hbacrule-add-service rule841677 --hbacsvcs=sshd
  Rule name: rule841677
  Enabled: TRUE
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa hbacrule-add-user rule841677 --users=user841677
  Rule name: rule841677
  Enabled: TRUE
  Users: user841677
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa hbacrule-add-host rule841677 --hosts=vm2.testrelm.com
  Rule name: rule841677
  Enabled: TRUE
  Users: user841677
  Hosts: vm2.testrelm.com
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa hbacrule-add-sourcehost rule841677 --hosts=vm1.testrelm.com,vm2.testrelm.com
  Rule name: rule841677
  Enabled: TRUE
  Users: user841677
  Hosts: vm2.testrelm.com
  Source Hosts: vm1.testrelm.com, vm2.testrelm.com
  Services: sshd
-------------------------
Number of members added 2
-------------------------

[root@vm1 ~]# ssh user841677.com "hostname"
The authenticity of host 'vm2.testrelm.com (192.168.122.102)' can't be established.
RSA key fingerprint is 94:d8:41:6c:cf:a8:1e:63:bb:52:d5:db:86:0f:a3:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm2.testrelm.com,192.168.122.102' (RSA) to the list of known hosts.
user841677.com's password:
vm2.testrelm.com

[root@vm2 ~]# ssh user841677.com "hostname"
user841677.com's password:
vm2.testrelm.com

[root@vm3 ~]# ssh user841677.com "hostname"
user841677.com's password:
vm2.testrelm.com

# So, vm3 was not included as a srchost in rule841677, but the ssh was allowed from there. Thus, it looks like this passed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0047.html