Bug 1000005

Summary: [RFE] Cannot allow/deny users, groups from other trusted domains using "realm permit <user@domain>"
Product: Red Hat Enterprise Linux 7 Reporter: Kaushik Banerjee <kbanerje>
Component: realmd Assignee: Stef Walter <stefw>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1 CC: ebenes, jhrozek, pkis
Target Milestone: rc Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1163781 Environment:
Last Closed: 2015-04-14 10:15:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1163781    

Description Kaushik Banerjee 2013-08-22 13:52:17 UTC
Description of problem:
In case of trusted domains, realmd fails to validate all the trusted domains.

Version-Release number of selected component (if applicable):
realmd-0.14.5-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Join to an AD domain sssdad.com via realmd
2. Now try to permit a user from another trusted domain sssdad1.com

# realm permit abcd
See: journalctl REALMD_OPERATION=r2005410.20779
realm: Couldn't change permitted logins: Invalid login argument 'abcd' does not match the login format.


Actual results:
realmd fails to permit the user from the trusted domain

Expected results:
realmd should relax domain validation, and should permit users from other domains.

Additional info:

Comment 2 Jakub Hrozek 2013-08-22 15:52:18 UTC
The trusted domains are discovered on the fly, so currently I don't see a way of validating them. Maybe there could be a switch for realm permit that would override the check?

Comment 3 Stef Walter 2013-08-26 13:24:57 UTC
(In reply to Jakub Hrozek from comment #2)
> The trusted domains are discovered on the fly, so currently I don't see a
> way of validating them. Maybe there could be a switch for realm permit that
> would override the check?

Does sssd allow use of trusted domains in the simple allow/deny config lines? If so, in which version of sssd was this added? I remember us discussing it, but must have missed the resolution.

In my opinion, at this point we should bump this to RHEL 7.1 (or later). This is (or was until recently) a fundamental limitation of sssd.

Comment 4 Jakub Hrozek 2013-08-26 13:42:01 UTC
Not at the moment, the simple provider didn't even support FQDNs at all until recently.

We'll be adding subdomain support in time for 7.0. But I agree this realmd RFE is not critical for 7.0.

Comment 5 RHEL Program Management 2015-04-14 10:15:56 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.