Bug 1048102

Summary:	Access denied for users from gc domain when using format DOMAIN\user
Product:	Red Hat Enterprise Linux 7	Reporter:	Kaushik Banerjee <kbanerje>
Component:	sssd	Assignee:	Jakub Hrozek <jhrozek>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Kaushik Banerjee <kbanerje>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.0	CC:	dpal, grajaiya, jgalipea, lslebodn, mkosek, pbrezina
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	sssd-1.11.2-27.el7	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-06-13 11:24:38 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Kaushik Banerjee 2014-01-03 07:49:58 UTC

Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.11.2-18.el7

How reproducible:
Always

Steps to Reproduce:
1. Domain section of sssd.conf has:
[domain/sssdad.com]
debug_level = 0xFFF0
id_provider = ad
use_fully_qualified_names = True
access_provider = simple
full_name_format = %3$s\%1$s
simple_allow_users = SSSDAD_TREE\user1_dom2,SSSDAD\user1_dom1

2. Try to login as user1_dom1
# ssh -l SSSDAD\\user1_dom1 localhost
SSSDAD\user1_dom1@localhost's password: 
Connection closed by ::1

Domain log shows:
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_send] (0x0200): Simple access check for user1_dom1
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_send] (0x1000): No group restrictions, end request
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted

3. Try to login as user1_dom2
# ssh -l SSSDAD_TREE\\user1_dom2 localhost
SSSDAD_TREE\user1_dom2@localhost's password: 
Last login: Fri Jan  3 12:27:57 2014 from localhost
-sh-4.2$ 

Domain log shows:
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_send] (0x0200): Simple access check for SSSDAD_TREE\user1_dom2
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_check_users] (0x1000): User [SSSDAD_TREE\user1_dom2] found in allow list, access granted.
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_send] (0x1000): No group restrictions, end request
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access granted

Actual results:
Login as user1_dom1 fails

Expected results:
Login as user1_dom1 works

Additional info:

Comment 2 Jakub Hrozek 2014-01-06 12:18:01 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/2189

Comment 3 Jakub Hrozek 2014-01-15 21:57:24 UTC

Fixed upstream.

* master:
  * eb2ec2c35742caf164b49b660b5045d08cac7623
  * a620742bffad5ef92597b6a25401f6d5c217afa9 
* sssd-1-11:
  * bd95940479e731634a349b444620c12188dd23ad
  * e493c90374393745acfdecbdc5164589f6e46594

Comment 5 Kaushik Banerjee 2014-01-20 10:10:27 UTC

Verified with version 1.11.2-27.el7

Output from beaker job run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_simple_003: bz 1048102 simple_allow_users=DOMAIN1\user1,DOMAIN2\user2,CHILD1.DOMAIN1\user3
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Running 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 10s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_simple_003: bz 1048102 simple_allow_users=DOMAIN1\user1,DOMAIN2\user2,CHILD1.DOMAIN1\user3

Comment 6 Ludek Smid 2014-06-13 11:24:38 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.