Bug 1070924
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Access is not rejected for disabled domain | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | rcritten, sgoveas, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.3.3-21.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 09:59:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Martin Kosek
2014-02-27 18:30:02 UTC
Testing a dev patch... looks good:

```
[root@rhel7-1 kdb]# cp ipadb.so ipadb.so.orig
[root@rhel7-1 kdb]# cp /root/ipadb.so .
cp: overwrite ‘./ipadb.so’? y
[root@rhel7-1 kdb]# ipactl restart
Restarting Directory Service
debugging enabled, suppressing output.
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@rhel7-1 kdb]# ipa trustdomain-find ad2.example.test
  Domain name: ad2.example.test
  Domain NetBIOS name: AD2
  Domain Security Identifier: S-1-5-21-1515602834-2930230041-3336973146
  Domain enabled: True

  Domain name: cdom2.ad2.example.test
  Domain NetBIOS name: CDOM2
  Domain Security Identifier: S-1-5-21-2684615734-2948224993-1064351119
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
[root@rhel7-1 kdb]# kdestroy -A
[root@rhel7-1 kdb]# kinit Administrator.EXAMPLE.TEST
Password for Administrator.EXAMPLE.TEST:
[root@rhel7-1 kdb]# kvno host/$(hostname)
host/rhel7-1.ipa1.example.test.TEST: kvno = 2
[root@rhel7-1 kdb]# ssh -o StrictHostKeyChecking=no -l Administrator.example.test $(hostname)
Could not chdir to home directory /home/cdom2.ad2.example.test/Administrator: No such file or directory
-sh-4.2$ exit
logout
Connection to rhel7-1.ipa1.example.test closed.
[root@rhel7-1 kdb]# ssh -o StrictHostKeyChecking=no -l Administrator.example.test $(hostname) echo 'login succeeded'
login succeeded
[root@rhel7-1 kdb]# ipa trustdomain-disable ad2.example.test cdom2.ad2.example.test
ipa: ERROR: cannot connect to 'any of the configured servers': https://rhel7-1.ipa1.example.test/ipa/xml, https://rhel7-2.ipa1.example.test/ipa/xml
[root@rhel7-1 kdb]# kdestroy -A
[root@rhel7-1 kdb]# kinit admin
Password for admin.TEST:
[root@rhel7-1 kdb]# ipa trustdomain-disable ad2.example.test cdom2.ad2.example.test
----------------------------------------------
Disabled trust domain "cdom2.ad2.example.test"
----------------------------------------------
[root@rhel7-1 kdb]# kdestroy -A
[root@rhel7-1 kdb]# kinit Administrator.EXAMPLE.TEST
Password for Administrator.EXAMPLE.TEST:
[root@rhel7-1 kdb]# kvno host/$(hostname)
kvno: KDC returned error string: HANDLE_AUTHDATA while getting credentials for host/rhel7-1.ipa1.example.test.TEST
[root@rhel7-1 kdb]# ssh -o StrictHostKeyChecking=no -l Administrator.example.test $(hostname) echo 'login succeeded'
Administrator.exampl.example.test's password:
Permission denied, please try again.
Administrator.exampl.example.test's password:
Permission denied, please try again.
Administrator.exampl.example.test's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```

So, it's blocking user access when the domain is disabled.

Fixed upstream

master: https://fedorahosted.org/freeipa/changeset/6b45ec3f31773ee7a229d5bb56675badc2d8fd55

ipa-3-3: https://fedorahosted.org/freeipa/changeset/be033fd57d818d6e90d7a4a73650bfc18d0d2c2b

Coverity found an issue in this patch.
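The session above captures the behaviour the fix is meant to enforce: once a trust domain is disabled, a principal from that domain is refused a service ticket (the KDC answers HANDLE_AUTHDATA) and the ssh login, falling back to password auth, is denied. The Python below is an added illustration, not code from FreeIPA or from this bug: it parses the `ipa trustdomain-find` record format shown in the session, cross-checks the "Number of entries returned" footer against the records it found, and derives the expected admit/deny decision for a user SID from the enabled flag of the domain that owns it. The `TrustDomain` record, the `expected_access` function and its default-deny rule for unknown domains are assumptions made here; the sample output is constructed from the values in the session, with cdom2 flipped to disabled to show the post-`trustdomain-disable` state.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the `ipa trustdomain-find` output format shown in the
# session; cdom2 is shown as disabled, i.e. the state after
# `ipa trustdomain-disable ad2.example.test cdom2.ad2.example.test`.
SAMPLE_OUTPUT = """\
  Domain name: ad2.example.test
  Domain NetBIOS name: AD2
  Domain Security Identifier: S-1-5-21-1515602834-2930230041-3336973146
  Domain enabled: True

  Domain name: cdom2.ad2.example.test
  Domain NetBIOS name: CDOM2
  Domain Security Identifier: S-1-5-21-2684615734-2948224993-1064351119
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------
"""

FIELD_RE = re.compile(r"^\s*Domain (name|NetBIOS name|Security Identifier|enabled): (.+?)\s*$")
COUNT_RE = re.compile(r"^Number of entries returned (\d+)$")
# AD domain SIDs have the form S-1-5-21-<three sub-authorities>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")
REQUIRED = {"name", "NetBIOS name", "Security Identifier", "enabled"}


@dataclass(frozen=True)
class TrustDomain:  # assumed record type, not a FreeIPA class
    name: str
    netbios: str
    sid: str
    enabled: bool


def _build(fields: dict[str, str]) -> TrustDomain:
    """Turn one parsed record into a TrustDomain, rejecting incomplete or odd data."""
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"incomplete record, missing {sorted(missing)}")
    sid = fields["Security Identifier"]
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"unexpected domain SID format: {sid}")
    return TrustDomain(
        name=fields["name"],
        netbios=fields["NetBIOS name"],
        sid=sid,
        enabled=fields["enabled"] == "True",
    )


def parse_trustdomain_find(text: str) -> list[TrustDomain]:
    """Parse `ipa trustdomain-find` output into TrustDomain records.

    A record is a run of `Domain ...:` lines; any other line (a blank line or
    the summary footer) ends it. The footer count is cross-checked against the
    number of records actually parsed so a truncated capture is not trusted.
    """
    domains: list[TrustDomain] = []
    fields: dict[str, str] = {}
    footer_count = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        if fields:
            domains.append(_build(fields))
            fields = {}
        c = COUNT_RE.match(line.strip())
        if c:
            footer_count = int(c.group(1))
    if fields:
        domains.append(_build(fields))
    if footer_count is not None and footer_count != len(domains):
        raise ValueError(f"footer says {footer_count} entries, parsed {len(domains)}")
    return domains


def expected_access(domains: list[TrustDomain], user_sid: str) -> tuple[bool, str]:
    """Model of the intended policy (an assumption, not FreeIPA's KDB code):
    a principal is admitted only if the trust domain owning its SID (the user
    SID without the trailing RID) is enabled; unknown domains are denied."""
    domain_sid, _, _rid = user_sid.rpartition("-")
    for d in domains:
        if d.sid == domain_sid:
            return (True, f"{d.name} enabled") if d.enabled else (False, f"{d.name} disabled")
    return False, "unknown domain SID"


if __name__ == "__main__":
    found = parse_trustdomain_find(SAMPLE_OUTPUT)
    for sid in ("S-1-5-21-1515602834-2930230041-3336973146-500",
                "S-1-5-21-2684615734-2948224993-1064351119-500"):
        print(sid, "->", expected_access(found, sid))
```

Run against a live capture (`ipa trustdomain-find <trust> > out.txt`), the parser gives a quick consistency check for a verification run like the one in this bug: every domain listed as `Domain enabled: False` should correspond to a denied login, and the footer count catches a capture that was cut off mid-output.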
Upstream patch was filed: https://fedorahosted.org/freeipa/ticket/4223

Fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/4048d412f2297df6bb483c86cdb61c21a0081f35

ipa-3-3: https://fedorahosted.org/freeipa/changeset/4de37e613d61a7f921687eec053f04bc55d2f09e

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: trustdomain_cli_bz1070924: Access is not rejected for disabled domain bz1070924
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 19:38:34 ] :: https://bugzilla.redhat.com/show_bug.cgi?id=1070924
  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.MEfh4TzOiL/tmpout.trustdomain_cli_bz1070924.out' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.MEfh4TzOiL/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain name: pune.adtest.qe'
:: [ PASS ] :: File '/tmp/tmp.MEfh4TzOiL/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain enabled: False'
:: [ PASS ] :: Running 'sleep 70' (Expected 0, got 0)
:: [ 19:39:46 ] :: Running: ssh -l "testu1.qe" dell-pe830-01.testrelm.test "echo 'login successful'
:: [ 19:40:03 ] :: ssh login failed
spawn ssh -o StrictHostKeyChecking=no -l testu1.qe dell-pe830-01.testrelm.test echo 'login successful'
testu1.qe.test's password:
Permission denied, please try again.
testu1.qe.test's password:
:: [ PASS ] :: Running 'cat /tmp/tmpout.ssh_with_password' (Expected 0, got 0)
:: [ PASS ] :: Running 'ssh_with_password testu1.qe dell-pe830-01.testrelm.test Secret123' (Expected 1, got 1)
:: [ 19:40:04 ] :: execute expect file: /tmp/kinit.3270.exp
set timeout 30
set force_conservative 0
set send_slow {1 .001}
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof
spawn /usr/bin/kinit -V admin
SecrUsing default cache: persistent:0:0
Using principal: admin
et123
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [ 19:40:05 ] :: Success: kinit as [admin] with password [Secret123] was successful.
:: [ PASS ] :: Kinit as admin user (Expected 0, got 0)
'e4e250df-8325-4dfe-ad22-740b20119e75' trustdomain-cli-bz1070924 result: PASS metric: 0
Log: /var/tmp/beakerlib-19613115/journal.txt
Info: Searching AVC errors produced since 1394066314.15 (Wed Mar 5 19:38:34 2014)
Searching logs...
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.O5Lf1T : AvcLog: /mnt/testarea/tmp.O5Lf1T
```

Verified in version ipa-server-3.3.3-20.el7.x86_64

Steeve, could you please retest with ipa-3.3.3-21.el7? As I wrote in Comment 4 there was an issue reported by clang which we fixed along with a potential memory leak.
Verified it with version ipa-server-3.3.3-21.el7.x86_64

* Here is the test where ssh works before disabling subdomain pune.adtest.qe

```
  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Domain name: pune.adtest.qe'
:: [ PASS ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Domain enabled: True'
:: [ PASS ] :: bz1052973 fixed
testu1.qe:*:839001108:839001108:testu1 user:/home/pune.adtest.qe/testu1:
:: [ PASS ] :: Running 'getent passwd testu1.qe' (Expected 0, got 0)
:: [ 13:01:44 ] :: Running: ssh -l "testu1.qe" tyan-gt24-11.testrelm.test "echo 'login successful'
:: [ 13:01:54 ] :: ssh login successful
:: [ PASS ] :: Running 'ssh_with_password testu1.qe tyan-gt24-11.testrelm.test Secret123' (Expected 0, got 0)
:: [ 13:01:55 ] :: execute expect file: /tmp/kinit.23224.exp
set timeout 30
set force_conservative 0
set send_slow {1 .001}
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof
spawn /usr/bin/kinit -V admin
SecreUsing default cache: persistent:0:0
Using principal: admin
t123
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [ 13:01:55 ] :: Success: kinit as [admin] with password [Secret123] was successful.
:: [ PASS ] :: Kinit as admin user (Expected 0, got 0)
:: [ PASS ] :: Running 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out 2>&1' (Expected 0, got 0)
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------
:: [ PASS ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Disabled trust domain "pune.adtest.qe"'
  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Domain name: pune.adtest.qe'
:: [ PASS ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1052973.out' should contain 'Domain enabled: False'
```

* After disabling subdomain, the subdomain user is rejected access

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: trustdomain_cli_bz1070924: Access is not rejected for disabled domain bz1070924
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 13:02:02 ] :: https://bugzilla.redhat.com/show_bug.cgi?id=1070924
  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [ PASS ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1070924.out' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain name: pune.adtest.qe'
:: [ PASS ] :: File '/tmp/tmp.ntDgq7IRTe/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain enabled: False'
:: [ PASS ] :: Running 'sleep 70' (Expected 0, got 0)
:: [ 13:03:14 ] :: Running: ssh -l "testu1.qe" tyan-gt24-11.testrelm.test "echo 'login successful'
:: [ 13:03:31 ] :: ssh login failed
spawn ssh -o StrictHostKeyChecking=no -l testu1.qe tyan-gt24-11.testrelm.test echo 'login successful'
testu1.qe.test's password:
Permission denied, please try again.
testu1.qe.test's password:
:: [ PASS ] :: Running 'cat /tmp/tmpout.ssh_with_password' (Expected 0, got 0)
:: [ PASS ] :: Running 'ssh_with_password testu1.qe tyan-gt24-11.testrelm.test Secret123' (Expected 1, got 1)
:: [ 13:03:31 ] :: execute expect file: /tmp/kinit.15432.exp
set timeout 30
set force_conservative 0
set send_slow {1 .001}
spawn /usr/bin/kinit -V admin
expect Password for *
send -s -- Secret123\r
expect eof
spawn /usr/bin/kinit -V admin
SecrUsing default cache: persistent:0:0
Using principal: admin
et123
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [ 13:03:32 ] :: Success: kinit as [admin] with password [Secret123] was successful.
:: [ PASS ] :: Kinit as admin user (Expected 0, got 0)
'3527f4ae-0d5a-4069-be31-64f4b5b7186f' trustdomain-cli-bz1070924 result: PASS metric: 0
Log: /var/tmp/beakerlib-19633121/journal.txt
Info: Searching AVC errors produced since 1394128922.63 (Thu Mar 6 13:02:02 2014)
Searching logs...
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.BzxdNy : AvcLog: /mnt/testarea/tmp.BzxdNy
```

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.