Bug 1170300

Summary: Access is not rejected for disabled domain
Product: Red Hat Enterprise Linux 7 Reporter: Steeve Goveas <sgoveas>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: high    
Version: 7.1CC: abokovoy, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, ovasik, pbrezina, preichl, rcritten, sssd-maint
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.12.2-38.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1172598 (view as bug list) Environment:
Last Closed: 2015-03-05 10:34:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1172598    

Description Steeve Goveas 2014-12-03 17:53:07 UTC 
Description of problem:
This is a regression of bz1070924

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Setup trust with AD having a child domain
2. Disable child domain trust
3. ssh as user from child AD domain

Actual results:

[root@vm-idm-032 ~]# ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

[root@vm-idm-032 ~]# ipa trustdomain-disable adtest.qe pune.adtest.qe
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------

[root@vm-idm-032 ~]# ipa trustdomain-find  adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------

[root@vm-idm-032 ~]#  ipa trust-show adtest.qe --all | grep S-1-5-21-91314187-2404433721-1858927112
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18

[root@vm-idm-032 ~]# sleep 90 ; ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

[root@vm-idm-032 ~]# sleep 30 ; ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

Expected results:
Access should be rejected for AD user from disabled domain

Additional info:
Comment 3 Petr Vobornik 2014-12-04 08:51:42 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4788
Comment 5 Alexander Bokovoy 2014-12-08 12:43:55 UTC 
Switching to SSSD as this is a bug in SSSD.
Comment 6 Jakub Hrozek 2014-12-11 09:03:46 UTC 
Sumit has been looking into this bug.
Comment 7 Martin Kosek 2014-12-17 08:52:04 UTC 
Upstream ticket:

https://fedorahosted.org/sssd/ticket/2535
Comment 9 Steeve Goveas 2015-01-07 09:40:28 UTC 
Verified in version
ipa-server-4.1.0-13.el7.x86_64
sssd-ipa-1.12.2-39.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: trustdomain_cli_bz1070924: Access is not rejected for disabled domain bz1070924
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 14:00:49 ] :: https://bugzilla.redhat.com/show_bug.cgi?id=1070924
:: [  BEGIN   ] :: Running 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.b02bxEJFbU/tmpout.trustdomain_cli_bz1070924.out 2>&1'
:: [   PASS   ] :: Command 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.b02bxEJFbU/tmpout.trustdomain_cli_bz1070924.out 2>&1' (Expected 0, got 0)
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------
:: [  BEGIN   ] :: Running 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.b02bxEJFbU/tmpout.trustdomain_cli_bz1070924.out'
  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Command 'ipa trustdomain-find adtest.qe pune.adtest.qe | tee /tmp/tmp.b02bxEJFbU/tmpout.trustdomain_cli_bz1070924.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.b02bxEJFbU/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain name: pune.adtest.qe' 
:: [   PASS   ] :: File '/tmp/tmp.b02bxEJFbU/tmpout.trustdomain_cli_bz1070924.out' should contain 'Domain enabled: False' 
:: [  BEGIN   ] :: Running 'sleep 90'
:: [   PASS   ] :: Command 'sleep 90' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ssh_with_password testu1.qe vm-idm-033.steeve2411.test Secret123'
:: [ 14:02:23 ] :: Running: ssh -l "testu1.qe" vm-idm-033.steeve2411.test "echo 'login successful'
:: [ 14:02:54 ] :: ssh login failed
:: [  BEGIN   ] :: Running 'cat /tmp/tmpout.ssh_with_password'
spawn ssh -o StrictHostKeyChecking=no -l testu1.qe vm-idm-033.steeve2411.test echo 'login successful'
testu1.qe.test's password: 
Permission denied, please try again.

testu1.qe.test's password: :: [   PASS   ] :: Command 'cat /tmp/tmpout.ssh_with_password' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ssh_with_password testu1.qe vm-idm-033.steeve2411.test Secret123' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'ipa trustdomain-enable adtest.qe pune.adtest.qe > /tmp/tmp.b02bxEJFbU/tmpout.trustdomain_cli_bz1070924.out 2>&1'
:: [   PASS   ] :: Command 'ipa trustdomain-enable adtest.qe pune.adtest.qe > /tmp/tmp.b02bxEJFbU/tmpout.trustdomain_cli_bz1070924.out 2>&1' (Expected 0, got 0)
-------------------------------------
Enabled trust domain "pune.adtest.qe"
-------------------------------------
Comment 10 Martin Kosek 2015-02-16 15:31:44 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/373a04870d6ecc99145a6267c008702ed3e24171
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/6d6e924b1fe154812d66277f55c485f210e9c32d
Comment 12 errata-xmlrpc 2015-03-05 10:34:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html