Bug 1172598

Summary: Access is not rejected for disabled domain
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: high    
Version: 7.1CC: abokovoy, grajaiya, jcholast, jgalipea, jhrozek, kbanerje, lslebodn, mkosek, mzidek, pbrezina, preichl, rcritten, sbose, sgoveas, sssd-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.1.0-13.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1170300 Environment:
Last Closed: 2015-03-05 10:18:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1170300    
Bug Blocks:    

Description Martin Kosek 2014-12-10 12:54:29 UTC 
+++ This bug was initially created as a clone of Bug #1170300 +++

Description of problem:
This is a regression of bz1070924

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Setup trust with AD having a child domain
2. Disable child domain trust
3. ssh as user from child AD domain

Actual results:

[root@vm-idm-032 ~]# ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

[root@vm-idm-032 ~]# ipa trustdomain-disable adtest.qe pune.adtest.qe
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------

[root@vm-idm-032 ~]# ipa trustdomain-find  adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------

[root@vm-idm-032 ~]#  ipa trust-show adtest.qe --all | grep S-1-5-21-91314187-2404433721-1858927112
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18

[root@vm-idm-032 ~]# sleep 90 ; ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

[root@vm-idm-032 ~]# sleep 30 ; ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

Expected results:
Access should be rejected for AD user from disabled domain

Additional info:

...

--- Additional comment from Petr Vobornik on 2014-12-04 03:51:42 EST ---

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4788
Comment 1 Martin Kosek 2014-12-10 12:55:33 UTC 
This Bugzilla is to provide better error code in this scenario (and return POLICY error to be precise)
Comment 4 Sumit Bose 2015-01-07 10:09:41 UTC 
How to test:
- disable a domain from a trusted forest
- call kinit with a principal of a user from the disabled domain (this will work because kinit will talk to the DC of the domain directly)
- try to get a Kerberos service ticket for an IPA server, e.g.
      kvno ldap/ipaserver.ipa.domain
  Older version of IPA should just show an unspecific error, while versions with the patch should show a policy error.
Comment 5 Steeve Goveas 2015-01-08 05:04:23 UTC 
Verified in version
ipa-server-4.1.0-13.el7.x86_64
sssd-ipa-1.12.2-39.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: trustdomain_cli_bz1172598: Policy error expected when access is rejected for disabled domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1'
:: [   PASS   ] :: Command 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 0, got 0)
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123 | kinit testu1.QE'
Password for testu1.QE: 
:: [   PASS   ] :: Command 'echo Secret123 | kinit testu1.QE' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'kvno ldap/vm-idm-010.steeve2411.test > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1'
:: [   PASS   ] :: Command 'kvno ldap/vm-idm-010.steeve2411.test > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out'
kvno: KDC policy rejects request while getting credentials for ldap/vm-idm-010.steeve2411.test
:: [   PASS   ] :: Command 'cat /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out' should contain 'kvno: KDC policy rejects request while getting credentials for ldap/vm-idm-010.steeve2411.test' 
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123 | kinit admin'
Password for admin: 
:: [   PASS   ] :: Command 'echo Secret123 | kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa trustdomain-enable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1'
:: [   PASS   ] :: Command 'ipa trustdomain-enable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 65'
:: [   PASS   ] :: Command 'sleep 65' (Expected 0, got 0)
Comment 6 Martin Kosek 2015-02-16 15:32:01 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/373a04870d6ecc99145a6267c008702ed3e24171
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/6d6e924b1fe154812d66277f55c485f210e9c32d
Comment 8 errata-xmlrpc 2015-03-05 10:18:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html