Bug 1202245

Summary: SSSD's HBAC processing is not permissive enough with broken replication entries
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: medium
Version: 7.2
CC: akasurde, grajaiya, ipa-maint, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, pwayper, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Cause: When IPA replication had issues, replication conflict entries (using nsUniqueID as one value of a multi-valued RDN) appeared in the directory. SSSD could not handle the unexpected RDN format.
Consequence: If these replication conflict entries appeared during HBAC processing, the user was denied access.
Fix: The replication conflict entries are skipped.
Result: Users are permitted access even if replication conflict entries appear during HBAC processing.
Story Points: ---
Clone Of: 1201974
Last Closed: 2015-11-19 11:36:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1201974
Bug Blocks: 1205796
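
The Doc Text says the fix makes the HBAC rule loader skip replication conflict entries rather than fail on them. The check below is an added example, not SSSD's own code: it recognises such an entry by its DN, assuming the conflict RDN takes the form `nsuniqueid=<id>+<original rdn>` (a multi-valued RDN with an nsuniqueid component), and the sample DNs are constructed.

```c
/* Added example, not SSSD's own code: recognise 389-ds replication conflict
 * entries by their DN so an HBAC rule loader can skip them instead of failing
 * the whole evaluation.  Assumption: the conflict RDN has the form
 * "nsuniqueid=<id>+<original rdn>", as the Doc Text describes. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

bool is_replication_conflict_dn(const char *dn)
{
    const char *comp = dn;              /* start of current type=value component */
    bool multi = false, has_nsuniqueid = false;
    for (const char *p = dn; ; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; }   /* skip escaped char */
        if (*p != '+' && *p != ',' && *p != '\0') continue;
        const char *eq = memchr(comp, '=', (size_t)(p - comp));
        if (eq == NULL) return false;                       /* malformed RDN */
        if (eq - comp == 10 && strncasecmp(comp, "nsuniqueid", 10) == 0)
            has_nsuniqueid = true;                          /* LDAP types are case-insensitive */
        if (*p != '+') break;                               /* first RDN ends at ',' or NUL */
        multi = true;                                       /* '+' joins RDN components */
        comp = p + 1;
    }
    return multi && has_nsuniqueid;
}

/* Tolerant loader: count the HBAC rule entries kept after skipping conflicts. */
size_t count_usable_rules(const char *const *dns, size_t n)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        kept += !is_replication_conflict_dn(dns[i]);
    return kept;
}

int main(void)
{
    /* constructed sample DNs: two regular rules, one conflict entry, one escaped '+' */
    const char *const dns[] = {
        "cn=allow_ssh,cn=hbac,dc=example,dc=com",
        "nsuniqueid=66446001-1dd211b2-66225011-2ee211db+cn=allow_ssh,cn=hbac,dc=example,dc=com",
        "cn=allow\\+ftp,cn=hbac,dc=example,dc=com",
        "cn=x+ou=y,dc=example,dc=com",
    };
    size_t n = sizeof dns / sizeof dns[0];
    printf("%zu of %zu rules usable\n", count_usable_rules(dns, n), n);
    return 0;
}
```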

Comment 1 Jakub Hrozek 2015-03-16 08:31:08 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2603

Comment 3 Jakub Hrozek 2015-03-16 12:15:14 UTC
*** Bug 1201977 has been marked as a duplicate of this bug. ***

Comment 4 Jakub Hrozek 2015-03-24 20:58:38 UTC
Fixed upstream:
    master:
        6dff95bdfe437afc0b62b5270d0d84140981c786
        fdfe33975cd902bf7a334e49f2667f6346c4e6ae
        c41ae115bfa808d04e729dcbd759d8aae8387ce7
        64d8e2df816323a004bf6e7e9d05ba373b9e033d
        1243e093fd31c5660adf1bb3dd477d6935a755be 
    sssd-1-12:
        010c1c605cfcd2879a6f91ba61ea8db53aa4c5ae
        4df47543690a8b185d04ca6a0270e231e4491e6d
        a7c2e661a9bedd114941c9d5f33d20b70c18e878
        319f9710185929186778814b48f2227359d4f8f4

Comment 6 Abhijeet Kasurde 2015-10-07 10:25:50 UTC
Verifying Sanity only

 +-----------------------------[RPMs & OS: [RedHat - x86_64]-----------------------------+
|       ipa-admintools-4.2.0-12.el7.x86_64
|       ipa-client-4.2.0-12.el7.x86_64
|       ipa-server-4.2.0-12.el7.x86_64
|       ipa-server-dns-4.2.0-12.el7.x86_64
|       ipa-tests-ipa-server-rhel72-ipa-hbac-func-ksiddiqu-20150813111707.b8ddea8-0.noarch
|       ipa-tests-ipa-server-rhel72-quickinstall-20150821100514-0.noarch
|       ipa-tests-ipa-server-rhel72-shared-20150930150523-0.noarch
|       sssd-ipa-1.13.0-36.el7.x86_64
------------------------------------------------------------------------------------------

 +-----------------------------------------------------------------------------------------+
     Test:[/ipa-server/rhel72/ipa-hbac-func/root]: [ Pass(51/51): 100% ] 
 +-----------------------------------------------------------------------------------------+
:: [   PASS   ]   ipa-hbacsvc-func: Setup of users
:: [   PASS   ]   MASTER tests start
:: [   PASS   ]   ipa-hbacsvc-001: user1 part of rule1 is allowed to access CLIENT from CLIENT - SSHD Service
:: [   PASS   ]   ipa-hbacsvc-002: user1 part of rule1 is allowed to access MASTER from CLIENT2 - FTP Service
:: [   PASS   ]   ipa-hbacsvc-002_1: vsftpd service removed from rule1 which was allowed to access MASTER from CLIENT2 - FTP Service
:: [   PASS   ]   ipa-hbacsvc-003: user3 part of rule3 with default ftp svcgrp is allowed to access MASTER from CLIENT2
:: [   PASS   ]   ipa-hbacsvc-004: user4 part of rule4 is allowed to access hostgroup from CLIENT
:: [   PASS   ]   ipa-hbacsvc-005: user5 part of rule5 is allowed to access CLIENT from hostgroup
:: [   PASS   ]   ipa-hbacsvc-005_1: user5 is removed from rule5
:: [   PASS   ]   ipa-hbacsvc-006: user6 part of rule6 is allowed to access hostgroup from hostgroup2
:: [   PASS   ]   ipa-hbacsvc-007: user7 part of rule7 is allowed to access hostgroup from hostgroup2 with hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-007_1: user7 is removed from rule7 which was allowed to access hostgroup from hostgroup2 with hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-008: user8 from grp8 part of rule8 is allowed to access CLIENT2 from CLIENT
:: [   PASS   ]   ipa-hbacsvc-008_1: grp8 removed from rule8 which was allowed to access CLIENT2 from CLIENT
:: [   PASS   ]   ipa-hbacsvc-009: user9 from grp9 part of rule9 is allowed to access CLIENT2 from CLIENT - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-009_1: grp9 removed from rule9 which was allowed to access CLIENT2 from CLIENT - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-010: user10 from grp10 part of rule10 is allowed to access hostgrp from CLIENT
:: [   PASS   ]   ipa-hbacsvc-011: user11 from grp11 part of rule11 is allowed to access CLIENT2 from hostgrp - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-011_1: sshd service group removed from rule11 which was allowed to access CLIENT2 from hostgrp - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-012: user12 from grp12 part of rule12 is allowed to access CLIENT2 from hostgrp - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-013: user13 from grp13 part of rule13 is allowed to access hostgrp from hostgrp2
:: [   PASS   ]   ipa-hbacsvc-014: user14 from grp14 part of rule14 is allowed to access hostgrp from hostgrp2 - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-015: user15 from nestgrp15 part of rule15 is allowed to access CLIENT from CLIENT2
:: [   PASS   ]   ipa-hbacsvc-015_1: user15 removed from rule15 which was allowed to access CLIENT from CLIENT2
:: [   PASS   ]   ipa-hbacsvc-016: user16 from nestgrp16 part of rule16 is allowed to access CLIENT from CLIENT2 - hbacsvcgroup
:: [   PASS   ]   ipa-hbacsvc-016_1: user16 removed from rule16 which was allowed to access CLIENT from CLIENT2 - hbacsvcgroup
:: [   PASS   ]   ipa-hbacsvc-017: user17 from nestgrp17 part of rule17 is allowed to access host from hostgrp2
:: [   PASS   ]   ipa-hbacsvc-018: user18 from nestgrp18 part of rule18 is allowed to access host from hostgrp2 - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-019: user19 from nestgrp19 part of rule19 is allowed to access hostgrp from hostgrp2
:: [   PASS   ]   ipa-hbacsvc-020: user20 from nestgrp20 part of rule20 is allowed to access hostgrp from hostgrp2 - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-020_1: hbac rule20 is removed.
:: [   PASS   ]   ipa-hbacsvc-021: user21 part of rule21 is allowed to access CLIENT from EXT_HOST
:: [   PASS   ]   ipa-hbacsvc-023: user23 part of group23 is allowed to access CLIENT2 from EXT_HOST2
:: [   PASS   ]   ipa-hbacsvc-025: user25 part of group25 is allowed to access CLIENT from EXT_HOST2
:: [   PASS   ]   ipa-hbacsvc-027: user27 part of rule27 is allowed to access CLIENT from CLIENT2 with empty hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-028: user28 part of rule28 is allowed to access CLIENT from CLIENT2 with incorrect hbacsvc
:: [   PASS   ]   ipa-hbacsvc-029: user29 part of rule29 is allowed to access CLIENT from CLIENT2 with empty group
:: [   PASS   ]   ipa-hbacsvc-030: user30 part of rule30 is allowed to access CLIENT from CLIENT2 with empty netgroup
:: [   PASS   ]   ipa-hbacsvc-031: user31 part of UTF-8 is allowed to access CLIENT from CLIENT - SSHD Service
:: [   PASS   ]   ipa-hbacsvc-033: Offline client caching for enabled default HBAC rule
:: [   PASS   ]   ipa-hbacsvc-034: Offline client caching for disabled default HBAC rule
:: [   PASS   ]   ipa-hbacsvc-035: Offline client caching for custom HBAC rule
:: [   PASS   ]   ipa-hbacsvc-bugzila-001: bz736314 user736314 part of rule736314 is allowed to access MASTER from CLIENT
:: [   PASS   ]   ipa-hbacsvc-bugzilla-004: bz782927 Test sizelimit option to hbactest
:: [   PASS   ]   ipa-hbacsvc-bugzilla-005: bz772852 Unresolved rules in rules error message is displayed even if the hbacrule is specified using the rules option.
:: [   PASS   ]   ipa-hbacsvc-bugzilla-006: bz766876 RFE Make HBAC srchost processing optional - Case 1
:: [   PASS   ]   ipa-hbacsvc-bugzilla-009: bz766876 RFE Make HBAC srchost processing optional - Case 2
:: [   PASS   ]   ipa-hbacsvc-bugzilla-012: bz801769 - hbactest returns failure when hostgroups are chained
:: [   PASS   ]   ipa-hbacsvc-bugzilla-013: bz771706 sssd_be crashes during auth when there exists empty service group or hostgroup in an hbacrule.
:: [   PASS   ]   ipa-hbacrule-func-cleanup: Destroying admin credentials.
:: [   PASS   ]   /ipa-server/rhel72/ipa-hbac-func/root

 +----------------------------------------------------------------------+
                    Fail / unfinished / ABORT [ Fail(0/51): 0% ]
 +----------------------------------------------------------------------+

=========================== end of report [/tmp/tmp.cBa2qUEMkr/rhts.report.5316.txt]===============================
original rlJournalPrintText body saved as [/tmp/rhts.original.8536.txt]

Comment 7 errata-xmlrpc 2015-11-19 11:36:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html