Bug 1203642
| Summary: | GPO access control looks for computer object in user's domain only | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> | |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 7.0 | CC: | grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nkarandi, pbrezina, preichl, sgoveas | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | sssd-1.13.0-0.1.alpha.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1203643 (view as bug list) | Environment: | ||
| Last Closed: | 2015-11-19 11:36:44 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1203643 | |||
|
Description
Jakub Hrozek
2015-03-19 10:19:16 UTC
Pushed to master:
master:
475d986b534c5e0dfdb8e2348ab89b13fd4874aa
e2bd4f8a41b72aea0712ad21ad02ccebb707f536
d9079aa05eb8aacb488992fdce328c1abadd08d8
sssd-1-12:
b025f8a22cab47ac1f705a872917e3da0799fdd9
89a706acf3131bbe8c0aefa9c740dd44e892754f
d7efa39ab732fb034f51501cb2b1b8d3b1716979
Tested with sssd-1.13.0-39.el7.x86_64 Testcase 1: When client to joined to rootdc.com and user/gpo exist in child.rootdc.com Install sssd-1.12.2-58.el7.x86_64 1. Configure sssd to joined to rootdc.com as follows : [domain/rootdc.com] debug_level = 9 ad_domain = rootdc.com krb5_realm = ROOTDC.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%u@%d access_provider = ad dyndns_iface = * ad_gpo_access_control = enforcing 2. Try to login with user from child domain. # ssh -l child_au.com localhost child_au.com@localhost's password: Connection closed by ::1 3. Update sssd to the fixed version. User from child domain is able to login. # ssh -l child_au.com localhost child_au.com@localhost's password: Last failed login: Tue Oct 13 15:58:20 IST 2015 from localhost on ssh:notty There was 1 failed login attempt since the last successful login. Last login: Thu Sep 24 16:39:49 2015 [child_au.com@dhcp207-223 ~]$ Testcase 2 : When client to joined to child.rootdc.com and user/gpo exist in rootdc.com 1. Downgrade to sssd-1.12.2-58.el7.x86_64, configure sssd to joined to child.rootdc.com as follows : [domain/child.rootdc.com] ad_domain = child.rootdc.com krb5_realm = CHILD.ROOTDC.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%u@%d access_provider = ad ad_gpo_access_control = enforcing 2. Try to login with user from root domain. # ssh -l root_au localhost root_au@localhost's password: Connection closed by ::1 3. Update sssd to the fixed version sssd-1.13.0-39.el7.x86_64. User from root domain is able to login. # ssh -l root_au localhost root_au@localhost's password: Last failed login: Tue Oct 13 16:22:57 IST 2015 from localhost on ssh:notty Last login: Tue Oct 13 16:17:55 2015 from localhost [root_au@dhcp207-223 ~]$ Working as expected in both cases. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html |