Bug 1335400
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD. | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Thorsten Scherf <tscherf> |
| Component | sssd | Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA | QA Contact | Steeve Goveas <sgoveas> |
| Severity | high | Docs Contact | Aneta Šteflová Petrová <apetrova> |
| Priority | high | | |
| Version | 6.7 | CC | apetrova, enewland, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sumenon, tscherf |
| Target Milestone | rc | Keywords | ZStream |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | sssd-1.13.3-24.el6 | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | | |
| | 1342058 | Environment | |
| Last Closed | 2017-03-21 09:56:12 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1342058 | | |

Doc Text:

Users with expired or locked accounts now cannot log in to IdM clients with their SSH keys

When a trusted Active Directory (AD) user with an expired or locked user account attempted to log in to an Identity Management (IdM) client using a non-password login method, such as SSH keys, the login was successful. With this update, the IdM client checks the AD lockout attribute when verifying whether an AD user is allowed to log in. As a result, AD users with expired or locked accounts are no longer permitted to log in in this situation.

Note that this bug has no security impact: The AD user could not obtain a Kerberos ticket on the IdM client because the user account was expired or locked on the server side.
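As an added example (not sssd's code and not taken from this bug report), a Python model of the check the Doc Text describes: an account-state decision built from the AD attributes userAccountControl, accountExpires and lockoutTime, and an SSH key lookup that hands sshd nothing when that decision fails. The sample entries, the key string and the 30-minute lockout window are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows userAccountControl bit and accountExpires sentinels (documented AD values)
UF_ACCOUNTDISABLE = 0x0002
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME = 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def account_state(entry, now, lockout_duration=timedelta(minutes=30)):
    """Decide from the AD attributes whether the account may be used at all.
    entry maps attribute name -> value as an LDAP lookup would return it (constructed).
    lockout_duration=None models an AD lockoutDuration of 0 (locked until an admin unlocks)."""
    if int(entry.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE:
        return False, "disabled"
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return False, "expired"
    locked_at = int(entry.get("lockoutTime", 0))
    if locked_at and (lockout_duration is None
                      or now < filetime_to_datetime(locked_at) + lockout_duration):
        return False, "locked"
    return True, "ok"

def authorized_keys(entry, now):
    """Keys to hand to sshd: empty unless the account-state check passes.
    Returning the keys without consulting account_state() is the behaviour this bug describes."""
    allowed, _ = account_state(entry, now)
    return list(entry.get("sshPublicKey", [])) if allowed else []

# Constructed sample data; the key is a placeholder, not a real key
NOW = datetime(2016, 11, 26, 23, 29, tzinfo=timezone.utc)
KEY = ["ssh-rsa AAAA...placeholder... user2@client.example"]
USER_OK = {"userAccountControl": 0x200, "accountExpires": 0, "sshPublicKey": KEY}
USER_DISABLED = {"userAccountControl": 0x202, "accountExpires": 0, "sshPublicKey": KEY}
USER_EXPIRED = {"userAccountControl": 0x200,
                "accountExpires": datetime_to_filetime(NOW - timedelta(days=1)),
                "sshPublicKey": KEY}
USER_LOCKED = {"userAccountControl": 0x200, "accountExpires": 0,
               "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5)),
               "sshPublicKey": KEY}
LATER = NOW + timedelta(hours=1)
```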
Description
Thorsten Scherf
2016-05-12 07:46:21 UTC
Disabled user on AD is no longer allowed to log in. Fix is seen.

Verified using RHEL7.3 IPA master and RHEL6.9 IPA client:

- ipa-server-4.4.0-14.el7_3.x86_64
- sssd-1.14.0-43.el7_3.9.x86_64
- ipa-client-3.0.0-51.el6.x86_64
- sssd-1.13.3-46.el6.x86_64

Steps:

==== On IPA Master ====

1. Created a view.

   ```
   [root@master ~]# ipa idview-add view1
   ```

2. Add user to the view.

   ```
   [root@master ~]# ipa idoverrideuser-add view1 user2
   ```

3. Copied the contents of id_rsa.pub created as user2 localhost login to the view1 of which the user is part.

   ```
   [root@master ~]# ipa idoverrideuser-mod view1 user2 --sshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3sKUVkWNSkfoQiI1zK3cf+0/2+rUemzoTTyI4uWj/XJjvg4ffZXv6pKilong6xpLSc6/J6s891GMeAOMthyqLXw7H+rH+sB4rHJXbOk6NgzMjWiBDieAJIGFkgwcINeBEABAJtpFNM997DSvyGMn0aktOnkLXXP29NsBsNC6ka9MQfbMqJUBXViyUHRcJV9+79roK1Z3TtG17sp2UBBJeA3iO9nf43KTyEORkS+eusuFS6ux35fdE+3Mhw1ikftFCjT6CQHox1GmlCBJFoCKOAnMp6J/AJy2N6KTN5t7jQ6zhiFQImSyNbcS7dsx4bY3cR27SsS4QbyFET3eyFkjjQ== user2@client.testqe.test'
   ```

4. Applied the view for the client from where the login is done.

   ```
   # ipa idview-apply --hosts=client.testrelm.test
   ```

5. Verifying view details.

   ```
   [root@master .ssh]# kinit admin
   Password for admin:
   [root@master .ssh]# ipa idoverrideuser-find view1
   --------------------------
   1 User ID override matched
   --------------------------
     Anchor to override: user2
     User login: user2
     Home directory: /home/user2
     SSH public key: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3sKUVkWNSkfoQiI1zK3cf+0/2+rUemzoTTyI4uWj/XJjvg4ffZXv6pKilong6xpLSc6/J6s891GMeAOMthyqLXw7H+rH+sB4rHJXbOk6NgzMjWiBDieAJIGFkgwcINeBEABAJtpFNM997DSvyGMn0aktOnkLXXP29NsBsNC6ka9MQfbMqJUBXViyUHRcJV9+79roK1Z3TtG17sp2UBBJeA3iO9nf43KTyEORkS+eusuFS6ux35fdE+3Mhw1ikftFCjT6CQHox1GmlCBJFoCKOAnMp6J/AJy2N6KTN5t7jQ6zhiFQImSyNbcS7dsx4bY3cR27SsS4QbyFET3eyFkjjQ== user2@client.testqe.test
   ----------------------------
   Number of entries returned 1
   ----------------------------
   ```

==== On the IPA Client ====

```
[root@client ~]# sss_ssh_authorizedkeys user2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3sKUVkWNSkfoQiI1zK3cf+0/2+rUemzoTTyI4uWj/XJjvg4ffZXv6pKilong6xpLSc6/J6s891GMeAOMthyqLXw7H+rH+sB4rHJXbOk6NgzMjWiBDieAJIGFkgwcINeBEABAJtpFNM997DSvyGMn0aktOnkLXXP29NsBsNC6ka9MQfbMqJUBXViyUHRcJV9+79roK1Z3TtG17sp2UBBJeA3iO9nf43KTyEORkS+eusuFS6ux35fdE+3Mhw1ikftFCjT6CQHox1GmlCBJFoCKOAnMp6J/AJy2N6KTN5t7jQ6zhiFQImSyNbcS7dsx4bY3cR27SsS4QbyFET3eyFkjjQ== user2@client.testqe.test
[root@client ~]# ssh -l user2 localhost
user2@localhost's password:
[root@client ~]# ssh-keygen -t rsa /home/user2/.ssh
-sh-4.1$ ls -l
total 12
-rw-------. 1 user2 user2 1675 Nov 25 19:56 id_rsa
-rw-r--r--. 1 user2 user2  413 Nov 25 19:56 id_rsa.pub
[root@client ~]# ssh -l user2 localhost
user2@localhost's password:
Last login: Sat Nov 26 23:29:09 2016 from localhost
-sh-4.1$ ssh -l user2 master.testqe.test -o PubkeyAuthentication=yes
Last login: Sat Nov 26 23:29:16 2016 from 10.76.33.237
-sh-4.2$ id
uid=577602331(user2) gid=577602331(user2) groups=577602331(user2),577600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ getent passwd user2
user2:*:577602331:577602331:user2:/home/pne.qe/user2:
```

After disabling the user2 on AD domain pne.qe:

```
[root@client ~]# ssh -l user2 localhost
user2@localhost's password:
Permission denied, please try again.
user2@localhost's password:
Permission denied, please try again.
user2@localhost's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```

```
Nov 25 19:37:33 master sshd[11694]: pam_sss(sshd:auth): received for user user2: 7 (Authentication failure)
Nov 25 19:37:33 master sshd[11686]: error: PAM: Authentication failure for user2 from dhcp200-237.lab.eng.pnq.redhat.com
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0632.html