Bug 1342058

Summary: In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.
Product: Red Hat Enterprise Linux 6
Reporter: Marcel Kolaja <mkolaja>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Steeve Goveas <sgoveas>
Severity: high
Docs Contact:
Priority: high
Version: 6.7
CC: enewland, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sssd-maint, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: sssd-1.13.3-22.el6_8.3
Doc Type: Bug Fix
Doc Text:
If an Active Directory (AD) user with a disabled user account attempts to log in, Identity Management (IdM) is expected to deny access. Previously, the login attempt succeeded when the user used a login method other than the standard password login, such as an SSH key. To fix this problem, IdM no longer checks only the IdM-specific account lockout attributes, but also the AD lockout attributes. As a result, an AD user with a disabled user account is no longer permitted to log in with an SSH key.
Story Points: ---
Clone Of: 1335400
Environment:
Last Closed: 2016-07-12 18:36:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1335400
Bug Blocks:

Description Marcel Kolaja 2016-06-02 11:07:49 UTC
This bug has been copied from bug #1335400 and has been proposed
to be backported to 6.8 z-stream (EUS).

Comment 4 Kaleem 2016-07-04 10:39:10 UTC
Verified.

[root@dhcp207-58 ~]# rpm -q sssd
sssd-1.13.3-22.el6_8.4.x86_64
[root@dhcp207-58 ~]# 

Snip from console output.
=========================
[root@dhcp207-58 ~]# ssh -i /home/ipaad2012r2.test/aduser1/.ssh/id_rsa aduser1@dhcp207-62.testrelm.test
Connection closed by UNKNOWN
[root@dhcp207-58 ~]# ldapsearch -x -h  x.x.x.x -D "Administrator" -W -b "cn=Aduser1 user,cn=users,dc=ipaad2012r2,dc=test" -s sub "userAccountControl"
Enter LDAP Password: 
....
.....
# Aduser1 user, Users, ipaad2012r2.test
dn: CN=Aduser1 user,CN=Users,DC=ipaad2012r2,DC=test
userAccountControl: 66050

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@dhcp207-58 ~]#
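As an added example (not code from SSSD or from this bug report), the following shows the AD-side check the Doc Text describes, applied to the attributes the ldapsearch in Comment 4 returns: the userAccountControl value 66050 is decoded into its flag bits and the ACCOUNTDISABLE bit, together with accountExpires, decides whether the account may log in. The function names and the sample entries are constructed for this example; the flag values are the documented AD userAccountControl bits.

```python
from datetime import datetime, timedelta, timezone

# Documented AD userAccountControl bit flags (only the ones relevant here).
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x2

# accountExpires is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC);
# both 0 and the maximum int64 mean "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def ad_account_usable(entry, now=None):
    """Access decision for an AD entry given as {attribute: [str, ...]}.

    Denies when ACCOUNTDISABLE is set or accountExpires lies in the past,
    regardless of how the user authenticated (password, SSH key, ...).
    """
    now = now or datetime.now(timezone.utc)
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if uac & ACCOUNTDISABLE:
        return False, "account disabled: %s" % ", ".join(decode_uac(uac))
    expires = int(entry.get("accountExpires", ["0"])[0])
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return False, "account expired at %s" % filetime_to_datetime(expires)
    return True, "ok"


# Constructed entries mirroring the ldapsearch result in Comment 4.
DISABLED_USER = {"userAccountControl": ["66050"], "accountExpires": ["0"]}
ENABLED_USER = {"userAccountControl": ["66048"], "accountExpires": ["0"]}

if __name__ == "__main__":
    for user in (DISABLED_USER, ENABLED_USER):
        print(decode_uac(int(user["userAccountControl"][0])), ad_account_usable(user))
```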

Comment 7 errata-xmlrpc 2016-07-12 18:36:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1407