Bug 1435718

Summary: As an ID user I cannot call a command with --rights option
Product: Red Hat Enterprise Linux 7
Reporter: Petr Vobornik <pvoborni>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Sudhir Menon <sumenon>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.4
CC: nsoman, pvoborni, rcritten, sumenon, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.5.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 09:46:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-03-24 15:18:04 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6797

Description:
As an ID user I try to call a command, e.g. (ipa config-show --rights or ipa idoverrideuser-show "id view" user), and I get "ipa: ERROR: no matching entry found". So getting effective rights does not work for AD users. The problem is in the CLI and also when performing API calls.

Steps to reproduce:
1. Install FreeIPA and AD server
2. Establish trust between those two machines
3. kinit as AD user or Administrator (# kinit Administrator)
4. try to run any command with the --rights option ($ ipa config-show --rights --all)
5. "ipa: ERROR: no matching entry found" is shown

Expected result:
Get entry with effective rights.

The following traceback is taken from /var/log/httpd/error_log, with "debug = True" set in /etc/ipa/default.conf and performing:
 $ ipa idoverrideuser-show "Default Trust View" Administrator --rights

```console
[Wed Mar 22 10:27:51.943448 2017] [wsgi:error] [pid 36695] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Mar 22 10:27:51.943480 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Wed Mar 22 10:27:51.943485 2017] [wsgi:error] [pid 36695]     result = command(*args, **options)
[Wed Mar 22 10:27:51.943489 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 447, in __call__
[Wed Mar 22 10:27:51.943493 2017] [wsgi:error] [pid 36695]     return self.__do_call(*args, **options)
[Wed Mar 22 10:27:51.943504 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 475, in __do_call
[Wed Mar 22 10:27:51.943508 2017] [wsgi:error] [pid 36695]     ret = self.run(*args, **options)
[Wed Mar 22 10:27:51.943511 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 797, in run
[Wed Mar 22 10:27:51.943515 2017] [wsgi:error] [pid 36695]     return self.execute(*args, **options)
[Wed Mar 22 10:27:51.943519 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1327, in execute
[Wed Mar 22 10:27:51.943522 2017] [wsgi:error] [pid 36695]     ldap, entry_attrs.dn)
[Wed Mar 22 10:27:51.943526 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 212, in get_effective_rights
[Wed Mar 22 10:27:51.943530 2017] [wsgi:error] [pid 36695]     rights = ldap.get_effective_rights(dn, attrs)
[Wed Mar 22 10:27:51.943533 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 291, in get_effective_rights
[Wed Mar 22 10:27:51.943537 2017] [wsgi:error] [pid 36695]     "krbPrincipalAux", base_dn=self.api.env.basedn)
[Wed Mar 22 10:27:51.943540 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1469, in find_entry_by_attr
[Wed Mar 22 10:27:51.943544 2017] [wsgi:error] [pid 36695]     base_dn, filter=filter, attrs_list=attrs_list)
[Wed Mar 22 10:27:51.943547 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1317, in get_entries
[Wed Mar 22 10:27:51.943551 2017] [wsgi:error] [pid 36695]     **kwargs)
[Wed Mar 22 10:27:51.943555 2017] [wsgi:error] [pid 36695]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1448, in find_entries
[Wed Mar 22 10:27:51.943558 2017] [wsgi:error] [pid 36695]     raise errors.EmptyResult(reason='no matching entry found')
[Wed Mar 22 10:27:51.943562 2017] [wsgi:error] [pid 36695] EmptyResult: no matching entry found
[Wed Mar 22 10:27:51.943565 2017] [wsgi:error] [pid 36695] 
```

Comment 2 Petr Vobornik 2017-03-24 15:18:18 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6797

Comment 3 Petr Vobornik 2017-03-24 15:19:24 UTC
This is a prerequisite for self-service Web UI for AD users work.

Comment 4 Petr Vobornik 2017-03-24 15:37:13 UTC
ipa-4-5:
    7d48fb841a23e9f036f3d449d80623d1225c820a ldap2: use LDAP whoami operation to retrieve bind DN for current connection

master:
    7324451834ec03786fda947679f750fe2a72f29c ldap2: use LDAP whoami operation to retrieve bind DN for current connection
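
The traceback in the description and the fix named above come down to how the server resolves the identity whose rights are being asked for. Before the fix, get_effective_rights() searched the IPA tree for an entry with krbPrincipalName equal to the caller's principal (objectClass krbPrincipalAux); a trusted AD user has no such entry, so find_entries() raised EmptyResult. The fix asks the directory directly with the LDAP "Who am I?" extended operation (RFC 4532), whose answer is the authzId the Get Effective Rights control needs. The following is an added example written for this page, not FreeIPA's own code, showing that flow with python-ldap plus offline helpers for the attributeLevelRights value 389-ds returns (the dict printed by ipa config-show --rights is derived from that value). It assumes python-ldap provides ldap.controls.GetEffectiveRightsControl, LDAPObject.whoami_s() and sasl_gssapi_bind_s() (imported lazily, so the offline helpers run without it); the server URI and DNs in the comments are placeholders.

```python
"""Effective rights for the bound identity: whoami + Get Effective Rights.

Added example, not FreeIPA code. Assumes python-ldap for the live part
(imported inside effective_rights so the parsing helpers run without it).
"""

GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"  # Get Effective Rights request control

# Right letters 389-ds uses in attributeLevelRights and entryLevelRights.
ATTR_RIGHTS = {"r": "read", "s": "search", "w": "write", "o": "obliterate",
               "c": "compare", "W": "selfwrite", "O": "selfobliterate"}
ENTRY_RIGHTS = {"a": "add", "d": "delete", "n": "rename", "v": "view"}


def whoami_to_authzid(whoami_result):
    """Turn the string whoami_s() returns into the GER control's authzId.

    389-ds answers "dn: <bind DN>" for an authenticated bind and "" for an
    anonymous one; "u:<userid>" is the other RFC 4513 authzId form.
    Returns None for anonymous: there is no identity to report rights for.
    """
    if not whoami_result:
        return None
    if whoami_result.startswith("dn:"):
        dn = whoami_result[3:].strip()
        return "dn: " + dn if dn else None
    if whoami_result.startswith("u:"):
        return whoami_result.strip()
    raise ValueError("unrecognised authzId %r" % (whoami_result,))


def parse_attribute_level_rights(raw):
    """Parse a 389-ds attributeLevelRights value such as
    "cn:rsc, aci:, uid:rscwo" into {attribute: letters}.

    An attribute with no letters (aci, nsaccountlock in this bug's output)
    is one the bound identity may not even read.
    """
    rights = {}
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        attr, _, letters = item.partition(":")
        rights[attr.strip().lower()] = letters.strip()
    return rights


def describe(letters, table):
    """Expand a letter set such as "rsc" into right names; unknown letters kept."""
    return frozenset(table.get(ch, ch) for ch in letters)


def can_write(attr_rights, attr):
    """True if the bound identity may add values to attr ("w"): the check a
    self-service UI needs before offering an edit field for it."""
    return "w" in attr_rights.get(attr.lower(), "")


def effective_rights(conn, dn, attrs):
    """Read attrs of dn together with the caller's effective rights on it.

    Live part: needs a bound python-ldap connection. The authzId comes from
    whoami, not from a client-supplied principal, so the rights reported are
    those of the identity the server actually authenticated, AD users included.
    """
    import ldap
    from ldap.controls import GetEffectiveRightsControl

    authzid = whoami_to_authzid(conn.whoami_s())
    if authzid is None:
        raise PermissionError("anonymous connection: no identity to query")
    ctrl = GetEffectiveRightsControl(True, authzid.encode("utf-8"))
    wanted = list(attrs) + ["attributeLevelRights", "entryLevelRights"]
    res = conn.search_ext_s(dn, ldap.SCOPE_BASE, "(objectClass=*)",
                            attrlist=wanted, serverctrls=[ctrl])
    if not res:
        raise LookupError("no entry at %s visible to %s" % (dn, authzid))
    _, entry = res[0]
    alr = entry.get("attributeLevelRights", [b""])[0].decode("utf-8")
    elr = entry.get("entryLevelRights", [b""])[0].decode("utf-8")
    return entry, parse_attribute_level_rights(alr), describe(elr, ENTRY_RIGHTS)


if __name__ == "__main__":
    # Constructed attributeLevelRights value shaped like the one in this bug.
    sample = "cn:rsc, ipauserauthtype:rsc, nsaccountlock:, aci:, ipahomesrootdir:rsc"
    rights = parse_attribute_level_rights(sample)
    for attr in ("cn", "aci"):
        print(attr, sorted(describe(rights[attr], ATTR_RIGHTS)),
              "write:", can_write(rights, attr))
    # Live use after kinit (placeholder URI and DN):
    #   conn = ldap.initialize("ldap://ipa.example.test"); conn.sasl_gssapi_bind_s()
    #   entry, alr, elr = effective_rights(
    #       conn, "cn=ipaConfig,cn=etc,dc=example,dc=test", ["cn"])
```

The point worth keeping in mind when reusing this: the authzId handed to the control should always be the one the server reports for the connection. Deriving it client-side from a principal string is both what failed here for AD users and a way to ask the server about an identity other than the one that authenticated, which 389-ds only permits for identities granted that by ACI.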

Comment 6 Sudhir Menon 2017-05-26 09:38:40 UTC
Tested on RHEL7.4

ipa-server-4.5.0-13.el7.x86_64
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-6.el7.noarch
389-ds-base-1.3.6.1-15.el7.x86_64
sssd-1.15.2-35.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch

1. Establish trust with AD
2. Add override for trusted aduser to default trust view.
# ipa idoverrideuser-add "default trust view" aduser2
3. [root@autohv01 ~]# echo **** | kinit aduser2
Password for aduser2: 
[root@autohv01 ~]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser2                 KEYRING:persistent:0:krb_ccache_9Fc3Eqa

4. [root@autohv01 ~]# ipa config-show --rights --all
  dn: cn=ipaConfig,cn=etc,dc=testrelm,dc=test
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: 
  IPA CA servers: 
  IPA NTP servers: 
  attributelevelrights: {u'cn': u'rsc', u'ipauserauthtype': u'rsc', u'ipadefaultprimarygroup': u'rsc', u'ipapwdexpadvnotify': u'rsc', u'ipasearchtimelimit': u'rsc', u'ipacustomfields': u'rsc', u'ipasearchrecordslimit': u'rsc', u'nsaccountlock': u'', u'ipausersearchfields': u'rsc', u'ipadefaultloginshell': u'rsc', u'ipacertificatesubjectbase': u'rsc', u'ipadomainresolutionorder': u'rsc', u'ipaconfigstring': u'rsc', u'ipakrbauthzdata': u'rsc', u'ipauserobjectclasses': u'rsc', u'ipagroupsearchfields': u'rsc', u'ipadefaultemaildomain': u'rsc', u'ipagroupobjectclasses': u'rsc', u'ipamaxusernamelength': u'rsc', u'ipaselinuxusermapdefault': u'rsc', u'objectclass': u'rsc', u'aci': u'', u'ipahomesrootdir': u'rsc', u'ipamigrationenabled': u'rsc', u'ipaselinuxusermaporder': u'rsc'}
  cn: ipaConfig
  objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject, ipaUserAuthTypeClass, ipaNameResolutionData
[root@autohv01 ~]# ipa trust-find --all
---------------
1 trust matched
---------------
  dn: cn=pne.qe,cn=ad,cn=trusts,dc=testrelm,dc=test
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14,
                          S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  UPN suffixes: test.qa, pune.in
  ipantsecurityidentifier: S-1-5-21-1074789812-2998660393-2210475529-1003
  ipanttrustdirection: 1
  ipanttrustpartner: pne.qe
  objectclass: ipaNTTrustedDomain, ipaIDobject, top
----------------------------
Number of entries returned 1
----------------------------

Comment 7 errata-xmlrpc 2017-08-01 09:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304