Bug 1450125
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Wrong pam return code for user from subdomain with ad_access_filter | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Jaroslav Reznik <jreznik> |
| Component | sssd | Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA | QA Contact | shridhar <sgadekar> |
| Severity | urgent | Docs Contact | |
| Priority | urgent | | |
| Version | 7.3 | CC | grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sgoveas, sssd-maint, tscherf |
| Target Milestone | rc | Keywords | Regression, ZStream |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | sssd-1.14.0-43.el7_3.17 | Doc Type | If docs needed, set a value |
| Story Points | --- | | |
| Clone Of | 1434992 | Environment | |
| Last Closed | 2017-06-28 17:00:01 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1434992 | | |
| Bug Blocks | | | |

Doc Text:

On SSSD clients joined to an Active Directory (AD) domain whose configuration includes the ad_access_filter option in the /etc/sssd/sssd.conf file, authentication sometimes failed with an error such as this:

10 (User not known to the underlying authentication module)

The problem occurred in environments that use nested groups. This update fixes this bug.
Description
Jaroslav Reznik
2017-05-11 15:19:36 UTC
verified with

~]# rpm -q sssd
sssd-1.14.0-43.el7_3.18.x86_64

[root@hp-dl180g6-01 ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = sssdad.com

[domain/sssdad.com]
debug_level = 0x0180
id_provider = ad
use_fully_qualified_names = True
krb5_auth_timeout = 15
access_provider=ad
ad_access_filter=(cn=user1_dom1-1902875)

[root@hp-dl180g6-01 ~]# service sssd stop; rm -rf /var/lib/sss/db/* ; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service

[root@hp-dl180g6-01 ~]# id user1_dom1-1902875
uid=406926074(user1_dom1-1902875) gid=1239000513(domain users) groups=1239000513(domain users),406926075(group1_dom1-1902875)

[root@hp-dl180g6-01 ~]# id user1_dom3-1902875.com
uid=369612070(user1_dom3-1902875.com) gid=369612070(user1_dom3-1902875.com) groups=369612070(user1_dom3-1902875.com),369612073(group1_dom3-1902875.com),369600513(domain users.com)

[root@hp-dl180g6-01 ~]# id user1_dom2-1902875
uid=494810470(user1_dom2-1902875) gid=494810470(user1_dom2-1902875) groups=494810470(user1_dom2-1902875),494810471(group1_dom2-1902875),494800513(domain users),494810472(group2_dom2-1902875)

[root@hp-dl180g6-01 ~]# ssh -l user1_dom2-1902875 localhost
user1_dom2-1902875@sssdad_tree@localhost's password:
Connection closed by ::1

[root@hp-dl180g6-01 ~]# ssh -l user1_dom3-1902875.com localhost
user1_dom3-1902875@localhost's password:
Connection closed by ::1

[root@hp-dl180g6-01 ~]# ssh -l user1_dom1-1902875 localhost
user1_dom1-1902875@localhost's password:
Last login: Tue Jun 13 09:36:00 2017
-sh-4.2$ logout
Connection to localhost closed.

in /var/log/secure

Jun 13 09:46:44 hp-dl180g6-01 sshd[1397]: pam_sss(sshd:account): Access denied for user user1_dom2-1902875: 6 (Permission denied)
Jun 13 09:46:44 hp-dl180g6-01 sshd[1397]: Failed password for user1_dom2-1902875 from ::1 port 41556 ssh2
Jun 13 09:46:44 hp-dl180g6-01 sshd[1397]: fatal: Access denied for user user1_dom2-1902875 by PAM account configuration [preauth]
Jun 13 09:47:06 hp-dl180g6-01 sshd[1598]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1_dom3-1902875.com
Jun 13 09:47:06 hp-dl180g6-01 sshd[1598]: pam_sss(sshd:account): Access denied for user user1_dom3-1902875.com: 6 (Permission denied)
Jun 13 09:47:06 hp-dl180g6-01 sshd[1598]: Failed password for user1_dom3-1902875.com from ::1 port 41564 ssh2
Jun 13 09:47:06 hp-dl180g6-01 sshd[1598]: fatal: Access denied for user user1_dom3-1902875.com by PAM account configuration [preauth]
Jun 13 09:47:26 hp-dl180g6-01 sshd[1749]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1_dom1-1902875
Jun 13 09:47:26 hp-dl180g6-01 sshd[1749]: Accepted password for user1_dom1-1902875 from ::1 port 41572 ssh2
Jun 13 09:47:26 hp-dl180g6-01 sshd[1749]: pam_unix(sshd:session): session opened for user user1_dom1-1902875 by (uid=0)
Jun 13 09:47:27 hp-dl180g6-01 sshd[1801]: Received disconnect from ::1: 11: disconnected by user
Jun 13 09:47:27 hp-dl180g6-01 sshd[1749]: pam_unix(sshd:session): session closed for user user1_dom1-1902875

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1605
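The /var/log/secure lines in the verification show the outcome that the fix restores: users outside the ad_access_filter are denied in the account phase with PAM code 6 (Permission denied), whereas the regression produced code 10 (User not known to the underlying authentication module) for users that do exist in AD. As an added example, not from the bug report or the SSSD project, here is a small Python parser that pulls the pam_sss account-phase denials out of secure-log text and flags the ones returned with code 10, which for a known AD user points at a failed lookup rather than a policy decision. The sample log is constructed from the report's lines plus one constructed code-10 line; the function names and the constants are my own (the numeric values are the Linux-PAM return codes).

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/secure excerpt in the bug report.
# The final line (return code 10) is a constructed example of the regression
# symptom and does not appear in the verification transcript.
SAMPLE_SECURE_LOG = """\
Jun 13 09:46:44 hp-dl180g6-01 sshd[1397]: pam_sss(sshd:account): Access denied for user user1_dom2-1902875: 6 (Permission denied)
Jun 13 09:47:06 hp-dl180g6-01 sshd[1598]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1_dom3-1902875.com
Jun 13 09:47:06 hp-dl180g6-01 sshd[1598]: pam_sss(sshd:account): Access denied for user user1_dom3-1902875.com: 6 (Permission denied)
Jun 13 09:47:26 hp-dl180g6-01 sshd[1749]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=user1_dom1-1902875
Jun 13 09:47:26 hp-dl180g6-01 sshd[1749]: Accepted password for user1_dom1-1902875 from ::1 port 41572 ssh2
Jun 13 09:50:01 hp-dl180g6-01 sshd[1900]: pam_sss(sshd:account): Access denied for user user1_dom2-1902875: 10 (User not known to the underlying authentication module)
"""

# Matches the pam_sss account-phase denial format seen in the report:
#   pam_sss(<service>:account): Access denied for user <user>: <code> (<message>)
DENIED_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):account\): Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)

# Linux-PAM return codes that pam_sss reports in these messages.
PAM_PERM_DENIED = 6    # access provider (here ad_access_filter) said no: expected
PAM_USER_UNKNOWN = 10  # user lookup failed in the account phase: the regression symptom


def parse_denials(text):
    """Return one dict per pam_sss account-phase denial found in the log text."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            events.append({"service": m["service"], "user": m["user"],
                           "code": int(m["code"]), "msg": m["msg"]})
    return events


def classify(event):
    """Label a denial so policy denials can be separated from broken lookups."""
    if event["code"] == PAM_PERM_DENIED:
        return "policy-denied"
    if event["code"] == PAM_USER_UNKNOWN:
        return "user-unknown"
    return "other"


def summarize(text):
    """Count denials per class and list users denied with code 10.

    A code-10 denial for an account that `id` resolves is the signature of the
    wrong return code this bug describes, not of the access filter doing its job.
    """
    counts = Counter()
    suspect_users = []
    for ev in parse_denials(text):
        label = classify(ev)
        counts[label] += 1
        if label == "user-unknown":
            suspect_users.append(ev["user"])
    return dict(counts), suspect_users


if __name__ == "__main__":
    counts, suspects = summarize(SAMPLE_SECURE_LOG)
    print(counts)
    print("users denied with 'user not known':", suspects)
```

Run it against real input with `summarize(open("/var/log/secure").read())`; a non-empty suspect list for users that `id` still resolves is the condition worth alerting on, since those denials are lookup failures rather than ad_access_filter decisions.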