Bug 1473005
| Summary: | The originalMemberOf attribute disappears from the cache, causing intermittent HBAC issues | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Varun Mylaraiah <mvarun> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.8 | CC: | aship, atolani, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas, sssd-maint, sssd-qe, toneata, tscherf |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.13.3-57.el6_9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1438360 | Environment: | |
| Last Closed: | 2017-08-22 17:30:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1438360 | | |
| Bug Blocks: | | | |
Description
Oneata Mircea Teodor
2017-07-19 20:10:51 UTC
Verified sssd-1.13.3-57.el6_9.x86_64 ipa-client-3.0.0-51.el6.x86_64

Now the group is listed in the "originalMemberOf" attr

```
# id aduser1
uid=346211915(aduser1) gid=346211915(aduser1) groups=346211915(aduser1),346201110(adunigroup1),346201108(adgroup1),346201109(adgroup2),729800010(hbacgroup),346200513(domain users)

# ldbsearch -H /var/lib/sss/db/cache_ssh080817.test.ldb
asq: Unable to register control with rootdse!
# record 1
dn: name=aduser1,cn=users,cn=ipaad2012r2.test,cn=sysdb
createTimestamp: 1502268960
fullName: aduser1 ads
gecos: aduser1 ads
gidNumber: 346211915
homeDirectory: /home/ipaad2012r2.test/aduser1
name: aduser1
objectClass: user
uidNumber: 346211915
objectSIDString: S-1-5-21-547465014-1205121312-3291251547-11915
userPrincipalName: aduser1
adUserAccountControl: 512
originalDN: CN=aduser1 ads,CN=Users,DC=ipaad2012r2,DC=test
nameAlias: aduser1
adAccountExpires: 9223372036854775807
originalMemberOf: CN=adunigroup1,CN=Users,DC=ipaad2012r2,DC=test
originalMemberOf: CN=adgroup2,CN=Users,DC=ipaad2012r2,DC=test
originalMemberOf: CN=adgroup1,CN=Users,DC=ipaad2012r2,DC=test
originalMemberOf: cn=hbacgroup,cn=groups,cn=accounts,dc=ssh080817,dc=test
memberof: name=adunigroup1,cn=groups,cn=ipaad2012r2.test,cn=sysdb
memberof: name=adgroup1,cn=groups,cn=ipaad2012r2.test,cn=sysdb
memberof: name=adgroup2,cn=groups,cn=ipaad2012r2.test,cn=sysdb
memberof: name=hbacgroup,cn=groups,cn=ssh080817.test,cn=sysdb
memberof: name=domain users,cn=groups,cn=ipaad2012r2.test,cn=sysdb
initgrExpireTimestamp: 1502274375
lastUpdate: 1502268975
dataExpireTimestamp: 1502274375
distinguishedName: name=aduser1,cn=users,cn=ipaad2012r2.test,cn=sysdb
```

Additional info:

On Server side

Created an external IPA group

```
# ipa group-add --desc=0 hbacgroup_external --external
--------------------------------
Added group "hbacgroup_external"
--------------------------------
  Group name: hbacgroup_external
  Description: 0
```

Added an AD group into IPA group

```
# ipa group-add-member hbacgroup_external --external='adgroup1' --users='' --groups=''
  Group name: hbacgroup_external
  Description: 0
  External member: S-1-5-21-547465014-1205121312-3291251547-11915, S-1-5-21-547465014-1205121312-3291251547-1108
  Member of groups: hbacgroup
-------------------------
Number of members added 1
-------------------------
```

Then add the external IPA group into an IPA POSIX group

```
# ipa group-add --desc=0 hbacgroup
-----------------------
Added group "hbacgroup"
-----------------------
  Group name: hbacgroup
  Description: 0
  GID: 729800010

# ipa group-add-member hbacgroup --groups=hbacgroup_external
  Group name: hbacgroup
  Description: 0
  GID: 729800010
  Member groups: hbacgroup_external
-------------------------
Number of members added 1
-------------------------
```

Referencing the IPA POSIX group in an HBAC rule

```
# ipa hbacrule-add hbacrule --hostcat=all --servicecat=all
--------------------------
Added HBAC rule "hbacrule"
--------------------------
  Rule name: hbacrule
  Host category: all
  Service category: all
  Enabled: TRUE

# ipa hbacrule-add-user hbacrule --groups='hbacgroup'
  Rule name: hbacrule
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: hbacgroup
-------------------------
Number of members added 1
-------------------------
```

Then disable allow_all.

```
# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

# ipa hbacrule-find --all hbacrule
-------------------
1 HBAC rule matched
-------------------
  dn: ipaUniqueID=48e182bc-7ce0-11e7-836e-5254001e863c,cn=hbac,dc=ssh080817,dc=test
  Rule name: hbacrule
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: hbacgroup
  accessruletype: allow
  ipauniqueid: 48e182bc-7ce0-11e7-836e-5254001e863c
  objectclass: ipaassociation, ipahbacrule
----------------------------
Number of entries returned 1
----------------------------
```

ipa server version used ipa-server-4.5.0-21.el7_4.1.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2505
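The verification above establishes the fix by dumping the user record from the sssd cache with ldbsearch and confirming that the nested IPA group appears in `originalMemberOf`. Automating that check is slightly less trivial than a grep, because ldbsearch folds long values onto continuation lines (a line break followed by one space), which is why the `memberof` values in the dump appear split. The following is an added example, not code from the bug report or from the sssd project: it parses the LDIF-style output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb` for a user record, unfolds continuation lines, and reports whether a given group DN is present in `originalMemberOf`. The sample dump is constructed from the values in the report and trimmed to the relevant attributes; `hbac_dn`, `find_user` and the other names are this example's own.

```python
"""Check an sssd cache dump for a group's originalMemberOf entry.

Added example (not part of the bug report or of sssd). The cache dump
below is a constructed, trimmed user record in ldbsearch output form;
one long value is deliberately folded onto a continuation line, as
ldbsearch does, to show that a naive per-line grep would miss it.
"""
import re
from collections import defaultdict

SAMPLE_DUMP = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=aduser1,cn=users,cn=ipaad2012r2.test,cn=sysdb
name: aduser1
objectClass: user
originalMemberOf: CN=adgroup1,CN=Users,DC=ipaad2012r2,DC=test
originalMemberOf: cn=hbacgroup,cn=groups,cn=accounts,dc=ssh080817,dc=test
memberof: name=adgroup1,cn=groups,cn=ipaad2012r2.test,cn=s
 ysdb
memberof: name=hbacgroup,cn=groups,cn=ssh080817.test,cn=sysdb
initgrExpireTimestamp: 1502274375
"""


def parse_ldif_records(text):
    """Return a list of {attr: [values]} dicts, one per record.

    Attribute names are lower-cased because ldb attribute names are
    case-insensitive (the dump mixes originalMemberOf and memberof).
    A record starts at a 'dn:' line; comment lines and diagnostics
    printed before the first record (such as the asq: message) are skipped.
    """
    # Unfold: a newline followed by a single space continues the value.
    unfolded = re.sub(r"\r?\n ", "", text)
    records = []
    current = None
    for line in unfolded.splitlines():
        if not line.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        if attr.lower() == "dn":
            if current is not None:
                records.append(current)
            current = defaultdict(list)
        if current is None:
            continue  # text before the first dn: is not record data
        current[attr.lower()].append(value)
    if current is not None:
        records.append(current)
    return records


def dn_matches(dn_a, dn_b):
    """Compare DNs case-insensitively, ignoring whitespace around commas."""
    def norm(dn):
        return ",".join(part.strip() for part in dn.split(",")).lower()
    return norm(dn_a) == norm(dn_b)


def find_user(records, username):
    """Return the record whose 'name' attribute matches username, or None."""
    for rec in records:
        if username.lower() in (v.lower() for v in rec.get("name", [])):
            return rec
    return None


def group_in_original_memberof(text, username, group_dn):
    """True if the cached user record lists group_dn in originalMemberOf."""
    rec = find_user(parse_ldif_records(text), username)
    if rec is None:
        return False
    return any(dn_matches(v, group_dn) for v in rec.get("originalmemberof", []))


def memberof_values(text, username):
    """The unfolded memberof values of the cached user record."""
    rec = find_user(parse_ldif_records(text), username)
    return [] if rec is None else list(rec.get("memberof", []))


if __name__ == "__main__":
    # hbac_dn is the IPA POSIX group DN from the report's cache dump.
    hbac_dn = "cn=hbacgroup,cn=groups,cn=accounts,dc=ssh080817,dc=test"
    print("hbacgroup cached in originalMemberOf:",
          group_in_original_memberof(SAMPLE_DUMP, "aduser1", hbac_dn))
    for dn in memberof_values(SAMPLE_DUMP, "aduser1"):
        print("memberof:", dn)
```

On a real host, feed the function the output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb name=<user>` instead of the constructed sample; a result of False for a group that the HBAC rule depends on is exactly the cache state the report describes as causing intermittent HBAC denials.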