Bug 1685581

| Field | Value |
|---|---|
| Summary | Extend cached_auth_timeout to cover subdomains / trusts |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | James Hartsock <hartsjc> |
| Component | sssd |
| Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA |
| QA Contact | ipa-qe <ipa-qe> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 7.5 |
| CC | glamb, grajaiya, jhrozek, ksiddiqu, lslebodn, mzidek, pbrezina, sbose, sgoveas, tscherf |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | sssd-1.16.4-15.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1695581 (view as bug list) |
| Environment | |
| Last Closed | 2019-08-06 13:02:47 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1695581 |
Description

James Hartsock 2019-03-05 14:46:16 UTC

FYI, the option is only initialized from confdb_get_domain_internal() which is only called for domains from the [sssd] section's list. So we can do either of:

1) when logging a subdomain user, look at the parent domain's setting (inherit implicitly)
2) make it possible to inherit the option explicitly with subdomain_inherit like we do with e.g. ignore_group_members
3) extend the trusted domain configuration to read the option from the subdomain's configuration
4) a combination of 2 and 3

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3960

---

(In reply to Jakub Hrozek from comment #9)
> PR: https://pagure.io/SSSD/sssd/issue/3960

Sorry, this is the correct PR link: https://github.com/SSSD/sssd/pull/772

---

* master: fedfc4f
* sssd-1-16: fedfc4f

---

Jakub,

As per https://bugzilla.redhat.com/show_bug.cgi?id=1685581#c19 you said that pre-auth in PAM responder issue will be also handled in this bz but I see the PR still open and this bz is ON_QA.

Are we going to have https://github.com/SSSD/sssd/pull/804 part of this bz fix?

We have to verify this bz by 21st of May.

---

(In reply to Kaleem from comment #21)
> Jakub,
>
> As per https://bugzilla.redhat.com/show_bug.cgi?id=1685581#c19 you said that
> pre-auth in PAM responder issue will be also handled in this bz but i see
> the PR still open and this bz is ON_QA

OK, let me switch the bug to ASSIGNED

> Are we going to have https://github.com/SSSD/sssd/pull/804 part of this bz
> fix?

There were some issues raised during the code review which I still need to address, but the PR works, so I don't anticipate it would take too much time.

> We have to verify this bz by 21st of May

I'll try to respin the PR today so it can be merged by the end of the week.

---

Related commits that also fix PREAUTH caching:

* master: c911562
* sssd-1-16: 0a637ff

---

Verified.

```
rpm versions:
==============
[root@master ~]# rpm -q ipa-server sssd
ipa-server-4.6.5-8.el7.x86_64
sssd-1.16.4-16.el7.x86_64
[root@master ~]#

(1) cached_auth_timeout is honored by trusted domain as well

cached_auth_timeout is inheritable by ipa domain

[root@master ~]# ssh user1.test
Password:
Last login: Mon May 20 09:58:43 2019
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:31:46 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password:
Last login: Mon May 20 10:31:51 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:35:23 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]#

cached_auth_timeout is inheritable by trusted domain now as well

[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Last login: Mon May 20 10:23:45 2019 from localhost
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:37:13 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Last login: Mon May 20 10:37:18 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:39:25 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]#

(2) no log for pre-auth in case of cached_auth authentication

[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:47:43 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]#

May 20 10:47:17 master.sshtestks.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: REFERRAL: aduser1\@IPAAD2016.TEST for krbtgt/SSHTESTKS.TEST, Realm not local to KDC
May 20 10:47:17 master.sshtestks.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 master.sshtestks.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: REFERRAL: aduser1\@IPAAD2016.TEST for krbtgt/SSHTESTKS.TEST, Realm not local to KDC
May 20 10:47:21 master.sshtestks.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 master.sshtestks.test krb5kdc[13283](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: ISSUE: authtime 1558363641, etypes {rep=18 tkt=18 ses=18}, aduser1 for host/master.sshtestks.test
May 20 10:47:21 master.sshtestks.test krb5kdc[13283](info): closing down fd 13
^C
[root@master ~]#
```

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2177

---

Bugzilla not allowing solution links, so placing in comment.

https://access.redhat.com/solutions/4342151
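The code-path problem described in the first comment (the option is read only for domains listed in [sssd], so a trusted subdomain never gets it) and the three single options proposed there, modelled as an added example; this is not SSSD code and does not claim to reproduce which option the merged PR chose. The sssd.conf fragment, the lower-cased domain names taken from the verification log, the timeout values and the mode names are constructed for illustration.

```python
"""Model (added example, not SSSD code) of resolving cached_auth_timeout for a
trusted subdomain, covering the bug and options 1-3 from the report. Before
the fix the option was read only for domains listed in [sssd]."""
import configparser

# Constructed sssd.conf fragment; domain names and values are illustrative.
SAMPLE_CONF = """
[sssd]
domains = sshtestks.test

[domain/sshtestks.test]
cached_auth_timeout = 3600
subdomain_inherit = ignore_group_members, cached_auth_timeout

[domain/sshtestks.test/ipaad2016.test]
cached_auth_timeout = 600
"""

def load_conf(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def configured_domains(cp):
    """Domains that get their own [domain/NAME] section read at startup."""
    return [d.strip() for d in cp.get("sssd", "domains").split(",")]

def cached_auth_timeout(cp, domain, parent=None, mode="before"):
    """Effective cached_auth_timeout in seconds (0 = cached auth disabled).
    mode, for a subdomain only:
      'before'   original behaviour: the option is never read, stays 0
      'inherit'  option 1: implicitly take the parent domain's value
      'explicit' option 2: only if the parent lists it in subdomain_inherit
      'own'      option 3: read [domain/PARENT/SUB], else the parent's value"""
    if parent is None:
        return cp.getint(f"domain/{domain}", "cached_auth_timeout", fallback=0)
    if mode == "before":
        return 0
    own = f"domain/{parent}/{domain}"
    if mode == "own" and cp.has_option(own, "cached_auth_timeout"):
        return cp.getint(own, "cached_auth_timeout")
    parent_sec = f"domain/{parent}"
    if mode == "explicit":
        inherit = cp.get(parent_sec, "subdomain_inherit", fallback="")
        if "cached_auth_timeout" not in {s.strip() for s in inherit.split(",")}:
            return 0
    return cp.getint(parent_sec, "cached_auth_timeout", fallback=0)
```

A value of 0 for the subdomain is the pre-fix symptom from the report: every login of a trusted-domain user goes to the KDC even though the parent domain has caching enabled.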