Bug 1786341
| Field | Value |
|---|---|
| Summary | SSSD doesn't honour the customized ID view created in IPA |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Ming Davies <minyu> |
| Component | sssd |
| Assignee | Pavel Březina <pbrezina> |
| Status | CLOSED ERRATA |
| QA Contact | ipa-qe <ipa-qe> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.6 |
| CC | aheverle, amore, arajendr, atikhono, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sgoveas, ssidhaye, sssd-maint, striker, thalman, tscherf |
| Target Milestone | rc |
| Keywords | Triaged |
| Target Release | --- |
| Flags | striker: needinfo- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | sync-to-jira |
| Fixed In Version | sssd-1.16.5-2.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1826720 (view as bug list) |
| Environment | |
| Last Closed | 2020-09-29 19:49:11 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Any updates please?

Upstream ticket: https://pagure.io/SSSD/sssd/issue/4173

Upstream PR: https://github.com/SSSD/sssd/pull/1011

* `master`
    * 1b84c3a1f17f59e134bb882f0f15109d18599193 - sysdb: check if the id override belongs to requested domain
* `sssd-1-16`
    * a63e00fd3464524c012687c85cd67fa0468ba913 - sysdb: check if the id override belongs to requested domain

Verification Steps:

1. Establish AD trust with IPA
2. Create a customized ID view on the IPA server
3. Override the uid, gid and home directory for a trust AD user on the IPA
4. Stop the SSSD, clear the old SSSD cache and restart SSSD on an IPA client
5. su - aduser
6. sh script.sh
7. cat script.sh

```sh
x=1
while [ $x -le 15 ]
do
    pwd
    getent passwd 10001 | grep -w "aduser1"
    if [ $? -ne 0 ]; then
        echo "1786341 found at count $x"
        break
    fi
    x=$(( $x + 1 ))
    sleep 30
done
```

------------------------------------------------------------------
Reproduced Using:
ipa-server-4.6.4-10.el7_6.6.x86_64
sssd-1.16.2-13.el7_6.8.x86_64

Console Logs:

```
2020-06-08T07:12:09+0000 + ipa idoverrideuser-mod 'Madrid Trust View' aduser1 --uid=10001 --gid=10000 --homedir=/home/aduser1
2020-06-08T07:12:09+0000 ---------------------------------------------------
2020-06-08T07:12:09+0000 Modified an User ID override "aduser1"
2020-06-08T07:12:09+0000 ---------------------------------------------------
2020-06-08T07:12:09+0000   Anchor to override: aduser1
2020-06-08T07:12:09+0000   UID: 10001
2020-06-08T07:12:09+0000   GID: 10000
2020-06-08T07:12:09+0000   Home directory: /home/aduser1
```

On ipa-client
---------------------------------------------------------------------
```
#rm -rf /var/lib/sss/db/cache_ipa.test.ldb /var/lib/sss/db/ccache_IPA.TEST /var/lib/sss/db/config.ldb /var/lib/sss/db/sssd.ldb /var/lib/sss/db/timestamps_ipa.test.ldb /var/lib/sss/mc/group /var/lib/sss/mc/initgroups /var/lib/sss/mc/passwd
#su - aduser1 -c 'sh script.sh'
2020-06-08T07:12:13+0000 /home/aduser1
2020-06-08T07:12:13+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
...
...
2020-06-08T07:17:43+0000 /home/aduser1
2020-06-08T07:17:43+0000 1786341 found at count 12
```

Reproduced with 5 minutes

----------------------------------------------------------------------
Verified Using:
----------------------------------------------------------------------
sssd-1.16.5-10.el7.x86_64
ipa-server-4.6.8-4.el7.x86_64

```
2020-06-08T07:58:22+0000 /home/aduser1
2020-06-08T07:58:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T07:58:52+0000 /home/aduser1
2020-06-08T07:58:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T07:59:22+0000 /home/aduser1
2020-06-08T07:59:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T07:59:52+0000 /home/aduser1
2020-06-08T07:59:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:00:22+0000 /home/aduser1
2020-06-08T08:00:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:00:52+0000 /home/aduser1
2020-06-08T08:00:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:01:22+0000 /home/aduser1
2020-06-08T08:01:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:01:52+0000 /home/aduser1
2020-06-08T08:01:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:02:22+0000 /home/aduser1
2020-06-08T08:02:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:02:52+0000 /home/aduser1
2020-06-08T08:02:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:03:22+0000 /home/aduser1
2020-06-08T08:03:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:03:52+0000 /home/aduser1
2020-06-08T08:03:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:04:22+0000 /home/aduser1
2020-06-08T08:04:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:04:52+0000 /home/aduser1
2020-06-08T08:04:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:05:22+0000 /home/aduser1
2020-06-08T08:05:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
```

Not able to reproduce with 6 minutes. Based on this marking bz as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Description of problem:
SSSD doesn't honour the customized ID view created in IPA. The trust AD users lose their AD domains roughly 5 minutes later, which causes a problem with the sudo rule, as the sudo rule is defined for <ad accountname>@<AD domain>.

Version-Release number of selected component (if applicable):
sssd-1.16.4-21.el7_7.1.x86_64
sssd-client-1.16.4-21.el7_7.1.x86_64
sssd-ipa-1.16.4-21.el7_7.1.x86_64
sssd-ad-1.16.4-21.el7_7.1.x86_64

How reproducible:
The issue can easily be reproduced.

Steps to Reproduce:

1. Establish AD trust with IPA

2. Create a customized ID view on the IPA server

```
# ipa idview-show "Madrid Trust View" --all
  dn: cn=Madrid Trust View,cn=views,cn=accounts,dc=lx,dc=testdomain,dc=com
  ID View Name: Madrid Trust View
  User object overrides: bmorgan.com, cmorgan.com
  Hosts the view applies to: ipaclient.lx.testdomain.com
  objectclass: ipaIDView, top, nsContainer
```

3. Override the uid, gid and home directory for a trust AD user on the IPA server:

```
# ipa idoverrideuser-show "Madrid Trust View" "bmorgan.com" --all
  dn: ipaanchoruuid=:SID:S-1-5-21-2806753506-2769157711-2121680027-1108,cn=Madrid Trust View,cn=views,cn=accounts,dc=lx,dc=testdomain,dc=com
  Anchor to override: bmorgan.com
  UID: 10001
  GID: 10000
  Home directory: /home/bmorgan
  ipaoriginaluid: bmorgan.com
  objectclass: ipaOverrideAnchor, top, ipaUserOverride, ipasshuser, ipaSshGroupOfPubKeys
```

4. Stop the SSSD, clear the old SSSD cache and restart SSSD on an IPA client

```
# date; rm -rf /var/log/sssd/* /var/lib/sss/{mc,db}/*
Tue 24 Dec 11:27:51 GMT 2019
# date; systemctl start sssd
Tue 24 Dec 11:28:40 GMT 2019
```

5. As root on the IPA client:

```
# ldbsearch -H cache_lx.testdomain.com.ldb > /var/tmp/ldbsearch-before.txt
asq: Unable to register control with rootdse!
# ldbsearch -H timestamps_lx.testdomain.com.ldb > /var/tmp/ldbsearch-before-timestamp.txt
# date; sssctl user-checks bmorgan.com
Tue 24 Dec 11:30:54 GMT 2019
user: bmorgan.com
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: bmorgan.com
 - user id: 10001
 - group id: 10000
 - gecos: Beth Morgan
 - home directory: /home/bmorgan
 - shell:

SSSD InfoPipe user lookup result:
 - name: bmorgan.com
 - uidNumber: 10001
 - gidNumber: 10000
 - gecos: Beth Morgan
 - homeDirectory: /home/bmorgan
 - loginShell:

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -

# date; sssctl user-show bmorgan.com
Tue 24 Dec 11:31:02 GMT 2019
Name: bmorgan.com
Cache entry creation date: 12/24/19 11:28:45
Cache entry last update time: 12/24/19 11:30:54
Cache entry expiration time: 12/24/19 13:00:54
Initgroups expiration time: 12/24/19 13:00:54
Cached in InfoPipe: No
```

6. As the trusted AD user on the IPA client:

```
# su - bmorgan.com
Creating home directory for bmorgan.com.
Last login: Tue Dec 24 11:04:46 GMT 2019 on pts/1
-sh-4.2$ date; ls -al
Tue 24 Dec 11:29:05 GMT 2019
total 12
drwx------. 5 bmorgan.com adminfr 107 Dec 24 11:28 .
drwxr-xr-x. 4 root        root     33 Dec 24 11:28 ..
-rw-------. 1 bmorgan.com adminfr  18 Dec 24 11:28 .bash_logout
-rw-------. 1 bmorgan.com adminfr 193 Dec 24 11:28 .bash_profile
-rw-------. 1 bmorgan.com adminfr 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 bmorgan.com adminfr  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 bmorgan.com adminfr  18 Dec 24 11:28 .config
drwx------. 4 bmorgan.com adminfr  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; ls -an
Tue 24 Dec 11:29:21 GMT 2019
total 12
drwx------. 5 10001 10000 107 Dec 24 11:28 .
drwxr-xr-x. 4     0     0  33 Dec 24 11:28 ..
-rw-------. 1 10001 10000  18 Dec 24 11:28 .bash_logout
-rw-------. 1 10001 10000 193 Dec 24 11:28 .bash_profile
-rw-------. 1 10001 10000 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .config
drwx------. 4 10001 10000  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; getent passwd 10001
Tue 24 Dec 11:29:30 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
-sh-4.2$ date; id
Tue 24 Dec 11:29:43 GMT 2019
uid=10001(bmorgan.com) gid=10000(adminfr) groups=10000(adminfr),130800513(domain users.com),130801109(employees.com),926800005(madrid_admins),926800006(madrid_adminfr_internal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ date; sudo -ll
Tue 24 Dec 11:29:50 GMT 2019
[sudo] password for bmorgan.com:
Matching Defaults entries for bmorgan.com on ipa76client:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User bmorgan.com may run the following commands on ipaclient:

LDAP Role: madrid-sudorule
    RunAsUsers: root
    Commands:
        /usr/bin/less
        !/usr/bin/chcon
-sh-4.2$ date; strings /var/lib/sss/mc/passwd
Tue 24 Dec 11:30:03 GMT 2019
bmorgan.com <<<<<<<<<<<<<<<<<<<<<<
Beth Morgan
/home/bmorgan
-sh-4.2$ while true;
> do date; getent passwd 10001; sleep 30; done | tee -a /var/tmp/b.txt
Tue 24 Dec 11:30:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:30:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:31:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:31:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:32:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:32:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:53 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan: <<<<<<<<<<<<<<<<<<<<Roughly five minutes later>>>>>>>>>>>>>>>>>>>>>>>>
Tue 24 Dec 11:34:23 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:34:53 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:35:23 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
^C
-sh-4.2$ date; ls -al
Tue 24 Dec 11:35:47 GMT 2019
total 16
drwx------. 5 bmorgan adminfr 128 Dec 24 11:35 .
drwxr-xr-x. 4 root    root     33 Dec 24 11:28 ..
-rw-------. 1 bmorgan adminfr 207 Dec 24 11:35 .bash_history
-rw-------. 1 bmorgan adminfr  18 Dec 24 11:28 .bash_logout
-rw-------. 1 bmorgan adminfr 193 Dec 24 11:28 .bash_profile
-rw-------. 1 bmorgan adminfr 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 bmorgan adminfr  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 bmorgan adminfr  18 Dec 24 11:28 .config
drwx------. 4 bmorgan adminfr  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; ls -an
Tue 24 Dec 11:35:55 GMT 2019
total 16
drwx------. 5 10001 10000 128 Dec 24 11:35 .
drwxr-xr-x. 4     0     0  33 Dec 24 11:28 ..
-rw-------. 1 10001 10000 207 Dec 24 11:35 .bash_history
-rw-------. 1 10001 10000  18 Dec 24 11:28 .bash_logout
-rw-------. 1 10001 10000 193 Dec 24 11:28 .bash_profile
-rw-------. 1 10001 10000 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .config
drwx------. 4 10001 10000  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; getent passwd 10001
Tue 24 Dec 11:36:00 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
-sh-4.2$ date; id
Tue 24 Dec 11:36:05 GMT 2019
uid=10001(bmorgan) gid=10000(adminfr) groups=10000(adminfr),130800513(domain users.com),130801109(employees.com),926800005(madrid_admins),926800006(madrid_adminfr_internal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ date; sudo -ll
Tue 24 Dec 11:36:09 GMT 2019

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bmorgan:
Sorry, try again.
[sudo] password for bmorgan:
Sorry, try again.
[sudo] password for bmorgan:
sudo: 3 incorrect password attempts
-sh-4.2$ date; strings /var/lib/sss/mc/passwd
Tue 24 Dec 11:36:33 GMT 2019
bmorgan <<<<<<<<<<<<<<<<<<<<<<<
Beth Morgan
/home/bmorgan
```

One interesting point: running "id -a bmorgan.com" as ROOT seems to fix the issue temporarily.

Actual results:

Expected results:

Additional info:
No problem with the "Default trust view"
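The symptom in this report is that the client's NSS answer for uid 10001 silently changes from `bmorgan.com` to `bmorgan` while uid, gid and home stay as overridden, so a sudo rule written against the fully qualified name stops matching. The following is an added example, not code from the bug report, the reporter or SSSD: it parses `getent passwd` records, compares them with the override the ID view is supposed to deliver, and scans a `date; getent passwd UID` loop log (like the reporter's `/var/tmp/b.txt`) for the first record that drifted. The expected values mirror the "Madrid Trust View" override for `bmorgan.com` shown above; `SAMPLE_LOG` is constructed from the reporter's loop output; `check_live()` assumes `getent` is on `PATH`, and the function and class names are this example's own.

```python
"""Check whether an IPA client's NSS layer still returns the ID-view override.

Added example; not from bug 1786341, the reporter, or SSSD itself. Expected
values mirror the "Madrid Trust View" override for bmorgan.com in the report;
SAMPLE_LOG is constructed from the reporter's getent loop output.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswdEntry:
    """One passwd(5) record as printed by `getent passwd`."""
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass(frozen=True)
class ExpectedOverride:
    """What the ID view says the client must return for this user."""
    name: str   # the name the sudo rule is written against
    uid: int
    gid: int
    home: str


# A passwd record at the start of a line; the final \S* stops before any
# trailing annotation such as the reporter's "<<<< Roughly five minutes later".
PASSWD_RE = re.compile(r"^(\S+:[^:]*:\d+:\d+:[^:]*:[^:]*:\S*)")
# `date` output in the default locale, e.g. "Tue 24 Dec 11:33:53 GMT 2019".
DATE_RE = re.compile(r"^\w{3} \d{1,2} \w{3} \d{2}:\d{2}:\d{2} \w+ \d{4}$")


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one colon-separated passwd line; raises ValueError if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, _password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, int(uid), int(gid), gecos, home, shell)


def override_drift(entry: PasswdEntry, expected: ExpectedOverride) -> List[str]:
    """Return every way the NSS answer differs from the override (empty = OK)."""
    problems = []
    if entry.name != expected.name:
        problems.append(f"name {entry.name!r} != {expected.name!r}")
    if entry.uid != expected.uid:
        problems.append(f"uid {entry.uid} != {expected.uid}")
    if entry.gid != expected.gid:
        problems.append(f"gid {entry.gid} != {expected.gid}")
    if entry.home != expected.home:
        problems.append(f"home {entry.home!r} != {expected.home!r}")
    return problems


def first_drift_in_log(log_text: str, expected: ExpectedOverride
                       ) -> Optional[Tuple[Optional[str], List[str]]]:
    """Walk a `date; getent passwd UID` loop log and return (timestamp, problems)
    for the first record that no longer matches the override, or None."""
    stamp: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DATE_RE.match(line):
            stamp = line          # timestamp printed just before the record
            continue
        m = PASSWD_RE.match(line)
        if m is None:
            continue              # shell prompt, ^C, or other noise
        problems = override_drift(parse_passwd_line(m.group(1)), expected)
        if problems:
            return stamp, problems
    return None


def check_live(expected: ExpectedOverride) -> List[str]:
    """Query the running client (assumes `getent` on PATH) and report drift."""
    out = subprocess.run(["getent", "passwd", str(expected.uid)],
                         capture_output=True, text=True, check=False).stdout
    if not out.strip():
        return [f"no passwd entry returned for uid {expected.uid}"]
    return override_drift(parse_passwd_line(out.strip().splitlines()[0]), expected)


EXPECTED = ExpectedOverride("bmorgan.com", 10001, 10000, "/home/bmorgan")

# Constructed log mirroring the report: the name loses its domain suffix after
# roughly five minutes while uid/gid/home stay as overridden.
SAMPLE_LOG = """\
Tue 24 Dec 11:33:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:53 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan: <<<<<<<<<< Roughly five minutes later >>>>>>>>>>
Tue 24 Dec 11:34:23 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
^C
"""

if __name__ == "__main__":
    hit = first_drift_in_log(SAMPLE_LOG, EXPECTED)
    print("sample log:", "no drift" if hit is None else f"drift at {hit[0]}: {hit[1]}")
```

Run against the constructed log this reports the 11:33:53 record, whose only mismatch is the name; the same check against a live client (`check_live(EXPECTED)`) returns an empty list while the override is honoured, so it can sit in a periodic job on hosts that an ID view applies to.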