Bug 1853703
Summary: | Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Akshay Sakure <asakure> |
Component: | sssd | Assignee: | Sumit Bose <sbose> |
Status: | CLOSED ERRATA | QA Contact: | Madhuri <mupadhye> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.8 | CC: | atikhono, dlavu, grajaiya, jhrozek, jreznik, lslebodn, mzidek, pbrezina, peter.vreman, sbose, sgoveas, thalman, tscherf |
Target Milestone: | rc | Keywords: | Triaged, ZStream |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | sync-to-jira review qetodo | | |
Fixed In Version: | sssd-1.16.5-10.el7_9.6 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-12-15 11:22:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Akshay Sakure
2020-07-03 15:10:29 UTC
Hi,

I do not see a reason for this RFE. If a short name, i.e. without a '@domain.name' part, is given with the 'filter_users' option this name should be filtered for all domains and sub-domains when given in the [nss] section and for the given domain and all its sub-domains when given in the [domain/...] section. I agree that the sssd.conf man page can be more specific about this.

If there is an issue with this behavior, please add logs with 'debug_level = 9' in the [nss] and [domain/...] sections which cover a 'getent passwd username' lookup for the name which is expected to be filtered out.

bye,
Sumit

Bose,

Instead of a RFE it is then a Bug.
See the attached case for the discussion and sssd logs that shows that the filter_users in the [domain/...] section only adds the name to the negative cache for the domain itself and not for the subdomains.

Peter

(In reply to Peter Vreman from comment #5)
> Bose,
>
> Instead of a RFE it is then a Bug.
> See the attached case for the discussion and sssd logs that shows that the
> filter_users in the [domain/...] section only adds the name to the negative
> cache for the domain itself and not for the subdomains.

Hi,

if you are referring to your comment from "Tue, May 26, 2020, 1:00:08 PM GMT+2" this might be expected as long as the other domains are not discovered by the client. That's why it is important for me to see at least the full nss and domain logs with debug_level=9 to understand why the filtering does not work as expected. Would it be possible to add the logs I asked for in comment #4 to the case together with sssd.conf? I tried to reproduce the issue with a sssd.conf very similar to yours but so far the filtering was working as expected with short names in the 'filter_users' option in the [domain/...] section.

bye,
Sumit

>
> Peter

Sumit, I have updated the case with the configuration used and a tarball with all sssd logs at debug_level 9.

Although this BZ was originally created for RHEL7, with the lifecycle status of RHEL7 I executed the reproducer on RHEL8 and gathered the logs on a RHEL8.2 server to make sure I had the latest sssd running and the behaviour was not changed yet in RHEL8.

JFTR: there is another open BZ wrt weird behaviour of negative cache for sub-domain: bz 1828483 (sorry I didn't yet check if this is the same, merely a note to not miss this)

(In reply to Peter Vreman from comment #7)
> Sumit, I have updated the case with the configuration used and a tarball
> with all sssd logs at debug_level 9.
>
> Although this BZ was originally created for RHEL7, with the lifecycle
> status of RHEL7 I executed the reproducer on RHEL8 and gathered the logs on
> a RHEL8.2 server to make sure I had the latest sssd running and the behaviour
> was not changed yet in RHEL8.

Hi,

thanks for sssd.conf and the logs. It looks like if 'filter_users' is used in the [nss] and [domain/...] section the two options are not merged together properly. I wonder if you can check if it works better if you remove/comment-out 'filter_users' in the [nss] section?

bye,
Sumit

Hi,

I have opened https://github.com/SSSD/sssd/issues/5238 to track the fixes for the observed issues.

bye,
Sumit

Setting needinfo based on the comment 9

The requested test of using filter_users only in [domain/...] executed. Updated conf and logs with debug_level=9 were provided in the attached case.

Summary of test result: With the filter_users=heat only in [domain/...] the filter_users is applied to all domains, including the files domain that should not be part of the filtering.

Upstream PR: https://github.com/SSSD/sssd/pull/5361

Pushed PR: https://github.com/SSSD/sssd/pull/5361

* `master`
    * fa4b46e7de7297da3c0e37913eab8cba7f103629 - negcache: do not use default_domain_suffix
    * 0dc81a52e2836010974e9f71b1f3e47c20fd498d - negcache: make sure short names are added to sub-domains
    * 385af99ff4d5a75d0c1edc9ad830da3eb7478295 - utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
    * 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe - negcache: make sure domain config does not leak into global
* `sssd-1-16`
    * 56d509ad3001101f04c4af050c3da7472032e4cb - negcache: do not use default_domain_suffix
    * c3207deee7411456827e69d0b72d7d44e7458853 - negcache: make sure short names are added to sub-domains
    * ea32d0eb61336858aa23697b4e91d420481fc3e2 - utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
    * 96bdcbb4441ddf05c065bbafa88e5691300424d1 - negcache: make sure domain config does not leak into global

Reproduce with: sssd-1.16.5-10.el7_9.5.x86_64

Reproduction steps:

1) Create AD forest and add the corresponding user in each domain

2) Add filter_users/filter_groups in root domain with added user or group (filter_users = child_user1); also add filter_users/filter_groups in [nss] section with non-existing users/groups

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = t3for12r79.com

[domain/t3for12r79.com]
id_provider = ad
ad_domain = t3for12r79.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
krb5_auth_timeout = 15
debug_level = 9
filter_users = child_user1

[nss]
debug_level = 9
filter_users = abc
```

3) check user/group lookup

```console
[root@client1 ~]# getent passwd child_user1.com
child_user1.com:*:954201113:954201113:child_user1:/home/t3cfor12r79.t3for12r79.com/child_user1:/bin/bash
```

with

```console
[root@client1 ~]# cat /etc/sssd/sssd.conf | grep filter
filter_groups = child_nested_group2
filter_groups = xyz
[root@client1 ~]# getent group child_nested_group2.com
child_nested_group2.com:*:954201120:tree_user1,user1
```

4) update the sssd with the latest version: from yum.log,

```text
Dec 04 11:02:31 Updated: libsss_idmap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: python-sssdconfig-1.16.5-10.el7_9.6.noarch
Dec 04 11:02:31 Updated: libsss_nss_idmap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-client-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libsss_sudo-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libipa_hbac-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libsss_autofs-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-common-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-krb5-common-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-common-pac-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ad-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ipa-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-krb5-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ldap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: python-sss-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-proxy-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-dbus-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: libsss_simpleifp-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: sssd-tools-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: sssd-1.16.5-10.el7_9.6.x86_64
```

5) check user and group lookup again,

```console
[root@client1 ~]# getent group child_nested_group2.com
[root@client1 ~]# getent passwd child_user1.com
```

User and group lookup is not successful, thus marking this bug to verify.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5459
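The scoping rule Sumit Bose states in the thread (a short name in [nss] filter_users is filtered in every domain and sub-domain; a short name in [domain/X] only in X and its sub-domains, so it must not reach the files domain) as an added, runnable model. This is example code, not SSSD's own: it reuses the two filter_users lines of the reproduction config, constructs a domain tree whose child domain is taken from the getent home directory and whose `implicit_files` entry is a placeholder name for the files domain, and assumes that a domain-qualified entry (user@domain) applies only to the named domain.

```python
import configparser

# Constructed sssd.conf, cut down to the two filter_users lines of the bug.
SSSD_CONF = """
[domain/t3for12r79.com]
filter_users = child_user1
[nss]
filter_users = abc
"""
# Constructed domain tree {domain: parent}: the child domain is the %d part of
# the getent home dir; implicit_files is a placeholder for the files domain.
DOMAIN_TREE = {
    "t3for12r79.com": None,
    "t3cfor12r79.t3for12r79.com": "t3for12r79.com",
    "implicit_files": None,
}

def is_within(dom, root, tree):
    """True if dom is root itself or a (transitive) sub-domain of root."""
    while dom is not None:
        if dom == root:
            return True
        dom = tree[dom]
    return False

def add_entry(result, name, scope):
    """Short names reach every domain in scope; user@domain is pinned to that
    single domain (assumption about qualified entries)."""
    if "@" in name:
        user, _, dom = name.rpartition("@")
        if dom in result:
            result[dom].add(user)
    else:
        for dom in scope:
            result[dom].add(name)

def effective_filters(conf_text, tree):
    """Return {domain: set of filtered user names} for a sssd.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    result = {dom: set() for dom in tree}
    for section in cp.sections():
        if section == "nss":                    # global: every domain
            scope = list(tree)
        elif section.startswith("domain/"):     # that domain + sub-domains
            scope = [d for d in tree if is_within(d, section[7:], tree)]
        else:
            continue
        for name in filter(None, map(str.strip, cp.get(section, "filter_users", fallback="").split(","))):
            add_entry(result, name, scope)
    return result
```

With the bug's config, `child_user1` lands on the root domain and its child but not on `implicit_files`, while `abc` from [nss] lands everywhere; the pre-fix behaviour described in the thread (the domain entry leaking into all domains, or not reaching the sub-domain) would show up as a different per-domain set.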