Bug 1853703

Summary: Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7
Reporter: Akshay Sakure <asakure>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: Madhuri <mupadhye>
Severity: medium
Priority: unspecified
Version: 7.8
CC: atikhono, dlavu, grajaiya, jhrozek, jreznik, lslebodn, mzidek, pbrezina, peter.vreman, sbose, sgoveas, thalman, tscherf
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: sync-to-jira review qetodo
Fixed In Version: sssd-1.16.5-10.el7_9.6
Doc Type: If docs needed, set a value
Last Closed: 2020-12-15 11:22:17 UTC
Type: Bug

Description Akshay Sakure 2020-07-03 15:10:29 UTC
Description of problem:
Add a new option 'filter_subdomains = Yes/No' that can be set to apply the user filter list also to all subdomains handled by this domain section.
Default is 'No' to keep it backwards compatible.

Version-Release number of selected component (if applicable):
sssd

Comment 4 Sumit Bose 2020-07-06 08:42:28 UTC
Hi,

I do not see a reason for this RFE. If a short name, i.e. without a '@domain.name' part, is given with the 'filter_users' option, this name should be filtered for all domains and sub-domains when given in the [nss] section, and for the given domain and all its sub-domains when given in the [domain/...] section. I agree that the sssd.conf man page can be more specific about this.

If there is an issue with this behavior, please add logs with 'debug_level = 9' in the [nss] and [domain/...] sections which cover a 'getent passwd username' lookup for the name which is expected to be filtered out.

bye,
Sumit

Comment 5 Peter Vreman 2020-07-06 11:55:06 UTC
Bose,

Instead of an RFE it is then a bug.
See the attached case for the discussion and sssd logs that show that the filter_users in the [domain/...] section only adds the name to the negative cache for the domain itself and not for the subdomains.

Peter

Comment 6 Sumit Bose 2020-07-06 15:59:52 UTC
(In reply to Peter Vreman from comment #5)
> Bose,
> 
> Instead of an RFE it is then a bug.
> See the attached case for the discussion and sssd logs that show that the
> filter_users in the [domain/...] section only adds the name to the negative
> cache for the domain itself and not for the subdomains.

Hi,

if you are referring to your comment from "Tue, May 26, 2020, 1:00:08 PM GMT+2", this might be expected as long as the other domains are not discovered by the client. That's why it is important for me to see at least the full nss and domain logs with debug_level=9 to understand why the filtering does not work as expected. Would it be possible to add the logs I asked for in comment #4 to the case, together with sssd.conf?

I tried to reproduce the issue with an sssd.conf very similar to yours, but so far the filtering was working as expected with short names in the 'filter_users' option in the [domain/...] section.

bye,
Sumit

> 
> Peter

Comment 7 Peter Vreman 2020-07-06 16:25:28 UTC
Sumit, I have updated the case with the configuration used and a tarball with all sssd logs at debug_level 9.

Although this BZ was originally created for RHEL7, given the lifecycle status of RHEL7 I executed the reproducer on RHEL8 and gathered the logs on a RHEL8.2 server to make sure I had the latest sssd running and that the behaviour was not changed yet in RHEL8.

Comment 8 Alexey Tikhonov 2020-07-07 09:43:14 UTC
JFTR: there is another open BZ wrt weird behaviour of the negative cache for sub-domains: bz 1828483

(sorry I didn't yet check if this is the same, merely a note to not miss this)

Comment 9 Sumit Bose 2020-07-07 18:36:50 UTC
(In reply to Peter Vreman from comment #7)
> Sumit, I have updated the case with the configuration used and a tarball
> with all sssd logs at debug_level 9.
> 
> Although this BZ was originally created for RHEL7, given the lifecycle
> status of RHEL7 I executed the reproducer on RHEL8 and gathered the logs on
> a RHEL8.2 server to make sure I had the latest sssd running and that the
> behaviour was not changed yet in RHEL8.

Hi,

thanks for the sssd.conf and the logs. It looks like if 'filter_users' is used in both the [nss] and [domain/...] sections, the options are not merged together properly. I wonder if you can check if it works better if you remove/comment out 'filter_users' in the [nss] section?

bye,
Sumit

Comment 10 Sumit Bose 2020-07-08 13:02:37 UTC
Hi,

I have opened https://github.com/SSSD/sssd/issues/5238 to track the fixes for the observed issues.

bye,
Sumit

Comment 11 Alexey Tikhonov 2020-07-09 09:06:03 UTC
Setting needinfo based on comment 9.

Comment 12 Peter Vreman 2020-07-10 12:50:20 UTC
The requested test of using filter_users only in [domain/...] was executed. The updated conf and logs with debug_level=9 were provided in the attached case.

Summary of the test result: with filter_users=heat only in [domain/...], the filter_users is applied to all domains, including the files domain, which should not be part of the filtering.

Comment 16 Alexey Tikhonov 2020-10-12 18:27:50 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/5361

Comment 18 Pavel Březina 2020-11-12 10:23:15 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5361

* `master`
    * fa4b46e7de7297da3c0e37913eab8cba7f103629 - negcache: do not use default_domain_suffix
    * 0dc81a52e2836010974e9f71b1f3e47c20fd498d - negcache: make sure short names are added to sub-domains
    * 385af99ff4d5a75d0c1edc9ad830da3eb7478295 - utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
    * 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe - negcache: make sure domain config does not leak into global
* `sssd-1-16`
    * 56d509ad3001101f04c4af050c3da7472032e4cb - negcache: do not use default_domain_suffix
    * c3207deee7411456827e69d0b72d7d44e7458853 - negcache: make sure short names are added to sub-domains
    * ea32d0eb61336858aa23697b4e91d420481fc3e2 - utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
    * 96bdcbb4441ddf05c065bbafa88e5691300424d1 - negcache: make sure domain config does not leak into global

Comment 23 Madhuri 2020-12-04 16:31:38 UTC
Reproduced with:

sssd-1.16.5-10.el7_9.5.x86_64 

Reproduction steps:
1) Create an AD forest and add the corresponding user in each domain.

2) Add filter_users/filter_groups in the root domain section with the added user or group,
and also add filter_users/filter_groups in the [nss] section with
non-existing users/groups (filter_users = child_user1 in the domain section, filter_users = abc in [nss]):

[sssd]
config_file_version = 2
services = nss, pam
domains = t3for12r79.com

[domain/t3for12r79.com]
id_provider = ad
ad_domain = t3for12r79.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
krb5_auth_timeout = 15
debug_level = 9
filter_users =  child_user1

[nss]
debug_level = 9
filter_users =  abc


3) Check user/group lookup:

[root@client1 ~]# getent passwd child_user1.com
child_user1.com:*:954201113:954201113:child_user1:/home/t3cfor12r79.t3for12r79.com/child_user1:/bin/bash


and with groups:
[root@client1 ~]# cat /etc/sssd/sssd.conf | grep filter
filter_groups =  child_nested_group2
filter_groups =  xyz

[root@client1 ~]# getent group child_nested_group2.com
child_nested_group2.com:*:954201120:tree_user1,user1


4) Update sssd to the latest version. From yum.log:

Dec 04 11:02:31 Updated: libsss_idmap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: python-sssdconfig-1.16.5-10.el7_9.6.noarch
Dec 04 11:02:31 Updated: libsss_nss_idmap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-client-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libsss_sudo-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libipa_hbac-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libsss_autofs-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-common-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-krb5-common-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-common-pac-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ad-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ipa-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-krb5-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ldap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: python-sss-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-proxy-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-dbus-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: libsss_simpleifp-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: sssd-tools-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: sssd-1.16.5-10.el7_9.6.x86_64


5) Check user and group lookup again:

[root@client1 ~]# getent group child_nested_group2.com

[root@client1 ~]# getent passwd child_user1.com

User and group lookups are no longer successful,
thus marking this bug as verified.
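To make the expected semantics from comment 4 concrete against a configuration like the one in comment 23, here is an added example (not part of the bug report or of sssd itself) that parses a constructed sssd.conf fragment and decides whether a name would be filtered for a given lookup domain: a short name in [nss] applies to every domain, a short name in [domain/X] applies to X and all its subdomains, and a qualified 'name@dom' entry applies only to that exact domain. It also covers the failure from comment 12 by not applying a [domain/X] entry to an unrelated domain.

```python
import configparser

# Constructed sssd.conf fragment modelled on the one in comment 23 (not the reporter's file).
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = t3for12r79.com

[domain/t3for12r79.com]
id_provider = ad
filter_users = child_user1, svc@t3for12r79.com
filter_groups = child_nested_group2

[nss]
filter_users = abc
filter_groups = xyz
"""

FILTER_KEYS = ("filter_users", "filter_groups")


def parse_filters(conf_text):
    """Collect filter_users/filter_groups sets from [nss] and every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)

    def section_filters(section):
        return {key: {n.strip() for n in cp.get(section, key, fallback="").split(",") if n.strip()}
                for key in FILTER_KEYS}

    return {"nss": section_filters("nss"),
            "domains": {s[len("domain/"):]: section_filters(s)
                        for s in cp.sections() if s.startswith("domain/")}}


def is_filtered(filters, kind, short_name, lookup_domain):
    """Expected (post-fix) behaviour: return True if short_name in lookup_domain is filtered."""
    def applies(entry, scope_domain):
        e_name, _, e_dom = entry.partition("@")
        if e_name != short_name:
            return False
        if e_dom:                       # qualified entry: exact domain only
            return e_dom == lookup_domain
        if scope_domain is None:        # [nss] short name: all domains
            return True
        # [domain/X] short name: X itself and any subdomain of X, nothing else
        return lookup_domain == scope_domain or lookup_domain.endswith("." + scope_domain)

    if any(applies(e, None) for e in filters["nss"][kind]):
        return True
    return any(applies(e, dom) for dom, f in filters["domains"].items() for e in f[kind])
```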

Comment 27 errata-xmlrpc 2020-12-15 11:22:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5459