Bug 1874015
| Summary: | ipa hbacrule-add-service --hbacsvcs=sshd is not applied successfully for subdomain | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | anuja <amore> |
| Component: | slapi-nis | Assignee: | Alexander Bokovoy <abokovoy> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 8.3 | CC: | abokovoy, grajaiya, jhrozek, ksiddiqu, lmiksik, lslebodn, mzidek, pbrezina, pcech, rcritten, sbose, tbordaz, tscherf |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | slapi-nis-0.56.5-4 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 02:51:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I did initial investigation using the systems provided by Anuja and it looks like a bug in SSSD. After restarting SSSD on IPA master, a request to resolve group membership for aduser1.test returns 'hbacgroup' group and HBAC rules match on the client. Prior to that, SSSD on IPA master complains that it is in offline mode. Anuja, please provide all the logs from both systems. Hi, please add directory server logs from the same time as well. The offline mode was cause by a timeout in a ldapsearch operation at 2020-08-31 5:34:24 which timed out after 6s and a timeout inthe following rebind at 2020-08-31 5:34:30 times out after 8s. bye, Sumit PR: https://pagure.io/slapi-nis/pull-request/40 Thierry, please review. It works for me with the reproducer in description. Even though I see messages about sssd being offline while resolving hbacgroup, they eventually stop and sssd is able to process the request and then authorize AD user. (2020-09-12 9:17:21): [be[ipa.test]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [hbacgroup] to rule [hbacrule_05] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [hbacrule_05] (2020-09-12 9:17:21): [be[ipa.test]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping (2020-09-12 9:17:21): [be[ipa.test]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [hbacrule_05] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [hbacrule_05] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_get_category] (0x0200): Category is set to 'all'. (2020-09-12 9:17:21): [be[ipa.test]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [hbacrule_05] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL (2020-09-12 9:17:21): [be[ipa.test]] [sss_domain_get_state] (0x1000): Domain ipa.test is Active (2020-09-12 9:17:21): [be[ipa.test]] [sss_domain_get_state] (0x1000): Domain win2016.test is Active (2020-09-12 9:17:21): [be[ipa.test]] [sss_domain_get_state] (0x1000): Domain sub1.win2016.test is Active (2020-09-12 9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x1000): [4] groups for [Administrator.test] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=S-1-5-21-2877222182-2128305802-2069601073-512.test,cn=groups,cn=sub1.win2016.test,cn=sysdb (2020-09-12 9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=S-1-5-21-2877222182-2128305802-2069601073-513.test,cn=groups,cn=sub1.win2016.test,cn=sysdb (2020-09-12 9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=S-1-5-21-2877222182-2128305802-2069601073-520.test,cn=groups,cn=sub1.win2016.test,cn=sysdb (2020-09-12 9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x1000): Added group [hbacgroup] for user [Administrator] (2020-09-12 9:17:21): [be[ipa.test]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping (2020-09-12 9:17:21): [be[ipa.test]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping (2020-09-12 9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): [< hbac_evaluate() (2020-09-12 9:17:21): [be[ipa.test]] [hbac_req_debug_print] (0x2000): REQUEST: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): service [sshd] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): service_group (none) (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): user [Administrator] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): user_group: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): [hbacgroup] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): targethost [master.ipa.test] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): targethost_group: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): [ipaservers] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): srchost [10.0.155.22] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000): srchost_group (none) (2020-09-12 9:17:21): [be[ipa.test]] [hbac_req_debug_print] (0x2000): request time 2020-09-12 09:17:21 (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): RULE [allow_systemd-user] [ENABLED]: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): services: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): services_names: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): [systemd-user] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): services_groups (none) (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): users: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): targethosts: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): srchosts: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): The rule [allow_systemd-user] did not match. (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): RULE [hbacrule_05] [ENABLED]: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): services: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): services_names: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): [sshd] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): services_groups (none) (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): users: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): category [0] [NONE] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): users_names (none) (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): users_groups: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): [hbacgroup] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): targethosts: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000): srchosts: (2020-09-12 9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000): category [0x1] [ALL] (2020-09-12 9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): ALLOWED by rule [hbacrule_05]. (2020-09-12 9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): hbac_evaluate() >] (2020-09-12 9:17:21): [be[ipa.test]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [hbacrule_05] Green upstream CI run: https://dev.azure.com/abbra1freeipa/slapi-nis/_build/results?buildId=484&view=results Merged upstream. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4670 |
Description of problem: ipa hbacrule-add-service --hbacsvcs=sshd is not applied successfully. Version-Release number of selected component (if applicable): ipa-server-4.8.7-10.module+el8.3.0+7702+ced5f219.x86_64 sssd-ipa-2.3.0-8.el8.x86_64 How reproducible: Always Steps to Reproduce: Establish trust with : ipa trust-add ad2016.test --admin --range-type=ipa-ad-trust --password --two-way=True Then : ipa group-add --desc=0 hbacgroup_external --external ipa group-add --desc=0 hbacgroup ipa group-add-member hbacgroup --groups=hbacgroup_external ipa group-add-member hbacgroup_external --external='aduser1.test' --users='' --groups='' service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start ipa hbacrule-add hbacrule_05 --hostcat=all ipa hbacrule-add-service hbacrule_05 --hbacsvcs=sshd ipa hbacrule-add-user hbacrule_05 --groups=hbacgroup ipa hbacrule-disable allow_all On client : 1. ssh -l "aduser1.test" client.ipa.test "echo 'login successful'" Actual results: [root@client ~]# ssh -l "aduser1.test" client.ipa.test "echo 'login successful'" Password: Connection closed by UNKNOWN port 65535 Expected results: ssh login should be successful. Or hbacrule should be applied successfully.