Bug 2029419

Summary: 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
Product: Red Hat Enterprise Linux 9
Reporter: Alexey Tikhonov <atikhono>
Component: sssd
Assignee: jstephen
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sgoveas, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.6.1-1.el9
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-05-17 16:00:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Alexey Tikhonov 2021-12-06 13:12:48 UTC
This bug was initially created as a copy of Bug #1968340

I am copying this bug because: to track fix for RHEL9



Description of problem:
'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected 


Version-Release number of selected component (if applicable):
rhel-system-roles-1.0.1-1.el8.noarch
tlog-9-2.el8.x86_64
sssd-2.4.0-9.el8.x86_64


How reproducible:
Always


Steps to Reproduce:
1. Configure session recording in RHEL 8.4 as per https://access.redhat.com/solutions/4068941
2. Confirm if sessions are correctly being logged by tlog as expected. 
3. Configure /etc/sssd/conf.d/sssd-session-recording.conf file to exclude members of an AD group from being recorded by tlog.
---
[session_recording]
scope=all
exclude_groups=adgroup
---
4. Check again if sessions for the members of excluded AD group are recorded or not.


Actual results:
Sessions for members of the excluded AD group are recorded by tlog.


Expected results:
Session recording for members of excluded AD group should be skipped by tlog.

Additional info:
exclude_groups support was added in sssd as part of BZ https://bugzilla.redhat.com/show_bug.cgi?id=1895472 with ERRATA https://bugzilla.redhat.com/show_bug.cgi?id=1895472
rhel-system-roles-1.0.1-1.el8.noarch.rpm
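
A check for steps 2 and 4 of the reproduction, as an added example that is not part of the bug report or of SSSD: it reads `exclude_groups` from the `[session_recording]` section and compares it with the login shell NSS returns for a user. It assumes SSSD enforces recording by substituting `/usr/bin/tlog-rec-session` as that shell; the function names and the script name `sr_check.sh` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumption: SSSD enforces recording by
# returning /usr/bin/tlog-rec-session as the login shell of a recorded user.
TLOG_SHELL=/usr/bin/tlog-rec-session

# Print the value of KEY ($2) from the [session_recording] section of FILE ($1).
sr_get_opt() {
    awk -F= -v key="$2" '
        /^[ \t]*\[/ { in_sr = ($0 ~ /^[ \t]*\[session_recording\]/); next }
        in_sr { k = $1; gsub(/[ \t]/, "", k)
                if (k == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
                                print; exit } }
    ' "$1"
}

# Succeed if any group in $1 (one name per line) appears in the comma-separated
# list $2. Matching is whole-name and case-insensitive (an assumption that suits
# AD domains); names must be in the form `id` prints them.
sr_is_excluded() {
    excl=$(printf '%s\n' "$2" | tr ',' '\n' |
           sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d')
    [ -n "$excl" ] || return 1
    printf '%s\n' "$1" | grep -Fxiq -e "$excl"
}

# Compare the shell NSS returned ($2) with what FILE ($1) implies for a user whose
# groups are $3. Returns 0 on agreement, 1 on mismatch, 2 if scope is not "all".
sr_verdict() {
    scope=$(sr_get_opt "$1" scope)
    [ "$scope" = all ] || { echo "skipped: scope is '${scope:-unset}'"; return 2; }
    if sr_is_excluded "$3" "$(sr_get_opt "$1" exclude_groups)"; then
        [ "$2" != "$TLOG_SHELL" ] && { echo "ok: excluded and not recorded"; return 0; }
        echo "mismatch: in an excluded group, yet shell is $TLOG_SHELL"; return 1
    fi
    [ "$2" = "$TLOG_SHELL" ] && { echo "ok: recorded"; return 0; }
    echo "mismatch: not excluded, yet shell is $2"; return 1
}

# Live use on a host: sh sr_check.sh USER
if [ $# -eq 1 ]; then
    conf=/etc/sssd/conf.d/sssd-session-recording.conf
    sr_verdict "$conf" "$(getent passwd "$1" | cut -d: -f7)" \
               "$(id -Gnz "$1" | tr '\0' '\n')"
fi
```

A "mismatch: in an excluded group" result for a member of the excluded AD group corresponds to the behaviour reported here. SSSD caches lookups, so results taken right after editing the configuration may be stale.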

Comment 1 Alexey Tikhonov 2021-12-06 13:15:46 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5829

* `master`
    * 232ba7f0dcc2ee104c881bc3406f4dda3de86216 - DP: Resolve intermediate groups prior to SR overlay

Comment 9 errata-xmlrpc 2022-05-17 16:00:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: sssd), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4015