Bug 2196521

Summary: [RHEL8] sssd: AD user login problem when ldap_user_name is changed to "name" and access is restricted by GPO policy
Product: Red Hat Enterprise Linux 8
Reporter: Rakesh Kumar <rakkumar>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: VERIFIED ---
QA Contact: Dan Lavu <dlavu>
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.6
CC: aboscatt, atikhono, pbrezina, sbose, sgadekar
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: sssd-2.9.1-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Rakesh Kumar 2023-05-09 11:53:13 UTC
Description of problem: AD user login problem when ldap_user_name is changed to "name" and access is restricted by GPO policy
-----------------------------------------------------------
In 'ad_gpo_connect_done()' SSSD should not use 'state->opts->user_map[SDAP_AT_USER_NAME].name' in the search filter but hardcoded 'sAMAccountName' to make sure that the sAMAccountName of the host is searched with this attribute name.
-------------------------------------------------------------------------

Version-Release number of selected component (if applicable):

rhel8.6
sssd-ad-2.4.0-9.el8_4.2.x86_64
sssd-ad-2.6.2-4.el8_6.1.x86_64

How reproducible:
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): domain: example.systest.sanpaoloimi.
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): user: rakkumar.
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): service: sshd
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): tty: ssh
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): ruser:
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): rhost: 192.168.160.60
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): authtok type: 0 (No authentication token available)
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): priv: 1
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): cli_pid: 1194471
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): logon name: not set
(2023-04-26 14:48:48): [be[example.systest.]] [pam_print_data] (0x0100): flags: 0
(2023-04-26 14:48:48): [be[example.systest.]] [dp_attach_req] (0x0400): [RID#20] DP Request [PAM Account #20]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0000].
(2023-04-26 14:48:48): [be[example.systest.]] [dp_attach_req] (0x0400): [RID#20] Number of active DP request: 1
(2023-04-26 14:48:48): [be[example.systest.]] [sss_domain_get_state] (0x1000): [RID#20] Domain example.systest.sanpaoloimi. is Active
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_access_send] (0x0400): [RID#20] Performing access check for user [rakkumar.]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_account_expired_ad] (0x0400): [RID#20] Performing AD access check for user [rakkumar.]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_account_expired_ad] (0x4000): [RID#20] User account control for user [rakkumar.] is [200].
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_account_expired_ad] (0x4000): [RID#20] Expiration time for user [rakkumar.] is [133325568000000000].
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_access_send] (0x0400): [RID#20] service sshd maps to Remote Interactive
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_id_op_connect_step] (0x4000): [RID#20] reusing cached connection
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_connect_done] (0x4000): [RID#20] server_hostname from uri: example.example.systest.
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_connect_done] (0x0400): [RID#20] sam_account_name is SALCLT110$
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_print_server] (0x2000): [RID#20] Searching 10.248.28.2:389
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x0400): [RID#20] calling ldap_search_ext with [(&(objectclass=user)(name=[dc=example,dc=
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x1000): [RID#20] Requesting attrs: [distinguishedName]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x1000): [RID#20] Requesting attrs: [userAccountControl]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_get_generic_ext_step] (0x2000): [RID#20] ldap_search_ext called, msgid = 46
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_op_add] (0x2000): [RID#20] New operation 46 timeout 6
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_process_result] (0x2000): Trace: sh[0x561baf727230], connected[1], ops[0x561baf785260], ldap[0x561baf73c170]
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_process_message] (0x4000): [RID#20] Message type: [LDAP_RES_SEARCH_REFERENCE]


(2023-04-26 14:48:48): [be[example.systest.]] [generic_ext_search_handler] (0x4000): [RID#20]     Ref: ldap://DomainDnsZones.example.
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_target_dn_retrieval_
(2023-04-26 14:48:48): [be[example.systest.]] [sdap_id_op_destroy] (0x4000): [RID#20] releasing operation connection
(2023-04-26 14:48:48): [be[example.systest.]] [ad_gpo_access_done] (0x0040): [RID#20] GPO-based access control failed.
(2023-04-26 14:48:48): [be[example.systest.]] [dp_req_done] (0x0400): [RID#20] DP Request [PAM Account #20]: Request handler finished [0]: Success
(2023-04-26 14:48:48): [be[example.systest.]] [_dp_req_recv] (0x0400): [RID#20] DP Request [PAM Account #20]: Receiving request data.
(2023-04-26 14:48:48): [be[example.systest.]] [dp_req_destructor] (0x0400): [RID#20] DP Request [PAM Account #20]: Request removed.
(2023-04-26 14:48:48): [be[example.systest.]] [dp_req_destructor] (0x0400): [RID#20] Number of active DP request: 0
(2023-04-26 14:48:48): [be[example.systest.]] [dp_method_enabled] (0x0400): [RID#20] Target selinux is not configured

Note: when we are using "ldap_user_name = sAMAccountName", the test passed and there is no restriction from the GPO policy end.

But when we are using "ldap_user_name = name", the test failed.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
While using "ldap_user_name = name" in sssd.conf, an Active Directory user should be able to authenticate on the Linux client system.



Additional info:

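The root cause named in the description (the GPO host lookup borrowing the attribute name from the ldap_user_name mapping) can be modelled outside of SSSD. The example below is added here and is not code from SSSD or from this bug report: it rebuilds the search filter the GPO access check uses to find the client's own computer object, once with the pre-fix behaviour (attribute taken from ldap_user_name) and once with sAMAccountName hardcoded, and evaluates both against a constructed sample directory. The DNs, attribute values and the tiny filter evaluator are assumptions for illustration; the point it shows is that an AD computer object's sAMAccountName ends in "$" (SALCLT110$ in the log) while its name attribute does not, so the filter "(name=SALCLT110$)" seen in the log can never match and the target DN retrieval fails.

```python
"""Model of the SSSD GPO host lookup described in this bug.

Added example, not code from SSSD or the bug report. The directory entries,
DNs and attribute values below are constructed for illustration.
"""
import re

# Constructed sample directory: the client's computer object and one user.
# In AD a computer's sAMAccountName carries a trailing '$' while its `name`
# (the CN) does not; that gap is what makes the pre-fix lookup fail.
SAMPLE_DIRECTORY = [
    {
        "distinguishedName": "CN=SALCLT110,CN=Computers,DC=example,DC=systest",
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "name": "SALCLT110",
        "sAMAccountName": "SALCLT110$",
        "userAccountControl": "4096",  # WORKSTATION_TRUST_ACCOUNT (assumed)
    },
    {
        "distinguishedName": "CN=rakkumar,CN=Users,DC=example,DC=systest",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "name": "rakkumar",
        "sAMAccountName": "rakkumar",
        "userAccountControl": "512",  # NORMAL_ACCOUNT
    },
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value; '$' is not special."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_unescape(value: str) -> str:
    """Reverse of ldap_escape for the evaluator below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def gpo_host_filter(host_sam: str, ldap_user_name: str, fixed: bool) -> str:
    """Filter used to locate the client's computer object.

    fixed=False: pre-fix behaviour, the attribute comes from the
    ldap_user_name mapping (SDAP_AT_USER_NAME), so 'name' leaks in.
    fixed=True: post-fix behaviour, sAMAccountName is hardcoded.
    """
    attr = "sAMAccountName" if fixed else ldap_user_name
    return f"(&(objectclass=user)({attr}={ldap_escape(host_sam)}))"


def search(directory, ldap_filter: str):
    """Evaluate an AND-of-equalities filter '(&(a=v)(b=w)...)' and return DNs.

    Attribute names and values compare case-insensitively, as AD does for
    these attributes; a multi-valued attribute matches if any value matches.
    """
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    terms = [(a.lower(), ldap_unescape(v).lower())
             for a, v in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))]
    hits = []
    for entry in directory:
        attrs = {k.lower(): v for k, v in entry.items()}
        matched = True
        for attr, want in terms:
            have = attrs.get(attr)
            values = have if isinstance(have, list) else [have]
            if not any(v is not None and str(v).lower() == want for v in values):
                matched = False
                break
        if matched:
            hits.append(entry["distinguishedName"])
    return hits


def gpo_target_dn(directory, host_sam: str, ldap_user_name: str, fixed: bool):
    """DN of the host's computer object, or None when exactly one entry is not
    found (the condition behind 'GPO-based access control failed' in the log)."""
    hits = search(directory, gpo_host_filter(host_sam, ldap_user_name, fixed))
    return hits[0] if len(hits) == 1 else None


def gpo_access_decision(directory, host_sam: str, ldap_user_name: str, fixed: bool) -> str:
    """Outcome of the host lookup step in enforcing mode: a failed lookup
    denies the login, which is what the reporter observed with 'name'."""
    if gpo_target_dn(directory, host_sam, ldap_user_name, fixed) is None:
        return "denied: host lookup failed"
    return "continue: GPO evaluation proceeds for the host"


if __name__ == "__main__":
    for cfg, fixed in (("name", False), ("name", True), ("sAMAccountName", False)):
        print(cfg, "fixed" if fixed else "pre-fix",
              gpo_host_filter("SALCLT110$", cfg, fixed),
              gpo_access_decision(SAMPLE_DIRECTORY, "SALCLT110$", cfg, fixed))
```

To confirm the same gap on a live client, run the two filters by hand against a domain controller, for example with ldapsearch (host name and base DN are placeholders): "(&(objectclass=user)(sAMAccountName=HOST$))" should return the computer object while "(&(objectclass=user)(name=HOST$))" returns nothing, matching the truncated "(name=" filter visible in the debug log above.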
Comment 4 Alexey Tikhonov 2023-06-07 15:05:50 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6767

Comment 5 Alexey Tikhonov 2023-06-19 18:47:08 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6767

* `master`
    * 67c11c2ebae843f7ddd6b857efa2e1f6449986f3 - ad: use sAMAccountName to lookup hosts
* `sssd-2-9`
    * 5008f0f9286e6c07fb8cbf4e6c021b74d712a28c - ad: use sAMAccountName to lookup hosts