Bug 696972

Summary: [REGRESSION] Filters not honoured against fully-qualified users.
Product: Red Hat Enterprise Linux 6 Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.1CC: benl, dpal, grajaiya, jgalipea, kbanerje, prc, syeghiay
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.5.1-30.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 696979 (view as bug list) Environment:
Last Closed: 2011-05-19 11:39:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 696979    

Description Gowrishankar Rajaiyan 2011-04-15 13:05:46 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.5.1-28.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Use "filter_users = root, puser1" in sssd.conf (see Additional info for sssd.conf)
2. restart sssd clearing cache.
3. getent -s sss passwd puser1
	- enumeration fails as expected.
4. getent -s sss passwd puser1@LDAP
	- enumeration succeeds, not as expected.
5. # ssh -l puser1 localhost 
puser1@localhost's password: 
Permission denied, please try again, as expected

6. # ssh -l puser1@LDAP localhost uname -a
puser1@LDAP@localhost's password: 
id: cannot find name for group ID 1001
id: cannot find name for user ID 1001
Linux gsr.redhat.com 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

  
Actual results:
- Authentication successful and remote command executed successfully.

Expected results:
- Permission denied as the user is filtered out.

Additional info:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LDAP

[nss]
filter_groups = root, Group1
filter_users = root, puser1
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
ldap_group_nesting_level = 4
cache_credentials = true
enumerate = false
debug_level = 9
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok_type = password
ldap_default_authtok = Secret123
Comment 5 Gowrishankar Rajaiyan 2011-04-18 12:36:13 UTC 
Relevant sssd.conf section:
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
ldap_group_nesting_level = 4
cache_credentials = true
enumerate = false
debug_level = 9
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok_type = password
ldap_default_authtok = Secret123
filter_groups = root, Group1
filter_users = root, puser1

# getent -s sss passwd puser1@LDAP
# getent group Group1@LDAP
#

User not enumerated, as expected.

# ssh -l puser1@LDAP localhost uname -a
puser1@LDAP@localhost's password: 
Permission denied, please try again.


/var/log/sssd/sssd_nss.log:
(Mon Apr 18 17:57:55 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [puser1] from [LDAP]
(Mon Apr 18 17:57:55 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/LDAP/puser1]
(Mon Apr 18 17:57:55 2011) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [puser1] does not exist in [LDAP]! (negative cache)
(Mon Apr 18 17:57:55 2011) [sssd[nss]] [client_recv] (5): Client disconnected!

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 30.el6                        Build Date: Fri 15 Apr 2011 09:37:47 PM IST
Install Date: Mon 18 Apr 2011 05:36:41 PM IST      Build Host: x86-005.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-30.el6.src.rpm
Size        : 3464053                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 6 errata-xmlrpc 2011-05-19 11:39:25 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 7 errata-xmlrpc 2011-05-19 13:04:01 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html