Bug 878480

Summary: Lookup user SIDs in external groups
Product: Red Hat Enterprise Linux 6
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 6.4
CC: mkosek, sbose, sgoveas, tlavigne
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-10.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 09:30:26 UTC
Bug Blocks: 886216

Description Dmitri Pal 2012-11-20 14:21:41 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3257

Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. The user SID should be used as well.

Comment 1 Namita Soman 2012-11-20 19:29:23 UTC
Please provide steps to reproduce and verify this bug

Comment 2 Sumit Bose 2012-11-20 20:00:15 UTC
- Create an external group: 'ipa group-add --external ext_user_test'
- Add a user or user SID to the external group: 'ipa group-add-member ext_user_test --external S-1-5-21-.....'
- Create a local group: 'ipa group-add loc_user_test'
- Add the external group to the local group: 'ipa group-add-member loc_user_test --groups=ext_user_test'
- Create an HBAC rule: 'ipa hbacrule-add user_test'
- Set some defaults, e.g. 'ipa hbacrule-mod --hostcat=all --servicecat=all user_test'
- Add the local group: 'ipa hbacrule-add-user --groups=loc_user_test'
- Make sure allow_all is disabled: 'ipa hbacrule-disable allow_all'
- Try to log in, e.g. with ssh, as the AD user

Comment 3 Rob Crittenden 2012-11-30 21:40:56 UTC
Fixed upstream.

master: c5e055ae00a2f4a41df4bdcbc95e81d771a4f8cf

ipa-3-0: 22c752c230049985cdf9490a96c901d80c3d41c0

Comment 6 Steeve Goveas 2013-01-31 09:17:57 UTC
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 878480' --external ext_user_test
---------------------------
Added group "ext_user_test"
---------------------------
  Group name: ext_user_test
  Description: test group for bug 878480

[root@ibm-x3500m4-01 ~]# ipa group-add-member ext_user_test --external "ADLAB\adtestuser1"
[member user]: 
[member group]: 
  Group name: ext_user_test
  Description: test group for bug 878480
  External member: S-1-5-21-3655990580-1375374850-1633065477-1178
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa group-add loc_user_test
Description: local test group for bug 878480
---------------------------
Added group "loc_user_test"
---------------------------
  Group name: loc_user_test
  Description: local test group for bug 878480
  GID: 520800006

[root@ibm-x3500m4-01 ~]# ipa group-add-member loc_user_test --groups=ext_user_test
  Group name: loc_user_test
  Description: local test group for bug 878480
  GID: 520800006
  Member groups: ext_user_test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-add user_test
---------------------------
Added HBAC rule "user_test"
---------------------------
  Rule name: user_test
  Enabled: TRUE

[root@ibm-x3500m4-01 ~]# ipa hbacrule-mod --hostcat=all --servicecat=all user_test
------------------------------
Modified HBAC rule "user_test"
------------------------------
  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE

[root@ibm-x3500m4-01 ~]# ipa hbacrule-add-user --groups=loc_user_test user_test
  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: loc_user_test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: loc_user_test
----------------------------
Number of entries returned 2
----------------------------

* AD user login to server works

[root@dell-pe1950-03 ~]# ssh -l adtestuser1 ibm-x3500m4-01.testrelm.com
adtestuser1@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 8991 day(s).
Last login: Wed Jan 30 18:41:25 2013 from ibm-x3500m4-01.testrelm.com
Could not chdir to home directory /home/adlab.qe/adtestuser1: No such file or directory
-sh-4.1$ id
uid=1979001178(adtestuser1) gid=1979001178(adtestuser1) groups=1979001178(adtestuser1),520800004(ad_users),520800006(loc_user_test),1979000513(domain users),1979001150(adgroup1),1979001151(adgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
Connection to ibm-x3500m4-01.testrelm.com closed.

* Other users were not able to login

[root@dell-pe1950-03 ~]# ssh -l adtestuser2 ibm-x3500m4-01.testrelm.com
adtestuser2@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 8991 day(s).
Connection closed by UNKNOWN

[root@dell-pe1950-03 ~]# ssh -l fuser ibm-x3500m4-01.testrelm.com
fuser@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 41 day(s).
Connection closed by UNKNOWN


* Logs for failed logins
==> /var/log/secure <==
Jan 31 03:45:45 ibm-x3500m4-01 sshd[16215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): User info message: Your password will expire in 8991 day(s).
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:account): Access denied for user adtestuser2: 6 (Permission denied)
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: Failed password for adtestuser2 from 10.34.35.54 port 49994 ssh2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16216]: fatal: Access denied for user adtestuser2 by PAM account configuration

==> /var/log/secure <==
Jan 31 03:46:51 ibm-x3500m4-01 sshd[16221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): User info message: Your password will expire in 41 day(s).
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:account): Access denied for user fuser: 6 (Permission denied)
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: Failed password for fuser from 10.34.35.54 port 49995 ssh2
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16222]: fatal: Access denied for user fuser by PAM account configuration
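The following Python is an added illustration, not FreeIPA or SSSD code: it models how the SIDs carried in a user's PAC are matched against IPA external groups, resolved to the POSIX groups that nest them, and then checked against the HBAC rules from the transcript above. The pre-fix lookup considers only the PAC's group SIDs, so an external group that lists the user's own SID (as ext_user_test does for adtestuser1) never resolves to loc_user_test and the account phase denies the login; the fixed lookup adds the user SID. The ext_domain_users/ad_users nesting and adtestuser2's RID are assumptions, not taken from the page.

```python
# Added example (not FreeIPA/SSSD code): PAC SIDs -> external groups -> POSIX
# groups -> HBAC decision, before and after the fix for bug 878480.

# SIDs from the verification transcript; adtestuser2's RID 1179 is constructed.
ADTESTUSER1_SID = "S-1-5-21-3655990580-1375374850-1633065477-1178"
ADTESTUSER2_SID = "S-1-5-21-3655990580-1375374850-1633065477-1179"
DOMAIN_USERS_SID = "S-1-5-21-3655990580-1375374850-1633065477-513"

# External groups hold SIDs; POSIX groups hold the external groups nested in them.
EXTERNAL_GROUPS = {
    "ext_user_test": {ADTESTUSER1_SID},      # user SID added with --external
    "ext_domain_users": {DOMAIN_USERS_SID},  # assumed: a group SID, the path that always worked
}
POSIX_GROUPS = {
    "loc_user_test": {"ext_user_test"},      # ipa group-add-member loc_user_test --groups=ext_user_test
    "ad_users": {"ext_domain_users"},        # assumed nesting
}
# HBAC rules as configured in the transcript (host/service category 'all' on both).
HBAC_RULES = [
    {"name": "allow_all", "enabled": False, "usercat": "all", "groups": set()},
    {"name": "user_test", "enabled": True, "usercat": None, "groups": {"loc_user_test"}},
]


def resolve_posix_groups(user_sid, group_sids, use_user_sid):
    """Map the PAC's SIDs to POSIX groups via external groups.

    use_user_sid=False models the pre-fix behaviour: only group SIDs are
    looked up, so an external group listing the user's own SID is missed."""
    sids = set(group_sids) | ({user_sid} if use_user_sid else set())
    ext_hits = {name for name, members in EXTERNAL_GROUPS.items() if members & sids}
    return {name for name, nested in POSIX_GROUPS.items() if nested & ext_hits}


def hbac_allows(posix_groups):
    """True if any enabled rule matches the user's resolved groups."""
    for rule in HBAC_RULES:
        if rule["enabled"] and (rule["usercat"] == "all" or rule["groups"] & posix_groups):
            return True
    return False


def login_decision(user_sid, group_sids, fixed):
    """Outcome of the pam_sss account phase for the given PAC contents."""
    return "allowed" if hbac_allows(resolve_posix_groups(user_sid, group_sids, fixed)) else "denied"


if __name__ == "__main__":
    pac = (ADTESTUSER1_SID, {DOMAIN_USERS_SID})
    print("adtestuser1 before fix:", login_decision(*pac, fixed=False))  # denied
    print("adtestuser1 after fix: ", login_decision(*pac, fixed=True))   # allowed
    print("adtestuser2 after fix: ", login_decision(ADTESTUSER2_SID, {DOMAIN_USERS_SID}, fixed=True))  # denied
```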

Comment 8 errata-xmlrpc 2013-02-21 09:30:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html