Bug 878480
Summary: | Lookup user SIDs in external groups | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal>
Component: | ipa | Assignee: | Rob Crittenden <rcritten>
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman>
Severity: | unspecified | Docs Contact: |
Priority: | medium | |
Version: | 6.4 | CC: | mkosek, sbose, sgoveas, tlavigne
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | ipa-3.0.0-10.el6 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-02-21 09:30:26 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 886216 | |
Description
Dmitri Pal
2012-11-20 14:21:41 UTC
Please provide steps to reproduce and verify this bug

- Create an external group: `ipa group-add --external ext_user_test`
- Add a user or user SID to the external group: `ipa group-add-member ext_user_test --external S-1-5-21-.....`
- Create a local group: `ipa group-add loc_user_test`
- Add the external group to the local group: `ipa group-add-member loc_user_test --groups=ext_user_test`
- Create an HBAC rule: `ipa hbacrule-add user_test`
- Set some defaults, e.g. `ipa hbacrule-mod --hostcat=all --servicecat=all user_test`
- Add the local group: `ipa hbacrule-add-user --groups=loc_user_test`
- Make sure allow_all is disabled: `ipa hbacrule-disable allow_all`
- Try to log in, e.g. with ssh, as the AD user

Fixed upstream.

master: c5e055ae00a2f4a41df4bdcbc95e81d771a4f8cf
ipa-3-0: 22c752c230049985cdf9490a96c901d80c3d41c0

```
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 878480' --external ext_user_test
---------------------------
Added group "ext_user_test"
---------------------------
  Group name: ext_user_test
  Description: test group for bug 878480

[root@ibm-x3500m4-01 ~]# ipa group-add-member ext_user_test --external "ADLAB\adtestuser1"
[member user]:
[member group]:
  Group name: ext_user_test
  Description: test group for bug 878480
  External member: S-1-5-21-3655990580-1375374850-1633065477-1178
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa group-add loc_user_test
Description: local test group for bug 878480
---------------------------
Added group "loc_user_test"
---------------------------
  Group name: loc_user_test
  Description: local test group for bug 878480
  GID: 520800006

[root@ibm-x3500m4-01 ~]# ipa group-add-member loc_user_test --groups=ext_user_test
  Group name: loc_user_test
  Description: local test group for bug 878480
  GID: 520800006
  Member groups: ext_user_test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-add user_test
---------------------------
Added HBAC rule "user_test"
---------------------------
  Rule name: user_test
  Enabled: TRUE

[root@ibm-x3500m4-01 ~]# ipa hbacrule-mod --hostcat=all --servicecat=all user_test
------------------------------
Modified HBAC rule "user_test"
------------------------------
  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE

[root@ibm-x3500m4-01 ~]# ipa hbacrule-add-user --groups=loc_user_test user_test
  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: loc_user_test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: loc_user_test
----------------------------
Number of entries returned 2
----------------------------
```

* AD user login to server works

```
[root@dell-pe1950-03 ~]# ssh -l adtestuser1 ibm-x3500m4-01.testrelm.com
adtestuser1@ibm-x3500m4-01.testrelm.com's password:
Your password will expire in 8991 day(s).
Last login: Wed Jan 30 18:41:25 2013 from ibm-x3500m4-01.testrelm.com
Could not chdir to home directory /home/adlab.qe/adtestuser1: No such file or directory
-sh-4.1$ id
uid=1979001178(adtestuser1) gid=1979001178(adtestuser1) groups=1979001178(adtestuser1),520800004(ad_users),520800006(loc_user_test),1979000513(domain users),1979001150(adgroup1),1979001151(adgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
Connection to ibm-x3500m4-01.testrelm.com closed.
```

* Other users were not able to log in

```
[root@dell-pe1950-03 ~]# ssh -l adtestuser2 ibm-x3500m4-01.testrelm.com
adtestuser2@ibm-x3500m4-01.testrelm.com's password:
Your password will expire in 8991 day(s).
Connection closed by UNKNOWN

[root@dell-pe1950-03 ~]# ssh -l fuser ibm-x3500m4-01.testrelm.com
fuser@ibm-x3500m4-01.testrelm.com's password:
Your password will expire in 41 day(s).
Connection closed by UNKNOWN
```

* Logs for failed logins

```
==> /var/log/secure <==
Jan 31 03:45:45 ibm-x3500m4-01 sshd[16215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): User info message: Your password will expire in 8991 day(s).
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:account): Access denied for user adtestuser2: 6 (Permission denied)
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: Failed password for adtestuser2 from 10.34.35.54 port 49994 ssh2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16216]: fatal: Access denied for user adtestuser2 by PAM account configuration

==> /var/log/secure <==
Jan 31 03:46:51 ibm-x3500m4-01 sshd[16221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): User info message: Your password will expire in 41 day(s).
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:account): Access denied for user fuser: 6 (Permission denied)
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: Failed password for fuser from 10.34.35.54 port 49995 ssh2
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16222]: fatal: Access denied for user fuser by PAM account configuration
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
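The verification above hinges on reading `/var/log/secure` correctly: for the users who are not in the external group, `pam_sss(sshd:auth)` reports `authentication success` and the refusal only comes from `pam_sss(sshd:account)`, which is what an HBAC deny looks like, as opposed to a wrong password. The following Python script is an added example, not part of this bug report or of the FreeIPA/SSSD code, that parses sshd PAM lines in the format quoted above, groups them by sshd PID, and classifies each failed session as an access-control denial or a credential failure. The two denied sessions are taken from the log excerpt in this bug; the third session (PID 16230, user `adtestuser3`) is constructed to show the contrasting case.

```python
import re
from collections import defaultdict

# Constructed sample: the two failed-login sessions quoted in this bug's
# /var/log/secure excerpt, plus a constructed third session (PID 16230,
# user adtestuser3) in which the password itself was wrong, for contrast.
SAMPLE_LOG = """\
Jan 31 03:45:45 ibm-x3500m4-01 sshd[16215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): User info message: Your password will expire in 8991 day(s).
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:account): Access denied for user adtestuser2: 6 (Permission denied)
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: Failed password for adtestuser2 from 10.34.35.54 port 49994 ssh2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16216]: fatal: Access denied for user adtestuser2 by PAM account configuration
Jan 31 03:46:51 ibm-x3500m4-01 sshd[16221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): User info message: Your password will expire in 41 day(s).
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:account): Access denied for user fuser: 6 (Permission denied)
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: Failed password for fuser from 10.34.35.54 port 49995 ssh2
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16222]: fatal: Access denied for user fuser by PAM account configuration
Jan 31 03:50:00 ibm-x3500m4-01 sshd[16230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser3
Jan 31 03:50:02 ibm-x3500m4-01 sshd[16230]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser3
Jan 31 03:50:02 ibm-x3500m4-01 sshd[16230]: pam_sss(sshd:auth): received for user adtestuser3: 7 (Authentication failure)
Jan 31 03:50:02 ibm-x3500m4-01 sshd[16230]: Failed password for adtestuser3 from 10.34.35.54 port 49996 ssh2
"""

# Traditional syslog prefix as written by rsyslog on RHEL 6: "Mon DD HH:MM:SS host sshd[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# PAM module prefix: "pam_sss(sshd:account): ..."
PAM_RE = re.compile(r"^(?P<module>pam_\w+)\((?P<service>\w+):(?P<phase>\w+)\): (?P<text>.*)$")
# The user name appears either as "user=NAME" (\b keeps "ruser=" from matching) or "for user NAME".
USER_RE = re.compile(r"(?:\buser=|for user )(?P<user>[^\s:]+)")


def parse_line(line):
    """Split one sshd syslog line into fields; return None unless it is a PAM line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pm = PAM_RE.match(m.group("msg"))
    if not pm:
        return None
    um = USER_RE.search(pm.group("text"))
    return {
        "pid": int(m.group("pid")),
        "host": m.group("host"),
        "module": pm.group("module"),
        "phase": pm.group("phase"),
        "text": pm.group("text"),
        "user": um.group("user") if um else None,
    }


def classify_sessions(log_text):
    """Group PAM events by sshd PID and decide how each session ended.

    Outcomes:
      "access_control"  an auth module accepted the credentials but the account
                        phase refused the login (what an HBAC deny looks like)
      "bad_credentials" no auth module reported success
      "allowed"         auth succeeded and nothing denied the account phase
    """
    sessions = defaultdict(lambda: {"user": None, "auth_ok": False, "account_denied": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # non-PAM lines such as "Failed password" or "fatal:" carry no phase info
        s = sessions[ev["pid"]]
        if ev["user"] and not s["user"]:
            s["user"] = ev["user"]
        if ev["phase"] == "auth" and ev["text"].startswith("authentication success"):
            s["auth_ok"] = True
        if ev["phase"] == "account" and ev["text"].startswith("Access denied for user"):
            s["account_denied"] = True

    result = {}
    for pid, s in sessions.items():
        if s["auth_ok"] and s["account_denied"]:
            outcome = "access_control"
        elif not s["auth_ok"]:
            outcome = "bad_credentials"
        else:
            outcome = "allowed"
        result[pid] = {"user": s["user"], "outcome": outcome}
    return result


def access_control_denials(log_text):
    """Sorted user names whose password was accepted but who were refused at the account stage."""
    return sorted(v["user"] for v in classify_sessions(log_text).values()
                  if v["outcome"] == "access_control")


if __name__ == "__main__":
    for pid, info in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(pid, info["user"], info["outcome"])
```

When checking a fix like this one, the interesting population is exactly `access_control_denials()`: those users were authenticated by SSSD and then stopped by the HBAC evaluation in the account phase, which is the expected result for `adtestuser2` and `fuser` once `allow_all` is disabled and only `loc_user_test` is granted. A user who should be allowed but shows up in that list points at group resolution (the external group membership, which is what this bug is about), while a `bad_credentials` session is unrelated to HBAC.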