Bug 965760

Summary:	realmd permit --all should remove simple_allow_users from sssd.conf
Product:	[Fedora] Fedora	Reporter:	Patrik Kis <pkis>
Component:	realmd	Assignee:	Stef Walter <stefw>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	19	CC:	jhrozek, stefw, yelley
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	realmd-0.14.2-1.fc19	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:
Clones:	967030 (view as bug list)		Environment:
Last Closed:	2013-06-06 02:25:41 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	959458, 967030

Description Patrik Kis 2013-05-21 16:40:49 UTC

Description of problem:
realmd can be fooled by combination of permit user and permit -all

Version-Release number of selected component (if applicable):
realmd-0.14.1-1.fc19

How reproducible:
always

Steps to Reproduce:

[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U.qe
  login-policy: allow-realm-logins
[root@pkis ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
[root@pkis ~]# 
[root@pkis ~]# 
[root@pkis ~]# realm -v permit Amy.qe
 * /usr/bin/systemctl restart sssd.service
 * Successfully changed permitted logins for realm
[root@pkis ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_users = amy
[root@pkis ~]# 
[root@pkis ~]# realm -v permit --all
 * /usr/bin/systemctl restart sssd.service
 * Successfully changed permitted logins for realm
[root@pkis ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
simple_allow_users = amy
[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U.qe
  login-policy: allow-realm-logins
[root@pkis ~]# 
[root@pkis ~]# realm -v permit Bender.qe
 * /usr/bin/systemctl restart sssd.service
 * Successfully changed permitted logins for realm
[root@pkis ~]# realm list
ad.baseos.qe
  type: kerberos
  realm-name: AD.BASEOS.QE
  domain-name: ad.baseos.qe
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U.qe
  login-policy: allow-permitted-logins
  permitted-logins: amy.qe, bender.qe
  permitted-groups: 
[root@pkis ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = simple
simple_allow_users = amy, bender
[root@pkis ~]# 

Actual result:
Here one would expect that only Bender is allowed.

Expected result:
Last permit should allow only Bender.

Comment 1 Stef Walter 2013-05-24 10:53:03 UTC

Patch available upstream.

Comment 2 Fedora Update System 2013-05-27 12:07:33 UTC

realmd-0.14.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/realmd-0.14.2-1.fc19

Comment 3 Fedora Update System 2013-05-27 17:01:24 UTC

Package realmd-0.14.2-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing realmd-0.14.2-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9364/realmd-0.14.2-1.fc19
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2013-06-06 02:25:41 UTC

realmd-0.14.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.