Bug 1068723
| Summary: | Setting int option to 0 yields the default value | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 | CC: | dpal, grajaiya, jgalipea, jhrozek, jpazdziora, lslebodn, mkosek, nsoman, pbrezina, preichl |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.11.2-47.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 10:04:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jakub Hrozek
2014-02-21 18:21:31 UTC

Please add steps to set up, reproduce and verify this issue.

(In reply to Jenny Galipeau from comment #1)
> Please add steps to set up, reproduce and verify this issue.

Jan Pazdziora has an automated script that you can use easily. The rough steps to reproduce are:

0) Set up an IPA client. On the server, set up a rule that would allow access.
1) In sssd.conf, set ipa_hbac_refresh=0. Restart SSSD.
2) Attempt to log in. This time the login should succeed.
3) Change the rule on the server to not match, or disable it.
4) Log in again. Since the refresh timeout is set to 0 seconds, you'd expect SSSD to fetch the updated rule and deny access. But because of the bug, the default timeout of 5 seconds would be used and the cached (allow) rule would be used.

The trick is to make 2) - 4) happen faster than the default 5 seconds timeout, so using a script might make more sense.

Fixed upstream:

master:
90afedb00608547ae1f32aa7aafd552c4b306909
ddd21d5dc3c89712d9286d1f66f4b2af73651cf2

sssd-1-11:
802220cc4ef437d8f169c51c7ce073a51f507b92
d07cb60c1f4b9a7e1618b50ca2fc817298e5db12
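The following C program is an added illustration of the bug class named in this report's summary; it is written for this page and is not sssd's own code or the content of the commits above. An integer option lookup that uses the stored value 0 as its "not configured" sentinel cannot tell an explicit `ipa_hbac_refresh = 0` from an absent option, so the 5-second default is used and a login inside that window is answered from the cached allow rule, which is the sequence in the reproducer above. The key=value parser, the `confdb_*` and `hbac_cache_is_fresh` names, the sample config fragment and the timeline (allow cached at t=0, rule removed at t=1, second login at t=3) are assumptions made for the example.

```c
/*
 * Added illustration of the "0 means unset" bug class, not sssd's own code.
 * The buggy lookup treats a stored 0 as "option absent" and substitutes the
 * default; the fixed lookup tracks presence separately from the value.
 * Names, parser, sample config and timeline are assumptions for the example.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPTS 16
#define DEFAULT_HBAC_REFRESH 5   /* seconds; the default cited in the report */

struct opt {
    char key[64];
    int value;
    bool present;   /* true only when the key appeared in the config text */
};

struct confdb {
    struct opt opts[MAX_OPTS];
    int count;
};

/* Constructed sssd.conf fragment for this example. */
static const char SAMPLE_CONF[] =
    "[domain/testrelm.test]\n"
    "ipa_hbac_refresh = 0\n"
    "entry_cache_timeout = 600\n";

static char *trim(char *s)
{
    while (isspace((unsigned char)*s))
        s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* Minimal "key = int" parser: blank lines, comments and [sections] are
 * skipped; a non-integer value or too many options is an error (-1). */
int confdb_load(struct confdb *db, const char *text)
{
    char buf[1024];
    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);
    db->count = 0;
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        char *l = trim(line);
        if (*l == '\0' || *l == '#' || *l == ';' || *l == '[')
            continue;
        char *eq = strchr(l, '=');
        if (!eq || db->count == MAX_OPTS)
            return -1;
        *eq = '\0';
        char *key = trim(l), *val = trim(eq + 1), *endp;
        long v = strtol(val, &endp, 10);
        if (endp == val || *endp != '\0')
            return -1;
        struct opt *o = &db->opts[db->count++];
        snprintf(o->key, sizeof o->key, "%s", key);
        o->value = (int)v;
        o->present = true;
    }
    return 0;
}

/* Buggy lookup: a stored 0 is indistinguishable from "unset", default wins. */
int confdb_get_int_buggy(const struct confdb *db, const char *key, int def)
{
    for (int i = 0; i < db->count; i++)
        if (strcmp(db->opts[i].key, key) == 0 && db->opts[i].value != 0)
            return db->opts[i].value;
    return def;
}

/* Fixed lookup: presence is tracked explicitly, so an explicit 0 is honoured. */
int confdb_get_int_fixed(const struct confdb *db, const char *key, int def)
{
    for (int i = 0; i < db->count; i++)
        if (strcmp(db->opts[i].key, key) == 0 && db->opts[i].present)
            return db->opts[i].value;
    return def;
}

/* A cached HBAC result fetched at last_fetch may be reused at time now only
 * while it is younger than the refresh interval; refresh == 0 never reuses. */
bool hbac_cache_is_fresh(int refresh, int last_fetch, int now)
{
    return refresh > 0 && (now - last_fetch) < refresh;
}

/* Steps 2)-4) of the reproducer: allow cached at t=0, user removed from the
 * rule at t=1, second login at t=3. True means the stale cached allow wins. */
bool second_login_allowed(int refresh)
{
    const int cached_allow_at = 0, now = 3;
    const bool server_allows_now = false;
    if (hbac_cache_is_fresh(refresh, cached_allow_at, now))
        return true;
    return server_allows_now;   /* refetched from the server */
}

int lookup_buggy(const char *key)
{
    struct confdb db;
    return confdb_load(&db, SAMPLE_CONF) == 0
               ? confdb_get_int_buggy(&db, key, DEFAULT_HBAC_REFRESH) : -1;
}

int lookup_fixed(const char *key)
{
    struct confdb db;
    return confdb_load(&db, SAMPLE_CONF) == 0
               ? confdb_get_int_fixed(&db, key, DEFAULT_HBAC_REFRESH) : -1;
}

int main(void)
{
    int b = lookup_buggy("ipa_hbac_refresh"), f = lookup_fixed("ipa_hbac_refresh");
    printf("buggy: ipa_hbac_refresh=%d second login allowed=%d\n", b, second_login_allowed(b));
    printf("fixed: ipa_hbac_refresh=%d second login allowed=%d\n", f, second_login_allowed(f));
    return 0;
}
```

With the buggy lookup the explicit 0 comes back as 5 and the second login succeeds from cache; with the fixed lookup it comes back as 0, every evaluation goes to the server, and the login is denied. That is also why the QE sequence later in this report is the right regression test: the second ssh has to fail without any sleep in front of it.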
Can reproduce the issue in old client, but still seeing issue in new client.

Env:
Using a master with sssd-1.11.2-58.el7.x86_64.
Added the setting ipa_hbac_refresh=0 to sssd.conf and restarted sssd.

Two clients are added to this master:
nocp12.testrelm.test with sssd-1.11.2-58.el7.x86_64
blade05.testrelm.test with sssd-1.11.2-42.el7.x86_64

Steps taken on master (all this in a script, as suggested above, to be able to test faster than the default 5 seconds timeout):

```
# ipa hbacrule-disable allow_all
# echo one | ipa user-add one --first=one --last=one --password
# ipa passwd one
# kinit one
# kinit admin
# ipa hostgroup-add testhostgrp --desc=testhostgrp
# ipa hostgroup-add-member testhostgrp --hosts=nocp12.testrelm.test
# ipa hbacrule-add rule1068723
# ipa hbacrule-add-service rule1068723 --hbacsvcs=sshd
# ipa hbacrule-add-user rule1068723 --users=one
# ipa hbacrule-add-host rule1068723 --hostgroups=testhostgrp
# ipa hbacrule-show rule1068723
# kinit one
# ssh -q -o StrictHostKeyChecking=no -l one nocp12.testrelm.test echo 'login successful'
logged in successfully
# kinit admin
# ipa hbacrule-remove-user rule1068723 --users=one
# kinit one
# ssh -q -o StrictHostKeyChecking=no -l one nocp12.testrelm.test echo 'login successful'
```

Actual results:
logged in successfully

Expected results:
user one should not be allowed to log in

Added sleep 5 before the last ssh, and user one was denied access.

Looks like caching still happens with value set to 0, or should a different sequence of steps be used?

(In reply to Namita Soman from comment #7)
> Can reproduce the issue in old client, but still seeing issue in new client.
>
> Env:
> Using a master with sssd-1.11.2-58.el7.x86_64.
> Added the setting ipa_hbac_refresh=0 to sssd.conf and restarted sssd.

HBAC rules are evaluated on the client. "ipa_hbac_refresh=0" should be added to sssd.conf on the clients and not on the machine where ipa-server is installed.

> Two clients are added to this master:
> nocp12.testrelm.test with sssd-1.11.2-58.el7.x86_64
> blade05.testrelm.test with sssd-1.11.2-42.el7.x86_64
>

Verified using sssd-1.11.2-58.el7.x86_64

Output from automated script:

```
----------------
Added user "one"
----------------
  User login: one
  First name: one
  Last name: one
  Full name: one one
  Display name: one one
  Initials: oo
  Home directory: /home/one
  GECOS: one one
  Login shell: /bin/sh
  Kerberos principal: one
  Email address: one
  UID: 858800054
  GID: 858800054
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "one"
----------------------------------------
Password for one:
Password expired. You must change it now.
Enter new password:
Enter it again:
Password mismatch. Please try again.
Enter new password:
Enter it again:
Password for admin:
-----------------------------
Added hostgroup "testhostgrp"
-----------------------------
  Host-group: testhostgrp
  Description: testhostgrp
  Host-group: testhostgrp
  Description: testhostgrp
  Member hosts: nocp12.testrelm.test
-------------------------
Number of members added 1
-------------------------
-----------------------------
Added HBAC rule "rule1068723"
-----------------------------
  Rule name: rule1068723
  Enabled: TRUE
  Rule name: rule1068723
  Enabled: TRUE
  Services: sshd
-------------------------
Number of members added 1
-------------------------
  Rule name: rule1068723
  Enabled: TRUE
  Users: one
  Services: sshd
-------------------------
Number of members added 1
-------------------------
  Rule name: rule1068723
  Enabled: TRUE
  Users: one
  Host Groups: testhostgrp
  Services: sshd
-------------------------
Number of members added 1
-------------------------
  Rule name: rule1068723
  Enabled: TRUE
  Users: one
  Host Groups: testhostgrp
  Services: sshd
Password for one:
Could not chdir to home directory /home/one: No such file or directory
login successful
Password for admin:
  Rule name: rule1068723
  Enabled: TRUE
  Host Groups: testhostgrp
  Services: sshd
---------------------------
Number of members removed 1
---------------------------
Password for one:
```

...and user one did not get the "login successful" here. Verified rule wasn't cached.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.