Bug 1135432 - Dereference code errors out when dereferencing entries protected by ACIs
Summary: Dereference code errors out when dereferencing entries protected by ACIs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1135433
TreeView+ depends on / blocked
 
Reported: 2014-08-29 09:55 UTC by Jakub Hrozek
Modified: 2019-07-11 08:09 UTC (History)
6 users (show)

Fixed In Version: sssd-1.12.4-1.el6
Doc Type: Bug Fix
Doc Text:
Do not document.
Clone Of:
: 1135433 (view as bug list)
Environment:
Last Closed: 2015-07-22 06:41:30 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1448 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-07-20 18:43:53 UTC

Description Jakub Hrozek 2014-08-29 09:55:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2421

The dereference code currently fails completely when processing initgroups of an IPA user who is a member of some Role or linked to a Permission against a new (4.0) IPA server.

This is because in 4.0, IPA switched to a different permission model that no longer allows the host principal to read the rbac and pbac containers. The current dereference code errors out when it can't read even the objectclass of an entry.

This bug could be also triggered outside IPA, just by restricting the ACI on the linked entry.

Comment 1 Jakub Hrozek 2014-09-08 17:31:28 UTC
master:
    2284e50c801a53541016eb9a5af00d1250d36afb
    0321da68a393943797ea8cb9eb5e9672431ff8f4 
sssd-1-11:
    ffe42e0158df6e4b2aad91e9a0cd75aff05be8c4

Comment 3 Kaushik Banerjee 2015-06-17 16:45:08 UTC
Verified with sssd-1.12.4-46.el6.x86_64

On IPA Server(RHEL7.1), run:
ipa permission-add test --attrs entryusn --right read --bindtype all --subtree "dc=testrelm,dc=test"

On IPA Client(RHEL6.7):
[domain/testrelm.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = dhcp207-169.lab.eng.pnq.redhat.com
chpass_provider = ipa
ipa_server = _srv_, dhcp207-70.testrelm.test
dns_discovery_domain = testrelm.test
ldap_deref_threshold=1

# id testuser1
uid=1578200012(testuser1) gid=1578200012(testuser1) groups=1578200012(testuser1),1578200005(testgroup4),1578200009(testgroup8),1578200004(testgroup3),1578200008(testgroup7),1578200003(testgroup2),1578200007(testgroup6),1578200001(testgroup1),1578200006(testgroup5),1578200010(testgroup9),1578200011(testgroup10)

Comment 5 errata-xmlrpc 2015-07-22 06:41:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html


Note You need to log in before you can comment on or make changes to this bug.