Red Hat Bugzilla – Bug 1172598
Access is not rejected for disabled domain
Last modified: 2015-09-23 11:27:58 EDT
+++ This bug was initially created as a clone of Bug #1170300 +++ Description of problem: This is a regression of bz1070924 Version-Release number of selected component (if applicable): ipa-server-4.1.0-10.el7.x86_64 How reproducible: Steps to Reproduce: 1. Setup trust with AD having a child domain 2. Disable child domain trust 3. ssh as user from child AD domain Actual results: [root@vm-idm-032 ~]# ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'" aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: login successful [root@vm-idm-032 ~]# ipa trustdomain-disable adtest.qe pune.adtest.qe -------------------------------------- Disabled trust domain "pune.adtest.qe" -------------------------------------- [root@vm-idm-032 ~]# ipa trustdomain-find adtest.qe Domain name: adtest.qe Domain NetBIOS name: ADTEST Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879 Domain enabled: True Domain name: pune.adtest.qe Domain NetBIOS name: PUNE Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112 Domain enabled: False ---------------------------- Number of entries returned 2 ---------------------------- [root@vm-idm-032 ~]# ipa trust-show adtest.qe --all | grep S-1-5-21-91314187-2404433721-1858927112 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18 [root@vm-idm-032 ~]# sleep 90 ; ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'" aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: login successful [root@vm-idm-032 ~]# sleep 30 ; ssh -l "aduser1@pune.adtest.qe" $(hostname) "echo 'login successful'" aduser1@pune.adtest.qe@vm-idm-032.steeve0312.test's password: login successful Expected results: Access should be rejected for AD user from disabled domain Additional info: ... --- Additional comment from Petr Vobornik on 2014-12-04 03:51:42 EST --- Upstream ticket: https://fedorahosted.org/freeipa/ticket/4788
This Bugzilla is to provide better error code in this scenario (and return POLICY error to be precise)
How to test: - disable a domain from a trusted forest - call kinit with a principal of a user from the disabled domain (this will work because kinit will talk to the DC of the domain directly) - try to get a Kerberos service ticket for an IPA server, e.g. kvno ldap/ipaserver.ipa.domain@IPA.DOMAIN Older version of IPA should just show an unspecific error, while versions with the patch should show a policy error.
Verified in version ipa-server-4.1.0-13.el7.x86_64 sssd-ipa-1.12.2-39.el7.x86_64 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: trustdomain_cli_bz1172598: Policy error expected when access is rejected for disabled domain :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ BEGIN ] :: Running 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' :: [ PASS ] :: Command 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 0, got 0) -------------------------------------- Disabled trust domain "pune.adtest.qe" -------------------------------------- :: [ BEGIN ] :: Running 'kdestroy -A' :: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0) :: [ BEGIN ] :: Running 'echo Secret123 | kinit testu1@PUNE.ADTEST.QE' Password for testu1@PUNE.ADTEST.QE: :: [ PASS ] :: Command 'echo Secret123 | kinit testu1@PUNE.ADTEST.QE' (Expected 0, got 0) :: [ BEGIN ] :: Running 'kvno ldap/vm-idm-010.steeve2411.test@STEEVE2411.TEST > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' :: [ PASS ] :: Command 'kvno ldap/vm-idm-010.steeve2411.test@STEEVE2411.TEST > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 1, got 1) :: [ BEGIN ] :: Running 'cat /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out' kvno: KDC policy rejects request while getting credentials for ldap/vm-idm-010.steeve2411.test@STEEVE2411.TEST :: [ PASS ] :: Command 'cat /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out' (Expected 0, got 0) :: [ PASS ] :: File '/tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out' should contain 'kvno: KDC policy rejects request while getting credentials for ldap/vm-idm-010.steeve2411.test@STEEVE2411.TEST' :: [ BEGIN ] :: Running 'kdestroy -A' :: [ PASS ] :: Command 'kdestroy -A' (Expected 0, got 0) :: [ BEGIN ] :: Running 'echo Secret123 | kinit admin' Password for admin@STEEVE2411.TEST: :: [ PASS ] :: Command 'echo Secret123 | kinit admin' (Expected 0, got 0) :: [ BEGIN ] :: Running 'ipa trustdomain-enable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' :: [ PASS ] :: Command 'ipa trustdomain-enable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 0, got 0) :: [ BEGIN ] :: Running 'sleep 65' :: [ PASS ] :: Command 'sleep 65' (Expected 0, got 0)
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/373a04870d6ecc99145a6267c008702ed3e24171 ipa-4-1: https://fedorahosted.org/freeipa/changeset/6d6e924b1fe154812d66277f55c485f210e9c32d
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html