RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1172598 - Access is not rejected for disabled domain
Summary: Access is not rejected for disabled domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On: 1170300
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-12-10 12:54 UTC by Martin Kosek
Modified: 2015-09-23 15:27 UTC (History)
15 users (show)

Fixed In Version: ipa-4.1.0-13.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1170300
Environment:
Last Closed: 2015-03-05 10:18:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 0 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description Martin Kosek 2014-12-10 12:54:29 UTC 
+++ This bug was initially created as a clone of Bug #1170300 +++

Description of problem:
This is a regression of bz1070924

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Setup trust with AD having a child domain
2. Disable child domain trust
3. ssh as user from child AD domain

Actual results:

[root@vm-idm-032 ~]# ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

[root@vm-idm-032 ~]# ipa trustdomain-disable adtest.qe pune.adtest.qe
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------

[root@vm-idm-032 ~]# ipa trustdomain-find  adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------

[root@vm-idm-032 ~]#  ipa trust-show adtest.qe --all | grep S-1-5-21-91314187-2404433721-1858927112
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-21-91314187-2404433721-1858927112, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18

[root@vm-idm-032 ~]# sleep 90 ; ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

[root@vm-idm-032 ~]# sleep 30 ; ssh -l "aduser1.qe" $(hostname) "echo 'login successful'"
aduser1.qe.test's password: 
login successful

Expected results:
Access should be rejected for AD user from disabled domain

Additional info:

...

--- Additional comment from Petr Vobornik on 2014-12-04 03:51:42 EST ---

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4788
Comment 1 Martin Kosek 2014-12-10 12:55:33 UTC 
This Bugzilla is to provide better error code in this scenario (and return POLICY error to be precise)
Comment 4 Sumit Bose 2015-01-07 10:09:41 UTC 
How to test:
- disable a domain from a trusted forest
- call kinit with a principal of a user from the disabled domain (this will work because kinit will talk to the DC of the domain directly)
- try to get a Kerberos service ticket for an IPA server, e.g.
      kvno ldap/ipaserver.ipa.domain
  Older version of IPA should just show an unspecific error, while versions with the patch should show a policy error.
Comment 5 Steeve Goveas 2015-01-08 05:04:23 UTC 
Verified in version
ipa-server-4.1.0-13.el7.x86_64
sssd-ipa-1.12.2-39.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: trustdomain_cli_bz1172598: Policy error expected when access is rejected for disabled domain
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1'
:: [   PASS   ] :: Command 'ipa trustdomain-disable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 0, got 0)
--------------------------------------
Disabled trust domain "pune.adtest.qe"
--------------------------------------
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123 | kinit testu1.QE'
Password for testu1.QE: 
:: [   PASS   ] :: Command 'echo Secret123 | kinit testu1.QE' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'kvno ldap/vm-idm-010.steeve2411.test > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1'
:: [   PASS   ] :: Command 'kvno ldap/vm-idm-010.steeve2411.test > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 1, got 1)
:: [  BEGIN   ] :: Running 'cat /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out'
kvno: KDC policy rejects request while getting credentials for ldap/vm-idm-010.steeve2411.test
:: [   PASS   ] :: Command 'cat /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out' (Expected 0, got 0)
:: [   PASS   ] :: File '/tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out' should contain 'kvno: KDC policy rejects request while getting credentials for ldap/vm-idm-010.steeve2411.test' 
:: [  BEGIN   ] :: Running 'kdestroy -A'
:: [   PASS   ] :: Command 'kdestroy -A' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123 | kinit admin'
Password for admin: 
:: [   PASS   ] :: Command 'echo Secret123 | kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa trustdomain-enable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1'
:: [   PASS   ] :: Command 'ipa trustdomain-enable adtest.qe pune.adtest.qe > /tmp/tmp.9Bf6w4t88R/tmpout.trustdomain_cli_bz1172598.out 2>&1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'sleep 65'
:: [   PASS   ] :: Command 'sleep 65' (Expected 0, got 0)
Comment 6 Martin Kosek 2015-02-16 15:32:01 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/373a04870d6ecc99145a6267c008702ed3e24171
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/6d6e924b1fe154812d66277f55c485f210e9c32d
Comment 8 errata-xmlrpc 2015-03-05 10:18:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
Note You need to log in before you can comment on or make changes to this bug.