Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2560 The attribute is used during HBAC checks. Normally it should be populated when the PAC responder is in use, but due to bugs like #2559 it might not be..
A patch is accepted upstream and was confirmed to fix the problem by both development and the user who initially reported the problem with 7.1 Beta packages.
To verify, create an HBAC rule that allows an IPA group. Add an AD group as a member of this IPA group. Add an AD user as a member of the AD group. Verify that "id username" for the AD user shows the complete group membership, including the IPA group. Log in as the AD user. Before the patch, the user would be denied access and sssd_be would log an error DEBUG message saying "No groups for user". The patched packages should allow the user to log in as appropriate.
master: 7543052f562f157f7b17fdc46a6777d80c0cb3bd a4d64002b5ca763622bde240d27797d361ba0388 5f4d896ec8e06476f4282b562b1044de14c48ecf sssd-1-12: dcc99fc87bc7ec44fdc8ec897218384cc274d4dd 2eb78055d7a344c0ef58adbaa84dac86df13174e 70ec6df14be2ddc26147095e260b4f9c7e606a6b
Additional patch landed in -45
Additional fixes landed in the latest build.
Verified. Version :: sssd-1.12.2-52.el7.x86_64 Results :: [root@vm7 sssd]# ipa group-add --desc=0 hbacgroup2 ------------------------ Added group "hbacgroup2" ------------------------ Group name: hbacgroup2 Description: 0 GID: 1436400005 [root@vm7 sssd]# ipa group-add --desc=0 hbacgroup2_external --external --------------------------------- Added group "hbacgroup2_external" --------------------------------- Group name: hbacgroup2_external Description: 0 [root@vm7 sssd]# ipa group-add-member hbacgroup2 --groups=hbacgroup2_external Group name: hbacgroup2 Description: 0 GID: 1436400005 Member groups: hbacgroup2_external ------------------------- Number of members added 1 ------------------------- [root@vm7 sssd]# ipa group-add-member hbacgroup2_external --external=mygroup2.com --users='' --groups='' Group name: hbacgroup2_external Description: 0 External member: S-1-5-21-663451879-2037396169-3163888224-1125 Member of groups: hbacgroup2 ------------------------- Number of members added 1 ------------------------- [root@vm7 sssd]# ipa hbacrule-add-user hbactest --groups=hbacgroup2 Rule name: hbactest Host category: all Service category: all Enabled: TRUE User Groups: hbacgroup, hbacgroup2 ------------------------- Number of members added 1 ------------------------- [root@vm7 sssd]# ipa hbacrule-disable allow_all ------------------------------ Disabled HBAC rule "allow_all" ------------------------------ [root@vm7 sssd]# id 'ADROOT1\myuser2' uid=1108801126(myuser2.com) gid=1108801126(myuser2.com) groups=1108801126(myuser2.com),1108800513(domain users.com),1108801125(mygroup2.com),1436400005(hbacgroup2) [root@vm7 sssd]# ssh -l 'ADROOT1\myuser2' $(hostname) ADROOT1\myuser2.example.test's password: Creating home directory for ADROOT1\myuser2. -sh-4.2$ id uid=1108801126(myuser2.com) gid=1108801126(myuser2.com) groups=1108801126(myuser2.com),1108800513(domain users.com),1108801125(mygroup2.com),1436400005(hbacgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [root@vm7 sssd]# cd /var/log/sssd [root@vm7 sssd]# grep "no groups" * [root@vm7 sssd]# grep "no groups" /var/log/messages [root@vm7 sssd]# grep "no groups" /var/log/secure [root@vm7 sssd]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0441.html