Bug 1202245 - SSSD's HBAC processing is not permissive enough with broken replication entries
Summary: SSSD's HBAC processing is not permissive enough with broken replication entries
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Duplicates: 1201977
Depends On: 1201974
Blocks: 1205796
Reported: 2015-03-16 08:26 UTC by Jakub Hrozek
Modified: 2020-05-02 17:58 UTC (History)
CC List: 13 users

Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Cause: When IPA replication had problems, replication conflict entries (whose RDN is multi-valued, with nsUniqueID as one of its values) appeared in the directory. SSSD could not handle this unexpected RDN format.
Consequence: If such replication conflict entries were encountered during HBAC processing, the user was denied access.
Fix: Replication conflict entries are now skipped.
Result: Users are permitted access even if replication conflict entries are encountered during HBAC processing.
Clone Of: 1201974
Environment:
Last Closed: 2015-11-19 11:36:25 UTC
Target Upstream Version:
Embargoed:

Links:
    Github SSSD sssd issues 3644 (closed): Make SSSD's HBAC validation more permissive if deny rules are not used (last updated 2020-08-18 00:03:12 UTC)
    Red Hat Product Errata RHSA-2015:2355 (normal, SHIPPED_LIVE): Low: sssd security, bug fix, and enhancement update (last updated 2015-11-19 10:27:42 UTC)
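The Doc Text above describes a resolver that treated the multi-valued RDN of a replication conflict entry as a fatal error, so a directory hygiene problem became an access denial for the user. The following is an added illustration, not SSSD's code: a small Python model of the HBAC member-resolution step, run over sample DNs constructed here (the nsuniqueid value is made up), with the strict pre-fix behaviour beside the post-fix skip.

```python
import logging
log = logging.getLogger("hbac")

# Constructed sample: DNs of the HBAC rules a user belongs to, as SSSD reads them
# from the IPA tree. The second DN is a 389-ds replication conflict entry whose
# RDN is multi-valued ("nsuniqueid=<id>+cn=<name>"); the nsuniqueid value is made up.
SAMPLE_MEMBER_DNS = [
    "cn=allow_sshd,cn=hbac,dc=example,dc=com",
    "nsuniqueid=66446001-1dd211b2-66225847-2f3f0000+cn=allow_sshd,cn=hbac,dc=example,dc=com",
    "cn=allow_ftp,cn=hbac,dc=example,dc=com",
]

class UnexpectedRdnError(ValueError):
    """The RDN is not the single 'cn=<name>' pair the resolver expects."""

def first_rdn(dn):
    # First RDN as (attribute, value) pairs; '+' joins the pairs of a
    # multi-valued RDN. Escaped ',' and '+' are not handled (none in the sample).
    return [tuple(part.split("=", 1)) for part in dn.split(",", 1)[0].split("+")]

def is_replication_conflict(dn):
    # Conflict entries are recognisable by the nsuniqueid attribute in their RDN.
    return any(attr.lower() == "nsuniqueid" for attr, _ in first_rdn(dn))

def rule_name_strict(dn):
    # Pre-fix behaviour: anything but a lone 'cn=<name>' RDN is an error.
    pairs = first_rdn(dn)
    if len(pairs) != 1 or pairs[0][0].lower() != "cn":
        raise UnexpectedRdnError(dn)
    return pairs[0][1]

def rule_names(dns, skip_conflicts):
    # With skip_conflicts=True (post-fix), conflict entries are logged and
    # skipped; with False (pre-fix) the first conflict entry aborts resolution.
    names = []
    for dn in dns:
        if skip_conflicts and is_replication_conflict(dn):
            log.warning("skipping replication conflict entry %s", dn)
            continue
        names.append(rule_name_strict(dn))
    return names

def hbac_decision(dns, skip_conflicts, wanted="allow_sshd"):
    # Access is granted only if the wanted rule resolves. Any error while
    # resolving is a denial, which is how one broken entry locked users out.
    try:
        names = rule_names(dns, skip_conflicts)
    except UnexpectedRdnError:
        return "deny", []
    return ("allow" if wanted in names else "deny"), names
```

Skipping a member entry can only drop an allow rule, so the relaxation is safe as long as no deny rules are in use, which is the condition the upstream issue title attaches to the more permissive validation.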

Comment 1 Jakub Hrozek 2015-03-16 08:31:08 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2603

Comment 3 Jakub Hrozek 2015-03-16 12:15:14 UTC
*** Bug 1201977 has been marked as a duplicate of this bug. ***

Comment 4 Jakub Hrozek 2015-03-24 20:58:38 UTC
Fixed upstream:
    master:
        6dff95bdfe437afc0b62b5270d0d84140981c786
        fdfe33975cd902bf7a334e49f2667f6346c4e6ae
        c41ae115bfa808d04e729dcbd759d8aae8387ce7
        64d8e2df816323a004bf6e7e9d05ba373b9e033d
        1243e093fd31c5660adf1bb3dd477d6935a755be 
    sssd-1-12:
        010c1c605cfcd2879a6f91ba61ea8db53aa4c5ae
        4df47543690a8b185d04ca6a0270e231e4491e6d
        a7c2e661a9bedd114941c9d5f33d20b70c18e878
        319f9710185929186778814b48f2227359d4f8f4

Comment 6 Abhijeet Kasurde 2015-10-07 10:25:50 UTC
Verifying Sanity only

 +-----------------------------[RPMs & OS: [RedHat - x86_64]-----------------------------+
|       ipa-admintools-4.2.0-12.el7.x86_64
|       ipa-client-4.2.0-12.el7.x86_64
|       ipa-server-4.2.0-12.el7.x86_64
|       ipa-server-dns-4.2.0-12.el7.x86_64
|       ipa-tests-ipa-server-rhel72-ipa-hbac-func-ksiddiqu-20150813111707.b8ddea8-0.noarch
|       ipa-tests-ipa-server-rhel72-quickinstall-20150821100514-0.noarch
|       ipa-tests-ipa-server-rhel72-shared-20150930150523-0.noarch
|       sssd-ipa-1.13.0-36.el7.x86_64
------------------------------------------------------------------------------------------

 +-----------------------------------------------------------------------------------------+
     Test:[/ipa-server/rhel72/ipa-hbac-func/root]: [ Pass(51/51): 100% ] 
 +-----------------------------------------------------------------------------------------+
:: [   PASS   ]   ipa-hbacsvc-func: Setup of users
:: [   PASS   ]   MASTER tests start
:: [   PASS   ]   ipa-hbacsvc-001: user1 part of rule1 is allowed to access CLIENT from CLIENT - SSHD Service
:: [   PASS   ]   ipa-hbacsvc-002: user1 part of rule1 is allowed to access MASTER from CLIENT2 - FTP Service
:: [   PASS   ]   ipa-hbacsvc-002_1: vsftpd service removed from rule1 which was allowed to access MASTER from CLIENT2 - FTP Service
:: [   PASS   ]   ipa-hbacsvc-003: user3 part of rule3 with default ftp svcgrp is allowed to access MASTER from CLIENT2
:: [   PASS   ]   ipa-hbacsvc-004: user4 part of rule4 is allowed to access hostgroup from CLIENT
:: [   PASS   ]   ipa-hbacsvc-005: user5 part of rule5 is allowed to access CLIENT from hostgroup
:: [   PASS   ]   ipa-hbacsvc-005_1: user5 is removed from rule5
:: [   PASS   ]   ipa-hbacsvc-006: user6 part of rule6 is allowed to access hostgroup from hostgroup2
:: [   PASS   ]   ipa-hbacsvc-007: user7 part of rule7 is allowed to access hostgroup from hostgroup2 with hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-007_1: user7 is removed from rule7 which was allowed to access hostgroup from hostgroup2 with hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-008: user8 from grp8 part of rule8 is allowed to access CLIENT2 from CLIENT
:: [   PASS   ]   ipa-hbacsvc-008_1: grp8 removed from rule8 which was allowed to access CLIENT2 from CLIENT
:: [   PASS   ]   ipa-hbacsvc-009: user9 from grp9 part of rule9 is allowed to access CLIENT2 from CLIENT - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-009_1: grp9 removed from rule9 which was allowed to access CLIENT2 from CLIENT - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-010: user10 from grp10 part of rule10 is allowed to access hostgrp from CLIENT
:: [   PASS   ]   ipa-hbacsvc-011: user11 from grp11 part of rule11 is allowed to access CLIENT2 from hostgrp - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-011_1: sshd service group removed from rule11 which was allowed to access CLIENT2 from hostgrp - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-012: user12 from grp12 part of rule12 is allowed to access CLIENT2 from hostgrp - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-013: user13 from grp13 part of rule13 is allowed to access hostgrp from hostgrp2
:: [   PASS   ]   ipa-hbacsvc-014: user14 from grp14 part of rule14 is allowed to access hostgrp from hostgrp2 - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-015: user15 from nestgrp15 part of rule15 is allowed to access CLIENT from CLIENT2
:: [   PASS   ]   ipa-hbacsvc-015_1: user15 removed from rule15 which was allowed to access CLIENT from CLIENT2
:: [   PASS   ]   ipa-hbacsvc-016: user16 from nestgrp16 part of rule16 is allowed to access CLIENT from CLIENT2 - hbacsvcgroup
:: [   PASS   ]   ipa-hbacsvc-016_1: user16 removed from rule16 which was allowed to access CLIENT from CLIENT2 - hbacsvcgroup
:: [   PASS   ]   ipa-hbacsvc-017: user17 from nestgrp17 part of rule17 is allowed to access host from hostgrp2
:: [   PASS   ]   ipa-hbacsvc-018: user18 from nestgrp18 part of rule18 is allowed to access host from hostgrp2 - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-019: user19 from nestgrp19 part of rule19 is allowed to access hostgrp from hostgrp2
:: [   PASS   ]   ipa-hbacsvc-020: user20 from nestgrp20 part of rule20 is allowed to access hostgrp from hostgrp2 - hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-020_1: hbac rule20 is removed.
:: [   PASS   ]   ipa-hbacsvc-021: user21 part of rule21 is allowed to access CLIENT from EXT_HOST
:: [   PASS   ]   ipa-hbacsvc-023: user23 part of group23 is allowed to access CLIENT2 from EXT_HOST2
:: [   PASS   ]   ipa-hbacsvc-025: user25 part of group25 is allowed to access CLIENT from EXT_HOST2
:: [   PASS   ]   ipa-hbacsvc-027: user27 part of rule27 is allowed to access CLIENT from CLIENT2 with empty hbacsvcgrp
:: [   PASS   ]   ipa-hbacsvc-028: user28 part of rule28 is allowed to access CLIENT from CLIENT2 with incorrect hbacsvc
:: [   PASS   ]   ipa-hbacsvc-029: user29 part of rule29 is allowed to access CLIENT from CLIENT2 with empty group
:: [   PASS   ]   ipa-hbacsvc-030: user30 part of rule30 is allowed to access CLIENT from CLIENT2 with empty netgroup
:: [   PASS   ]   ipa-hbacsvc-031: user31 part of UTF-8 is allowed to access CLIENT from CLIENT - SSHD Service
:: [   PASS   ]   ipa-hbacsvc-033: Offline client caching for enabled default HBAC rule
:: [   PASS   ]   ipa-hbacsvc-034: Offline client caching for disabled default HBAC rule
:: [   PASS   ]   ipa-hbacsvc-035: Offline client caching for custom HBAC rule
:: [   PASS   ]   ipa-hbacsvc-bugzila-001: bz736314 user736314 part of rule736314 is allowed to access MASTER from CLIENT
:: [   PASS   ]   ipa-hbacsvc-bugzilla-004: bz782927 Test sizelimit option to hbactest
:: [   PASS   ]   ipa-hbacsvc-bugzilla-005: bz772852 Unresolved rules in rules error message is displayed even if the hbacrule is specified using the rules option.
:: [   PASS   ]   ipa-hbacsvc-bugzilla-006: bz766876 RFE Make HBAC srchost processing optional - Case 1
:: [   PASS   ]   ipa-hbacsvc-bugzilla-009: bz766876 RFE Make HBAC srchost processing optional - Case 2
:: [   PASS   ]   ipa-hbacsvc-bugzilla-012: bz801769 - hbactest returns failure when hostgroups are chained
:: [   PASS   ]   ipa-hbacsvc-bugzilla-013: bz771706 sssd_be crashes during auth when there exists empty service group or hostgroup in an hbacrule.
:: [   PASS   ]   ipa-hbacrule-func-cleanup: Destroying admin credentials.
:: [   PASS   ]   /ipa-server/rhel72/ipa-hbac-func/root

 +----------------------------------------------------------------------+
                    Fail / unfinished / ABORT [ Fail(0/51): 0% ]
 +----------------------------------------------------------------------+



=========================== end of report [/tmp/tmp.cBa2qUEMkr/rhts.report.5316.txt]===============================
original rlJournalPrintText body saved as [/tmp/rhts.original.8536.txt]

Comment 7 errata-xmlrpc 2015-11-19 11:36:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

