Bug 1242942 - well-known SID check is broken for NetBIOS prefixes
Summary: well-known SID check is broken for NetBIOS prefixes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-07-14 13:04 UTC by Jakub Hrozek
Modified: 2020-05-02 18:07 UTC (History)

Fixed In Version: sssd-1.13.0-5.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 11:39:22 UTC
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3758 None None None 2020-05-02 18:07:12 UTC
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Jakub Hrozek 2015-07-14 13:04:43 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2717

When an AD user or group is specified using a flatname (ADX\Domain Admins instead of Domain Admins@adx.test) and name-to-SID translation is requested, the check for well-known SIDs uses the wrong expression to parse the specified name, considers it invalid and bails out.

As a result, it breaks FreeIPA resolving names to SIDs in the 'ipa group-add-member --external' command.

{{{
Python 2.7.10 (default, Jul  5 2015, 14:15:43) 
[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('ADX\\Domain Admins')
{}
>>> pysss_nss_idmap.getsidbyname("ADX\\Domain Admins")
{}
>>> pysss_nss_idmap.getsidbyname('ADX\Domain Admins')
{}
>>> pysss_nss_idmap.getsidbyname("ADX\Domain Admins")
{}
>>> 
}}}

If I specify an explicit 're_expression' that includes flatname prefix, things work:
{{{
# grep re_expression /etc/sssd/sssd.conf
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
# python
Python 2.7.10 (default, Jul  5 2015, 14:15:43) 
[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('ADX\Domain Admins')
{'ADX\\Domain Admins': {'type': 2, 'sid': u'S-1-5-21-3491614383-3036065072-3935721777-512'}}
>>> 
}}}
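The name parsing behind this report, as an added example that is not part of the bug report or of sssd's code: the three alternatives of the re_expression shown above implemented with Python's re module, next to a parser assumed (for illustration only) to lack the flatname alternative, which reproduces the "bails out" result. The names parse_name, lookup_sid, FULL_EXPRESSION and NO_FLATNAME are assumptions of this example, and the dictionaries it returns are constructed stand-ins, not real SIDs.

```python
import re

# The three alternatives of the re_expression quoted in the report, kept as
# separate patterns: sssd uses PCRE, which allows a group name to be defined
# in more than one alternative, while Python's re module rejects that.
FLATNAME = re.compile(r'^(?P<domain>[^\\]+)\\(?P<name>.+)$')   # ADX\Domain Admins
UPN      = re.compile(r'^(?P<name>[^@]+)@(?P<domain>.+)$')      # Domain Admins@adx.test
BARE     = re.compile(r'^(?P<name>[^@\\]+)$')                   # Domain Admins

FULL_EXPRESSION = (FLATNAME, UPN, BARE)
# Assumed for illustration: a parser that lacks the flatname alternative.
# The report only says the check used the "wrong expression" and that an
# explicit re_expression with the flatname prefix made lookups work.
NO_FLATNAME = (UPN, BARE)


def parse_name(fqname, patterns=FULL_EXPRESSION):
    """Split a user or group name into (name, domain).

    Returns None when no alternative matches; domain is None for a bare
    name. Alternatives are tried in the order sssd lists them, so the first
    one that matches wins.
    """
    for pattern in patterns:
        match = pattern.match(fqname)
        if match:
            return match.group('name'), match.groupdict().get('domain')
    return None


def lookup_sid(fqname, patterns=FULL_EXPRESSION):
    """Mirror the failure mode in the report: the well-known-SID check parses
    the name first and, when that fails, the whole lookup returns {} instead
    of falling through to the real name-to-SID request.

    The value returned on success is a constructed stand-in that records how
    the name was parsed; no directory is queried and no SID is produced.
    """
    parsed = parse_name(fqname, patterns)
    if parsed is None:
        return {}
    name, domain = parsed
    return {fqname: {'name': name, 'domain': domain}}


if __name__ == '__main__':
    for variant in ('ADX\\Domain Admins', 'Domain Admins@adx.test', 'Domain Admins'):
        print(variant, '->', parse_name(variant))
    print(lookup_sid('ADX\\Domain Admins', NO_FLATNAME))   # {} : bails out
```

Note that in the Python sessions above 'ADX\Domain Admins' and 'ADX\\Domain Admins' are the same string, since \D is not a recognised escape, which is why all four spellings behave alike.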

Comment 1 Jakub Hrozek 2015-07-16 13:31:57 UTC
* master: 4f1897ad419790834573643e88ac03e6c5c1c4be

Comment 3 Sudhir Menon 2015-09-15 14:42:44 UTC
Jakub,

Can you confirm if this is what is expected here with the fix?
Here are the observations on RHEL7.2

1. SIDs are returned for trusted AD groups

>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('TEST\\Domain Admins')
{'TEST\\Domain Admins': {'type': 2, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-512'}}
>>> pysss_nss_idmap.getsidbyname('TEST\Domain Admins')
{'TEST\\Domain Admins': {'type': 2, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-512'}}
>>> pysss_nss_idmap.getsidbyname("TEST\Domain Admins")
{'TEST\\Domain Admins': {'type': 2, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-512'}}
>>> pysss_nss_idmap.getsidbyname("TEST\\Domain Admins")
{'TEST\\Domain Admins': {'type': 2, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-512'}}

2. SIDs are returned for trusted AD users.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('TEST\\user1')
{'TEST\\user1': {'type': 3, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-1118'}}
>>> pysss_nss_idmap.getsidbyname("TEST\\user1")
{'TEST\\user1': {'type': 3, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-1118'}}
>>> pysss_nss_idmap.getsidbyname("TEST\user1")
{'TEST\\user1': {'type': 3, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-1118'}}
>>> pysss_nss_idmap.getsidbyname('TEST\user1')
{'TEST\\user1': {'type': 3, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-1118'}}

Comment 4 Jakub Hrozek 2015-09-16 07:27:34 UTC
Redirecting needinfo to bug owner, but the reproducer looks OK to me. I would just test more different groups and also make sure the FQDN format works as well.

Comment 5 Sumit Bose 2015-09-16 07:48:09 UTC
Yes, the reproducers are ok. If you do not have it in other test you might want to add lookups with 'Domain Admins@ad.domain' as well. Those are not related to the reported issue but would make the test complete in the sense that all allowed variants of a fully-qualified name are tested.

Comment 6 Jakub Hrozek 2015-09-16 08:23:23 UTC
btw why is the bug marked as FailedQA??

Comment 7 Sudhir Menon 2015-09-16 08:52:07 UTC
Sumit,

I have the below user/group in trust AD for which the SID is not returned.

>>> pysss_nss_idmap.getsidbyname('TEST\\user10')
{}
>>> pysss_nss_idmap.getsidbyname('TEST\\user101')
{}
>>> pysss_nss_idmap.getsidbyname("TEST\\test-group1")
{}
>>> pysss_nss_idmap.getsidbyname('TEST\\Domain Admins@test.in')
{}

Comment 8 Sudhir Menon 2015-09-16 09:20:35 UTC
Verified On: RHEL7.2
sssd-1.13.0-26.el7.x86_64
ipa-server-4.2.0-9.el7.x86_64

Observations:
resolv.conf entries were incorrect after the system went on a reboot in the testing environment, as a result of which the lookup failed.
Correcting them fixed the issue and returned the SID for groups and users.

>>> pysss_nss_idmap.getsidbyname('TEST\\user10')
{'TEST\\user10': {'type': 3, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-1130'}}
>>> pysss_nss_idmap.getsidbyname('TEST\\user101')
{'TEST\\user101': {'type': 3, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-1137'}}
>>> pysss_nss_idmap.getsidbyname('TEST\\Domain Controllers')
{'TEST\\Domain Controllers': {'type': 2, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-516'}}
>>> pysss_nss_idmap.getsidbyname('TEST\\DNSAdmins')
{'TEST\\DNSAdmins': {'type': 2, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-1101'}}
>>> pysss_nss_idmap.getsidbyname('TEST\\Domain Admins')
{'TEST\\Domain Admins': {'type': 2, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-512'}}
>>> pysss_nss_idmap.getsidbyname('Domain Admins@test.in')
{'Domain Admins@test.in': {'type': 2, 'sid': u'S-1-5-21-742749997-2996825573-4184801258-512'}}

Comment 9 Jakub Hrozek 2015-09-16 09:47:58 UTC
Thanks for testing, can you also remove the failedQA keyword? IIRC this bug never failed testing..

Comment 10 errata-xmlrpc 2015-11-19 11:39:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html
