Description of problem:
When SSSD goes offline due to a network connectivity issue, the first login attempt fails and does not allow the user to login or su. Following attempts do work.

Upstream ticket:
https://fedorahosted.org/sssd/ticket/2964

Version-Release number of selected component (if applicable):
1.13.3

How reproducible:
Always.

Steps to Reproduce:
1. Set up SSSD and permit user to access host via GPO access.
2. Force SSSD to go offline using iptables and block the port.
   iptables -F
   iptables -A INPUT -s $AD_SERVER1_IP -j DROP
   iptables -A OUTPUT -d $AD_SERVER1_IP -j DROP
3. Attempt to login or su
** Or run downstream QE tests **

Actual results:
User is not allowed to login.

Expected results:
User can login.

Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/2964
master:
* bdd533146cb2da71b7c39ad0efa2e5baca7257eb

sssd-1-13:
* 33973418462b75592122343e318045a6905c475b
Verified against sssd-client.x86_64 0:1.13.3-53.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ad_gpo_007: ad gpo offline mode
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'offline'
:: [ BEGIN ] :: Running 'su_success 'allow_u-1666474' Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- allow_u-1666474
Password:
:: [ PASS ] :: Command 'su_success 'allow_u-1666474' Secret123' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'su_success 'allow_gu-1666474' Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- allow_gu-1666474
Password:
:: [ PASS ] :: Command 'su_success 'allow_gu-1666474' Secret123' (Expected 0, got 0)
:: [ BEGIN ] :: Running 'su_fail 'regular_u-1666474' Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- regular_u-1666474
Password:
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0632.html