1335400 – In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1335400 - In IPA-AD trust environment access is granted to AD user even if the user is disabled on AD.

Summary: In IPA-AD trust environment access is granted to AD user even if the user is ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.7
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	SSSD Maintainers
QA Contact:	Steeve Goveas
Docs Contact:	Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks:	1342058
TreeView+	depends on / blocked

Reported:	2016-05-12 07:46 UTC by Thorsten Scherf
Modified:	2020-05-04 10:55 UTC (History)
CC List:	11 users (show)
Fixed In Version:	sssd-1.13.3-24.el6
Doc Type:	Bug Fix
Doc Text:	Users with expired or locked accounts now cannot log in to IdM clients with their SSH keys When a trusted Active Directory (AD) user with an expired or locked user account attempted to log in to an Identity Management (IdM) client using a non-password login method, such as SSH keys, the login was successful. With this update, the IdM client checks the AD lockout attribute when verifying whether an AD user is allowed to log in. As a result, AD users with expired or locked accounts are no longer permitted to log in in this situation. Note that this bug has no security impact: The AD user could not obtain a Kerberos ticket on the IdM client because the user account was expired or locked on the server side.
Clone Of:
Clones:	1342058 (view as bug list)
Environment:
Last Closed:	2017-03-21 09:56:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 3968	0	None	None	None	2020-05-04 10:55:10 UTC
Red Hat Product Errata	RHBA-2017:0632	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2017-03-21 12:30:13 UTC

Description Thorsten Scherf 2016-05-12 07:46:21 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2927

Ticket was cloned from Red Hat Bugzilla (product ''Red Hat Enterprise Linux 7''): [https://bugzilla.redhat.com/show_bug.cgi?id=1296902 Bug 1296902]

''Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.''

{{{
Description of problem:
In IPA-AD trust environment disabling the AD user, access is denied as expected
when the AD user logs in through SSH using password. However, access is still
granted when AD user logs in using SSH public keys.


Version-Release number of selected component (if applicable):
-


How reproducible:
Always.

Steps to Reproduce:
1] Configure trust between IPA and AD domain.
2] Generate ssh keys using ssh-keygen for AD user on client system and copy it
over.
3] Disable AD user on Active Directory.
4] AD user can login to the system using ssh key and below logs are getting
reported on the system during that time. For eg:

-----
-sh-4.1$ hostname
rhel6u7-2.gsslab.pnq2.redhat.com
-sh-4.1$ hostname
rhel6u7-2.gsslab.pnq2.redhat.com
-sh-4.1$ id
uid=1435801109(chinmay.redhat.com)
gid=1435801109(chinmay.redhat.com)
groups=1435801109(chinmay.redhat.com),1435800513(domain
users.redhat.com)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ ssh chinmay.redhat.com.pnq2.redhat.com
Last login: Thu Jan  7 12:40:25 2016 from rhel6u7-2.gsslab.pnq2.redhat.com
-sh-4.1$ hostname
rhel6u6-1.gsslab.pnq2.redhat.com
-sh-4.1$ pwd
/home/gsslab.rdu2.redhat.com/chinmay

Secure logs:

Jan  7 13:41:58 rhel6u6-1 sshd[2826]: Accepted publickey for
chinmay.redhat.com from 10.74.133.184 port 56718 ssh2
Jan  7 13:41:58 rhel6u6-1 sshd[2826]: pam_unix(sshd:session): session opened
for user chinmay.redhat.com by (uid=0)
-----

5] Access is getting denied as expected when using password.

-----
-sh-4.1$ hostname
rhel6u6-1.gsslab.pnq2.redhat.com
-sh-4.1$ pwd
/home/gsslab.rdu2.redhat.com/chinmay
-sh-4.1$ exit
logout
Connection to rhel6u6-1.gsslab.pnq2.redhat.com closed.
-sh-4.1$ hostname
rhel6u7-2.gsslab.pnq2.redhat.com
-sh-4.1$ id
uid=1435801109(chinmay.redhat.com)
gid=1435801109(chinmay.redhat.com)
groups=1435801109(chinmay.redhat.com),1435800513(domain
users.redhat.com)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ ssh chinmay.redhat.com.pnq2.redhat.com -o
PubkeyAuthentication=no
chinmay.redhat.com.pnq2.redhat.com's password:
Permission denied, please try again.


Secure logs:

Jan  7 13:45:50 rhel6u6-1 sshd[2857]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=rhel6u7-2.gsslab.pnq2.redhat.com  user=chinmay.redhat.com
Jan  7 13:45:50 rhel6u6-1 sshd[2857]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=rhel6u7-2.gsslab.pnq2.redhat.com user=chinmay.redhat.com
Jan  7 13:45:50 rhel6u6-1 sshd[2857]: pam_sss(sshd:auth): received for user
chinmay.redhat.com: 13 (User account has expired)
Jan  7 13:45:52 rhel6u6-1 sshd[2857]: Failed password for
chinmay.redhat.com from 10.74.133.184 port 56719 ssh2
-----

Actual results:
AD user is able to login on client systems using the SSH public keys even if
the user is disabled on AD.

Expected results:
Access should be denied for AD user as it is disabled.

Additional info:
I also configured two systems as an AD client using sssd and AD user is denied
as expected when the user is disabled on AD and login to the client system
using ssh public key as well as password. It seems ipa-client-install script
modifies the sshd configuration files and enables ssh public key authentication
on IPA client systems.
}}}

Comment 8 Sudhir Menon 2016-11-26 18:17:34 UTC

Disabled user on AD is no more allowed to login.
Fix is seen. Verified using RHEL7.3 IPA master and RHEL6.9 IPA client 

ipa-server-4.4.0-14.el7_3.x86_64
sssd-1.14.0-43.el7_3.9.x86_64

ipa-client-3.0.0-51.el6.x86_64
sssd-1.13.3-46.el6.x86_64

Steps:-

=====On IPA Master====

1. Created a view.
[root@master ~]# ipa idview-add view1.

2. Add user to the view.
[root@master ~]# ipa idoverrideuser-add view1 user2

3. Copied the contents of id_rsa.pub created as user2 localhost login to the view1 of which the user is part.
[root@master ~]#ipa idoverrideruser-mod view1 user2 --sshpubkey='ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA3sKUVkWNSkfoQiI1zK3cf+0/2+rUemzoTTyI4uWj/XJjvg4ffZXv6pKilong6xpLSc6/J6s891GMeAOMthyqLXw7H+rH+sB4rHJXbOk6NgzMjWiBDieAJIGFkgwcINeBEABAJtpFNM997DSvyGMn0aktOnkLXXP29NsBsNC6ka9MQfbMqJUBXViyUHRcJV9+79roK1Z3TtG17sp2UBBJeA3iO9nf43KTyEORkS+eusuFS6ux35fdE+3Mhw1ikftFCjT6CQHox1GmlCBJFoCKOAnMp6J/AJy2N6KTN5t7jQ6zhiFQImSyNbcS7dsx4bY3cR27SsS4QbyFET3eyFkjjQ==
user2@client.testqe.test'

4. Applied the view for the client from where the login is done
#ipa idview-apply --hosts=client.testrelm.test

5. Verifying view details
[root@master .ssh]# kinit admin
Password for admin: 
[root@master .ssh]# ipa idoverrideuser-find view1
--------------------------
1 User ID override matched
--------------------------
  Anchor to override: user2
  User login: user2
  Home directory: /home/user2
  SSH public key: ssh-rsa                 AAAAB3NzaC1yc2EAAAABIwAAAQEA3sKUVkWNSkfoQiI1zK3cf+0/2+rUemzoTTyI4uWj/XJjvg4ffZXv6pKilong6xpLSc6/J6s891GMeAOMthyqLXw7H+rH+sB4rHJXbOk6NgzMjWiBDieAJIGFkgwcINeBEABAJtpFNM997DSvyGMn0aktOnkLXXP29NsBsNC6ka9MQfbMqJUBXViyUHRcJV9+79roK1Z3TtG17sp2UBBJeA3iO9nf43KTyEORkS+eusuFS6ux35fdE+3Mhw1ikftFCjT6CQHox1GmlCBJFoCKOAnMp6J/AJy2N6KTN5t7jQ6zhiFQImSyNbcS7dsx4bY3cR27SsS4QbyFET3eyFkjjQ==
user2@client.testqe.test
----------------------------
Number of entries returned 1
----------------------------

====On the IPA Client====

[root@client ~]# sss_ssh_authorizedkeys user2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3sKUVkWNSkfoQiI1zK3cf+0/2+rUemzoTTyI4uWj/XJjvg4ffZXv6pKilong6xpLSc6/J6s891GMeAOMthyqLXw7H+rH+sB4rHJXbOk6NgzMjWiBDieAJIGFkgwcINeBEABAJtpFNM997DSvyGMn0aktOnkLXXP29NsBsNC6ka9MQfbMqJUBXViyUHRcJV9+79roK1Z3TtG17sp2UBBJeA3iO9nf43KTyEORkS+eusuFS6ux35fdE+3Mhw1ikftFCjT6CQHox1GmlCBJFoCKOAnMp6J/AJy2N6KTN5t7jQ6zhiFQImSyNbcS7dsx4bY3cR27SsS4QbyFET3eyFkjjQ== user2@client.testqe.test

[root@client ~]# ssh -l user2 localhost 
user2@localhost's password: 

[root@client ~]# ssh-ketgen -t rsa
/home/user2/.ssh
-sh-4.1$ ls -l
total 12
-rw-------. 1 user2 user2 1675 Nov 25 19:56 id_rsa
-rw-r--r--. 1 user2 user2  413 Nov 25 19:56 id_rsa.pub

[root@client ~]# ssh  -l user2 localhost 
user2@localhost's password: 
Last login: Sat Nov 26 23:29:09 2016 from localhost
-sh-4.1$ ssh -l user2 master.testqe.test -o PubkeyAuthentication=yes
Last login: Sat Nov 26 23:29:16 2016 from 10.76.33.237

-sh-4.2$ id
uid=577602331(user2) gid=577602331(user2) groups=577602331(user2),577600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ getent passwd user2
user2:*:577602331:577602331:user2:/home/pne.qe/user2:

After disabling the user2 on AD domain pne.qe

[root@client ~]# ssh  -l user2 localhost 
user2@localhost's password: 
Permission denied, please try again.
user2@localhost's password: 
Permission denied, please try again.
user2@localhost's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Nov 25 19:37:33 master sshd[11694]: pam_sss(sshd:auth): received for user user2: 7 (Authentication failure)
Nov 25 19:37:33 master sshd[11686]: error: PAM: Authentication failure for user2 from dhcp200-237.lab.eng.pnq.redhat.com

Comment 12 errata-xmlrpc 2017-03-21 09:56:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0632.html

Note You need to log in before you can comment on or make changes to this bug.