1369118 – Don't enable the default shadowtils domain in RHEL

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1369118 - Don't enable the default shadowtils domain in RHEL

Summary: Don't enable the default shadowtils domain in RHEL

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	SSSD Maintainers
QA Contact:	Steeve Goveas
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-08-22 13:58 UTC by Sudhir Menon
Modified:	2016-11-04 07:20 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sssd-1.14.0-36.el7
Doc Type:	Bug Fix
Doc Text:	The proxy configuration has been removed from the SSSD default configuration file Previously, the System Security Services Daemon's (SSSD) `/usr/lib64/sssd/conf/sssd.conf` default configuration file used an auto-configured domain to proxy all requests to the "/etc/passwd" and "/etc/groups" files. This proxy configuration failed to integrate with other utilities like "realmd" or "ipa-client-install". To fix the incompatibilities, the [domain/shadowutils] proxy configuration has been removed and SSSD now works correctly.
Clone Of:
Environment:
Last Closed:	2016-11-04 07:20:46 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2016:2476	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2016-11-03 14:08:11 UTC

Description Sudhir Menon 2016-08-22 13:58:30 UTC

Description of problem: ipa-client-install add [domain/shadowutils] in sssd.conf file

Version-Release number of selected component (if applicable):
sssd-1.14.0-27.el7.x86_64


How reproducible: Always


Steps to Reproduce:
1. ipa-client-install
2. Check the /etc/sssd/sssd.conf file

Actual results:
There is [domain/shadowutils] section added apart from the actual IPA domain to which the client is connected.

[root@client ~]# cat /etc/sssd/sssd.conf

[domain/redlabs.qe]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = redlabs.qe
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.redlabs.qe
chpass_provider = ipa
ipa_server = _srv_, replica.redlabs.qe
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = shadowutils, redlabs.qe

[nss]

[pam]

[domain/shadowutils]
id_provider = proxy
proxy_lib_name = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True

[ssh]

[sudo]

Expected results: Not sure if we should have domain/shadowutils section apart from ipa domain section

Additional info:

Comment 1 Sudhir Menon 2016-08-22 14:53:01 UTC

Jakub,
Will this also take care of not creating timestamps_shadowutils.ldb file created in /var/lib/sss/db/ directory.

Comment 2 Jakub Hrozek 2016-08-22 14:56:59 UTC

The idea is not ship the shadowutils domain at all in RHEL, so, yes.

Comment 4 Sudhir Menon 2016-08-22 15:15:19 UTC

Yes we should be removing this as the fix for the issue.

Just wanted to share one observation.
sss was present in nsswitch.conf file against initgroups in ipa-client.
Only after commenting out the below in sssd.conf, found that the id command displayed the proper output i.e the one similar on ipa-server for trusted user.

This clearly indicates that the existence of the below section in sssd.conf file can corrupt the output of id command as well.

However i believe this is expected because there are two domain sections to be looked upon.

#[domain/shadowutils]
#id_provider = proxy
#proxy_lib_name = files
#
#auth_provider = proxy
#proxy_pam_target = sssd-shadowutils
#proxy_fast_alias = True

===id output on IPA server===
[root@ipaserver sssd]# id administrator
uid=558000500(administrator) gid=558000500(administrator) groups=558000500(administrator),558000520(group policy creator owners),558000512(domain admins),558000519(enterprise admins),558000518(schema admins),558000513(domain users)


===Before commenting the domain/shadowutils section===
[root@client sssd]# id administrator
uid=558000500(administrator) gid=558000500(administrator) groups=558000500(administrator)

===After commenting the domain/shadowutils section===
[root@client sssd]# id administrator
uid=558000500(administrator) gid=558000500(administrator) groups=558000500(administrator),558000520(group policy creator owners),558000512(domain admins),558000519(enterprise admins),558000518(schema admins),558000513(domain users)

Comment 6 Lukas Slebodnik 2016-08-25 13:04:09 UTC

(In reply to Sudhir Menon from comment #4)
> Yes we should be removing this as the fix for the issue.
> 
> Just wanted to share one observation.
> sss was present in nsswitch.conf file against initgroups in ipa-client.
> Only after commenting out the below in sssd.conf, found that the id command
> displayed the proper output i.e the one similar on ipa-server for trusted
> user.
> 
> This clearly indicates that the existence of the below section in sssd.conf
> file can corrupt the output of id command as well.
> 
> However i believe this is expected because there are two domain sections to
> be looked upon.
> 
> #[domain/shadowutils]
> #id_provider = proxy
> #proxy_lib_name = files
> #
> #auth_provider = proxy
> #proxy_pam_target = sssd-shadowutils
> #proxy_fast_alias = True
> 
> ===id output on IPA server===
> [root@ipaserver sssd]# id administrator
> uid=558000500(administrator) gid=558000500(administrator)
> groups=558000500(administrator),558000520(group policy creator
> owners),558000512(domain admins),558000519(enterprise
> admins),558000518(schema admins),558000513(domain users)
> 
> 
> ===Before commenting the domain/shadowutils section===
> [root@client sssd]# id administrator
> uid=558000500(administrator) gid=558000500(administrator)
> groups=558000500(administrator)
> 
> ===After commenting the domain/shadowutils section===
> [root@client sssd]# id administrator
> uid=558000500(administrator) gid=558000500(administrator)
> groups=558000500(administrator),558000520(group policy creator
> owners),558000512(domain admins),558000519(enterprise
> admins),558000518(schema admins),558000513(domain users)

The domain shadowutils should not cause such behaviour.
That sound to me like a bug in sssd that it cannot handle initgroups
properly in multi domain setup.

IMHO, you would get right results after following change in sssd.conf

-domains = shadowutils, redlabs.qe
+domains = redlabs.qe, shadowutils

Comment 7 Lukas Slebodnik 2016-08-25 14:02:56 UTC

Sudhir,
could you confirm ?

Comment 8 Jakub Hrozek 2016-09-05 10:17:39 UTC

(In reply to Sudhir Menon from comment #4)
> Yes we should be removing this as the fix for the issue.
> 
> Just wanted to share one observation.
> sss was present in nsswitch.conf file against initgroups in ipa-client.
> Only after commenting out the below in sssd.conf, found that the id command
> displayed the proper output i.e the one similar on ipa-server for trusted
> user.
> 
> This clearly indicates that the existence of the below section in sssd.conf
> file can corrupt the output of id command as well.

Hi,

I wanted to work on this bugzilla and I don't have a problem with removing this functionality in RHEL-7.3. But I can't reproduce the problem you mention where the presence of the additional domain changes the functionality.

Could you please set me up a system which reproduces the bug so I can take a look what the problem is exactly?

Thank you!

Comment 9 Sudhir Menon 2016-09-06 10:48:06 UTC

Lukas,
Tried what you have mentioned in comment 6, but unfortunately id command doesn't display same output on client.

Jakub,
Provided the system details on email.

Comment 10 Lukas Slebodnik 2016-09-06 16:26:23 UTC

BTW, this bug should not happen with SELinux in enforcing mode.
Because sssd would not be allowed to copy default configuration file /usr/lib64/sssd/conf/sssd.conf into /etc/sssd/sssd.conf

Comment 14 Lukas Slebodnik 2016-09-09 09:35:52 UTC

(In reply to Jakub Hrozek from comment #8)
> (In reply to Sudhir Menon from comment #4)
> > Yes we should be removing this as the fix for the issue.
> > 
> > Just wanted to share one observation.
> > sss was present in nsswitch.conf file against initgroups in ipa-client.
> > Only after commenting out the below in sssd.conf, found that the id command
> > displayed the proper output i.e the one similar on ipa-server for trusted
> > user.
> > 
> > This clearly indicates that the existence of the below section in sssd.conf
> > file can corrupt the output of id command as well.
> 
> Hi,
> 
> I wanted to work on this bugzilla and I don't have a problem with removing
> this functionality in RHEL-7.3. But I can't reproduce the problem you
> mention where the presence of the additional domain changes the
> functionality.
> 
> Could you please set me up a system which reproduces the bug so I can take a
> look what the problem is exactly?
> 
> Thank you!

Even though this feature was revered in downstream. I would still like to analyse it. Could you please set me up a system which reproduces the bug ?

Comment 15 Jakub Hrozek 2016-09-10 09:02:57 UTC

(In reply to Lukas Slebodnik from comment #14)
> Even though this feature was revered in downstream. I would still like to
> analyse it. Could you please set me up a system which reproduces the bug ?

Feel free to check again, but to me it looked like the problem was in the nsswitch.conf again:

15:32 < jhrozek> smenon: ping, I only restarted ipa on the server to pick up nsswitch.conf changes and now everything works even with the shadowutils domain. Can you please take a look again if I'm not overlooki
ng some change?
15:33 < smenon> jhrozek: sure
15:33 < jhrozek> smenon: I still think it makes sense to remove the shadowutils stuff from RHEL, but I just want to make sure I'm not missing another bug
15:33 < smenon> jhrozek: ok 
15:34 < smenon> jhrozek: looks good to me as ipa-client is giving correct output as server
15:35 < smenon> jhrozek: but the question remains why would someone restart ipa service for this to work ?
15:35 < smenon> jhrozek: this should be pickedup instantly like it was before without multidomain
15:45 < jhrozek> smenon: that's a different issue, I suspect it has again something to do with the nsswitch.conf authconfig bug
15:45 < jhrozek> smenon: because I wasn't seeing initgroups reaching SSSD from the IPA extdom plugin at all and nsswitch.conf is only read on application startup
15:46 < smenon> jhrozek: ok

Comment 16 Sudhir Menon 2016-09-14 13:34:40 UTC

Lukas,

The issue is no more relevant because multidomain is now removed from the sssd config file. 

Tested on RHEL7.3 using 

sssd-client-1.14.0-38.el7.x86_64
sssd-ipa-1.14.0-38.el7.x86_64
sssd-proxy-1.14.0-38.el7.x86_64
sssd-common-1.14.0-38.el7.x86_64
sssd-common-pac-1.14.0-38.el7.x86_64
sssd-ad-1.14.0-38.el7.x86_64
sssd-krb5-1.14.0-38.el7.x86_64
python-sssdconfig-1.14.0-38.el7.noarch
sssd-krb5-common-1.14.0-38.el7.x86_64
sssd-ldap-1.14.0-38.el7.x86_64
sssd-1.14.0-38.el7.x86_64

[root@client conf.d]# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Wed Sep 14 10:31:15 2016 UTC
    Valid Until: Sun Sep 14 10:31:15 2036 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://master.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.

[root@client conf.d]# cat /etc/sssd/sssd.conf 
[domain/testrelm.test]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.testrelm.test
chpass_provider = ipa
ipa_server = _srv_, master.testrelm.test
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh

domains = testrelm.test
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

Comment 20 errata-xmlrpc 2016-11-04 07:20:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html

Note You need to log in before you can comment on or make changes to this bug.