Description of problem:
The issue is that an HBAC rule denies access to a system. This is because the user object in the sssd cache is missing the "originalMemberOf" attribute, which is used by the HBAC rule to decide if access is allowed or denied. The attribute must have been removed from the cache by some operation. It's unclear, though, which operation triggered the removal.
sssd-1-13 version is being reviewed, but since the bug is fixed upstream, I'm moving the bug to POST.
And this bug was added to the build a long time ago.
Master: RHEL 7.5
AD: Windows 2016
Client: RHEL 6.9

IPA server installed on RHEL-7.5 and trust established with Windows 2016.
IPA client installed on RHEL-6.9.

Step 2: On client
# id firstname.lastname@example.org

Step 3: On IPA server
# ipa group-add --desc=0 hbacgroup_external --external
# ipa group-add-member hbacgroup_external --email@example.com' --users='' --groups=''
# ipa group-add --desc=0 hbacgroup
# ipa group-add-member hbacgroup --groups=hbacgroup_external
# ipa hbacrule-add hbacrule --hostcat=all --servicecat=all
# ipa hbacrule-add-user hbacrule --groups='hbacgroup'
# ipa hbacrule-disable allow_all
# ipa hbacrule-find --all hbacrule

Step 5: On client
# ldbsearch -H /var/lib/sss/db/cache_IPA-master.ldb
# ldbsearch -H /var/lib/sss/db/cache_tomupn14.test.ldb | grep 'originalMemberOf: cn=hbacgroup'
# id firstname.lastname@example.org | grep hbacgroup

Console logs are added in the attachment.
Created attachment 1411684
Console logs for verification steps.
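The verification above greps the sssd cache for one originalMemberOf value. The script below is an added example, not part of this bug report and not SSSD or IPA code; it does the same check over an LDIF dump of the cache but distinguishes "user cached without the attribute" (the symptom in this bug) from "user not cached at all". The sample LDIF is constructed, and the domain, user names and group DN are assumptions; on a real client the input would be the output of `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb`.

```shell
#!/bin/sh
# Added example (not from this bug report or from SSSD/IPA): inspect an LDIF
# dump of the sssd cache and report whether a user's originalMemberOf contains
# the group an HBAC rule matches on. Constructed sample input; real input comes
# from: ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb

# Constructed sample: alice carries the attribute, bob does not, carol is absent.
SAMPLE_LDIF='# record 1
dn: name=alice@example.test,cn=users,cn=example.test,cn=sysdb
name: alice@example.test
objectClass: user
originalMemberOf: cn=hbacgroup,cn=groups,cn=accounts,dc=ipa,dc=test
originalMemberOf: cn=other,cn=groups,cn=accounts,dc=ipa,dc=test

# record 2
dn: name=bob@example.test,cn=users,cn=example.test,cn=sysdb
name: bob@example.test
objectClass: user

# returned 2 records
'

# Assumed group DN of the IPA group the HBAC rule references.
HBAC_GROUP_DN='cn=hbacgroup,cn=groups,cn=accounts,dc=ipa,dc=test'

# check_membership USER GROUP_DN
# Reads LDIF on stdin. Exit status:
#   0  user cached and originalMemberOf contains GROUP_DN (rule can match)
#   1  user cached but that originalMemberOf value is absent (rule denies)
#   2  user not present in the cache at all
check_membership() {
    awk -v user="$1" -v groupdn="$2" '
        BEGIN { RS = ""; FS = "\n"; found = 0; hit = 0 }
        {
            # paragraph mode: one LDIF record per blank-line-separated block
            isuser = 0
            for (i = 1; i <= NF; i++) if ($i == ("name: " user)) isuser = 1
            if (!isuser) next
            found = 1
            for (i = 1; i <= NF; i++) if ($i == ("originalMemberOf: " groupdn)) hit = 1
        }
        END { if (!found) exit 2; if (!hit) exit 1; exit 0 }
    '
}

# report USER GROUP_DN: run the check against SAMPLE_LDIF and explain the result
report() {
    rc=0
    printf '%s\n' "$SAMPLE_LDIF" | check_membership "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1: originalMemberOf has $2 -> HBAC rule can allow" ;;
        1) echo "$1: cached but originalMemberOf lacks $2 -> HBAC rule denies" ;;
        2) echo "$1: not in the sssd cache" ;;
    esac
    return $rc
}

for u in alice@example.test bob@example.test carol@example.test; do
    report "$u" "$HBAC_GROUP_DN" || :
done
```

Exit status 1 is the case this bug describes: the user is cached, so `id` resolves, yet the attribute the rule needs is gone and access is denied; exit status 2 points instead at a lookup that never populated the cache.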
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.