Red Hat Bugzilla – Bug 1438360
The originalMemberOf attribute disappears from the cache, causing intermittent HBAC issues
Last modified: 2018-06-19 01:15:04 EDT
Description of problem:
The issue is that an HBAC rule denies access to a system. This is because the user object in the sssd cache is missing the "originalMemberOf" attr, which is used by the HBAC rule to decide if access is allowed or denied. The attribute must have been removed from the cache by some operation. It's unclear though which operation triggered the removal.

Version-Release number of selected component (if applicable):
sssd-1.13.3-22.el6_8.4.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3382
master: c92e49144978ad3b6c9fffa8803ebdad8f6f5b18
sssd-1-14: e1dafa7acf28e3e34b15def05ab5f065fdee10e8

The sssd-1-13 version is being reviewed, but since the bug is fixed upstream, I'm moving the bug to POST.
sssd-1-13: *88f6d8a

And this bug has been added to the build a long time ago.
Verified Using:
ipa-client-3.0.0-51.el6.x86_64
sssd-1.13.3-58.el6_9.x86_64

Setup:
Master : RHEL 7.5
AD : Windows 2016
client : RHEL 6.9

Step 1:
---------------------
IPA server installed on RHEL-7.5 and trust established using Windows 2016
IPA client is installed on RHEL-6.9

Step 2 : On client
---------------------
# id aduser1@ipaad2016.test

Step 3 : On IPA server
---------------------
# ipa group-add --desc=0 hbacgroup_external --external
# ipa group-add-member hbacgroup_external --external='adgroup1@ipaad2016.test' --users='' --groups=''
# ipa group-add --desc=0 hbacgroup
# ipa group-add-member hbacgroup --groups=hbacgroup_external
# ipa hbacrule-add hbacrule --hostcat=all --servicecat=all
# ipa hbacrule-add-user hbacrule --groups='hbacgroup'
# ipa hbacrule-disable allow_all
# ipa hbacrule-find --all hbacrule

Step 5 : On Client
-------------------
# ldbsearch -H /var/lib/sss/db/cache_IPA-master.ldb
# ldbsearch -H /var/lib/sss/db/cache_tomupn14.test.ldb | grep 'originalMemberOf: cn=hbacgroup'
# id aduser1@ipaad2016.test | grep hbacgroup

Console logs are added in attachment.
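The verification above checks by eye whether the cached user entry still carries originalMemberOf for the HBAC group. The script below, added here as an example and not part of the bug report or of SSSD's own tooling, turns that check into a reusable function: it parses an ldbsearch dump of the SSSD cache and reports whether a given IPA group is still recorded in originalMemberOf for the user, which is the condition the HBAC rule depends on. The two sample entries are constructed for this example; the cache file naming (/var/lib/sss/db/cache_<domain>.ldb) follows the paths shown in the verification steps, while the ldbsearch filter and attribute list in check_live_cache are assumptions about how one would query the live cache.

```shell
#!/bin/sh
# Added example, not from the bug report or from SSSD: does a cached user entry
# still carry originalMemberOf for an IPA group used by an HBAC rule?

# Constructed sample: a trimmed user entry as ldbsearch might print it from the
# SSSD cache. Values are made up for this example.
SAMPLE_OK='dn: name=aduser1@ipaad2016.test,cn=users,cn=ipaad2016.test,cn=sysdb
name: aduser1@ipaad2016.test
objectClass: user
originalMemberOf: cn=hbacgroup,cn=groups,cn=accounts,dc=example,dc=test
originalMemberOf: cn=hbacgroup_external,cn=groups,cn=accounts,dc=example,dc=test
'

# Constructed sample showing the symptom from the bug: the attribute is gone,
# so an HBAC rule keyed on hbacgroup membership would deny access.
SAMPLE_MISSING='dn: name=aduser1@ipaad2016.test,cn=users,cn=ipaad2016.test,cn=sysdb
name: aduser1@ipaad2016.test
objectClass: user
'

# hbac_group_cached LDIF GROUP_CN
# Exit 0 if some originalMemberOf value in LDIF names GROUP_CN exactly
# (prefix "cn=GROUP_CN," so hbacgroup does not match hbacgroup_external),
# exit 1 otherwise. Attribute names and DNs are compared case-insensitively.
hbac_group_cached() {
    printf '%s\n' "$1" | awk -v cn="cn=$2," '
        tolower($0) ~ /^originalmemberof: / {
            v = $0
            sub(/^[^:]*: */, "", v)
            if (index(tolower(v), tolower(cn)) == 1) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_live_cache DOMAIN USER GROUP_CN
# Queries the real cache (needs root and the ldb tools). The search filter and
# attribute list are assumptions about ldbsearch usage, not taken from the bug.
# Exit 2 if the cache could not be read.
check_live_cache() {
    ldif=$(ldbsearch -H "/var/lib/sss/db/cache_$1.ldb" "(name=$2)" originalMemberOf 2>/dev/null) || return 2
    hbac_group_cached "$ldif" "$3"
}

# Stand-alone demo on the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
    if hbac_group_cached "$sample" hbacgroup; then
        echo "hbacgroup: present in originalMemberOf"
    else
        echo "hbacgroup: MISSING from originalMemberOf (HBAC rule keyed on it would deny)"
    fi
done
```

Run on a client as root with `check_live_cache tomupn14.test aduser1@ipaad2016.test hbacgroup` after `id` has populated the cache; a non-zero exit from a user that `ipa group-show` says is a member points at the cache-side loss this bug describes rather than at the rule itself.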
Created attachment 1411684: Console log

Console logs for verification steps.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1877