Bug 1473005 - The originalMemberOf attribute disappears from the cache, causing intermittent HBAC issues
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Assigned To: SSSD Maintainers
QA Contact: Varun Mylaraiah
Keywords: ZStream
Depends On: 1438360
Reported: 2017-07-19 16:10 EDT by Oneata Mircea Teodor
Modified: 2017-08-22 13:30 EDT

Fixed In Version: sssd-1.13.3-57.el6_9
Clone Of: 1438360
Last Closed: 2017-08-22 13:30:09 EDT

Description Oneata Mircea Teodor 2017-07-19 16:10:51 EDT
This bug has been copied from bug #1438360 and has been proposed to be backported to 6.9 z-stream (EUS).
Comment 7 Varun Mylaraiah 2017-08-09 06:36:23 EDT

Now the group is listed in the "originalMemberOf" attr

# id aduser1@ipaad2012r2.test
uid=346211915(aduser1@ipaad2012r2.test) gid=346211915(aduser1@ipaad2012r2.test) groups=346211915(aduser1@ipaad2012r2.test),346201110(adunigroup1@ipaad2012r2.test),346201108(adgroup1@ipaad2012r2.test),346201109(adgroup2@ipaad2012r2.test),729800010(hbacgroup),346200513(domain users@ipaad2012r2.test)

#  ldbsearch -H /var/lib/sss/db/cache_ssh080817.test.ldb 
asq: Unable to register control with rootdse!
# record 1
dn: name=aduser1@ipaad2012r2.test,cn=users,cn=ipaad2012r2.test,cn=sysdb
createTimestamp: 1502268960
fullName: aduser1 ads
gecos: aduser1 ads
gidNumber: 346211915
homeDirectory: /home/ipaad2012r2.test/aduser1
name: aduser1@ipaad2012r2.test
objectClass: user
uidNumber: 346211915
objectSIDString: S-1-5-21-547465014-1205121312-3291251547-11915
userPrincipalName: aduser1@IPAAD2012R2.TEST
adUserAccountControl: 512
originalDN: CN=aduser1 ads,CN=Users,DC=ipaad2012r2,DC=test
nameAlias: aduser1@ipaad2012r2.test
adAccountExpires: 9223372036854775807
originalMemberOf: CN=adunigroup1,CN=Users,DC=ipaad2012r2,DC=test
originalMemberOf: CN=adgroup2,CN=Users,DC=ipaad2012r2,DC=test
originalMemberOf: CN=adgroup1,CN=Users,DC=ipaad2012r2,DC=test
originalMemberOf: cn=hbacgroup,cn=groups,cn=accounts,dc=ssh080817,dc=test
memberof: name=adunigroup1@ipaad2012r2.test,cn=groups,cn=ipaad2012r2.test,cn=s
memberof: name=adgroup1@ipaad2012r2.test,cn=groups,cn=ipaad2012r2.test,cn=sysd
memberof: name=adgroup2@ipaad2012r2.test,cn=groups,cn=ipaad2012r2.test,cn=sysd
memberof: name=hbacgroup,cn=groups,cn=ssh080817.test,cn=sysdb
memberof: name=domain users@ipaad2012r2.test,cn=groups,cn=ipaad2012r2.test,cn=
initgrExpireTimestamp: 1502274375
lastUpdate: 1502268975
dataExpireTimestamp: 1502274375
distinguishedName: name=aduser1@ipaad2012r2.test,cn=users,cn=ipaad2012r2.test,

Additional info:
On Server side

Created an external IPA group

# ipa group-add --desc=0 hbacgroup_external --external
Added group "hbacgroup_external"
  Group name: hbacgroup_external
  Description: 0

Added an AD group into IPA group

# ipa group-add-member hbacgroup_external --external='adgroup1@ipaad2012r2.test' --users='' --groups=''
  Group name: hbacgroup_external
  Description: 0
  External member: S-1-5-21-547465014-1205121312-3291251547-11915, S-1-5-21-547465014-1205121312-3291251547-1108
  Member of groups: hbacgroup
Number of members added 1

Then add the external IPA group into an IPA POSIX group

# ipa group-add --desc=0 hbacgroup
Added group "hbacgroup"
  Group name: hbacgroup
  Description: 0
  GID: 729800010

# ipa group-add-member hbacgroup --groups=hbacgroup_external
  Group name: hbacgroup
  Description: 0
  GID: 729800010
  Member groups: hbacgroup_external
Number of members added 1

Referencing the IPA POSIX group in an HBAC rule

# ipa hbacrule-add hbacrule --hostcat=all --servicecat=all
Added HBAC rule "hbacrule"
  Rule name: hbacrule
  Host category: all
  Service category: all
  Enabled: TRUE

# ipa hbacrule-add-user hbacrule --groups='hbacgroup'
  Rule name: hbacrule
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: hbacgroup
Number of members added 1

Then disable allow_all.

# ipa hbacrule-disable allow_all
Disabled HBAC rule "allow_all"

# ipa hbacrule-find --all hbacrule
1 HBAC rule matched
  dn: ipaUniqueID=48e182bc-7ce0-11e7-836e-5254001e863c,cn=hbac,dc=ssh080817,dc=test
  Rule name: hbacrule
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: hbacgroup
  accessruletype: allow
  ipauniqueid: 48e182bc-7ce0-11e7-836e-5254001e863c
  objectclass: ipaassociation, ipahbacrule
Number of entries returned 1
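The check Varun performs by eye above (is the IPA POSIX group present in both `memberof` and `originalMemberOf` of the cached user?) can be scripted against the `ldbsearch` output of the sssd cache. The following is an added example, not code from this bug report or from sssd; the sample records are constructed from the record quoted above, and the IPA domain name `ssh080817.test` is taken from it.

```python
# Constructed sample modelled on the ldbsearch record in comment 7: record 1 is
# healthy, record 2 shows this bug's symptom (memberof still lists hbacgroup
# but originalMemberOf has lost it); the " b" line is an LDIF fold.
SAMPLE_LDB = """# record 1
dn: name=aduser1@ipaad2012r2.test,cn=users,cn=ipaad2012r2.test,cn=sysdb
originalMemberOf: CN=adgroup1,CN=Users,DC=ipaad2012r2,DC=test
originalMemberOf: cn=hbacgroup,cn=groups,cn=accounts,dc=ssh080817,dc=test
memberof: name=adgroup1@ipaad2012r2.test,cn=groups,cn=ipaad2012r2.test,cn=sysd
 b
memberof: name=hbacgroup,cn=groups,cn=ssh080817.test,cn=sysdb

dn: name=aduser2@ipaad2012r2.test,cn=users,cn=ipaad2012r2.test,cn=sysdb
originalMemberOf: CN=adgroup1,CN=Users,DC=ipaad2012r2,DC=test
memberof: name=hbacgroup,cn=groups,cn=ssh080817.test,cn=sysdb
"""

def parse_ldb_records(text):
    """ldbsearch output -> [{attr: [values]}]; '#' lines are comments, a blank
    line ends a record, a leading space continues the previous value."""
    records, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            records.append(cur)
            cur, last = {}, None
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and last is not None:
            cur[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(": ")
            cur.setdefault(attr, []).append(value)
            last = attr
    return [r for r in records + [cur] if r]

def missing_original_memberof(record, ipa_domain):
    """IPA groups that memberof lists (sysdb DN under cn=<ipa_domain>) but that
    have no originalMemberOf DN cn=<group>,cn=groups,cn=accounts,...: the
    cache state in which HBAC rules keyed on that group fail."""
    suffix = (",cn=groups,cn=%s,cn=sysdb" % ipa_domain).lower()
    original = [v.lower() for v in record.get("originalMemberOf", [])]
    missing = []
    for dn in record.get("memberof", []):
        low = dn.lower()
        if not (low.startswith("name=") and low.endswith(suffix)):
            continue  # trusted-AD group, cached under its own subdomain
        group = low[len("name="):-len(suffix)]
        if not any(v.startswith("cn=%s,cn=groups,cn=accounts," % group) for v in original):
            missing.append(group)
    return missing
```

Running `missing_original_memberof` over every record of a real `ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb` dump gives the list of users whose HBAC evaluation would be affected before the fixed package is installed.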
Comment 8 Varun Mylaraiah 2017-08-09 06:39:34 EDT
ipa server version used
Comment 10 errata-xmlrpc 2017-08-22 13:30:09 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
