Bug 1489666 - Combination sssd-ad and postfix receive incorrect mail with asterisks or spaces
Summary: Combination sssd-ad and postfix receive incorrect mail with asterisks or spaces
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: x86_64
OS: Linux
Assignee: SSSD Maintainers
QA Contact: Niranjan Mallapadi Raghavender
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-09-08 05:09 UTC by OHKAWA Yuichi
Modified: 2020-05-02 18:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 17:16:19 UTC
Target Upstream Version:
Embargoed:


Attachments
sssd_DOMAIN.log (167.68 KB, text/plain), 2017-09-12 08:02 UTC, OHKAWA Yuichi
sssd_nss.log (65.55 KB, text/plain), 2017-09-12 08:03 UTC, OHKAWA Yuichi


Links
Github SSSD sssd issues 4575 (last updated 2020-05-02 18:49:33 UTC)
Red Hat Product Errata RHEA-2018:0929 (last updated 2018-04-10 17:17:27 UTC)

Description OHKAWA Yuichi 2017-09-08 05:09:30 UTC
Description of problem:
Combination sssd-ad and postfix (local_recipient_maps = proxy:unix:passwd.byname)
receives an incorrect mail address with asterisks or spaces.

Version-Release number of selected component (if applicable):
1.14.0

How reproducible:

Steps to Reproduce:
1. Set up sssd-ad to connect to the AD server
   and to log in to an AD account as a local user.
2. Create a user in AD, for example with user name "foo" and e-mail "foo".
3. Set up postfix to receive mail for local users.
   In order to check the address of a local user, we set up
   /etc/postfix/main.cf:
   local_recipient_maps = proxy:unix:passwd.byname
   mydestination = example.com
4. Confirm that postfix receives "foo" as a local recipient.
5. Send email to "*foo" or " foo" via postfix.

Actual results:
Postfix receives "*foo" or " foo"

Expected results:
Postfix responds "550 User unknown in local recipient table"

Additional info:

Comment 2 Sumit Bose 2017-09-08 07:20:02 UTC
Can you attach corresponding SSSD logs to this ticket? I think most important are the sssd_nss.log and the sssd_DOMAIN.log files with debug_level=10. Please see https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html for details.

Comment 3 OHKAWA Yuichi 2017-09-12 08:02:49 UTC
Created attachment 1324745 [details]
sssd_DOMAIN.log

Comment 4 OHKAWA Yuichi 2017-09-12 08:03:32 UTC
Created attachment 1324746 [details]
sssd_nss.log

log_level=10

Comment 5 Lukas Slebodnik 2017-09-12 10:13:45 UTC
(In reply to OHKAWA Yuichi from comment #4)
> Created attachment 1324746 [details]
> sssd_nss.log
> 
> log_level=10

SSSD does not do any wildcard expansion in the NSS interface.
The following output is a simple grep with a few comments:
grep -E "nss_cmd_getbynam|nss_cmd_getpwnam_search" nss.log

>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [*foo].
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [*foo] from [example.com]
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo]
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo]
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo]
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [*foo]
user "*foo" was not found in domain example.com
 
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [ foo].
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ foo] from [example.com]
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo]
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo]
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo]
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [ foo]
user " foo" was not found in domain example.com
 
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [f*@example.com].
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [f*] from [example.com]
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [f*@example.com]
user "f*" was not found in domain example.com

>(Tue Sep 12 16:57:07 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [foo].
>(Tue Sep 12 16:57:07 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [foo] from [example.com]
>(Tue Sep 12 16:57:07 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [foo]
>(Tue Sep 12 16:57:07 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [foo]
user "foo" was *FOUND* in domain example.com

>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [bar].
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [bar] from [example.com]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [bar]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [bar]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [bar]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [bar]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [bar] does not exist in [example.com]! (negative cache)
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [bar], fail!
user "bar" was not found in domain example.com

>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [bar].
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [bar] from [<ALL>]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [bar] does not exist in [example.com]! (negative cache)
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [bar], fail!
user "bar" was not found in any domain

>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [@example.com].
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0040): Invalid name received [@example.com]
user "" (empty user ???) was not found in domain example.com

>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [ foo].
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ foo] from [<ALL>]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
user " foo" was not found in any domain

>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [*foo].
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [*foo] from [<ALL>]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
user "*foo" was not found in any domain

>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [f*].
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [f*] from [<ALL>]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
user "f*" was not found in any domain

Comment 6 Jakub Hrozek 2017-10-24 09:25:08 UTC
I'm sorry this bug did not receive any updates for such a long time. In the end this turned out to be a bug and the reason we didn't discuss it here publicly was that it even turned out to be a security issue - please see https://pagure.io/SSSD/sssd/issue/3549

The bug was fixed upstream in the meantime and will be released in the next 7.4 update. I will keep this bugzilla ticket open until the bugfix is released and then notify you so you can test it out.

Thank you for reporting the bug.
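An added example (not code from this report or from SSSD) modelling the failure mode discussed in comments 5 and 6. It assumes, since the report does not spell this out, that the looked-up name is placed into an LDAP-style search filter: with that assumption an unescaped `*foo` is a substring wildcard that matches the real user `foo`, so the NSS lookup succeeds and Postfix with `local_recipient_maps = proxy:unix:passwd.byname` accepts the recipient, whereas RFC 4515 escaping of the name makes the same lookup fail and Postfix answer 550 as expected. The directory contents and the `search_user` / `smtp_reply` helpers are constructed for this illustration.

```python
import re
from typing import Optional

# Constructed sample directory standing in for the AD/SSSD user store.
DIRECTORY = [
    {"name": "foo", "uid": 10001},
    {"name": "foobar", "uid": 10002},
    {"name": "bar", "uid": 10003},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter:
    '*', '(', ')', backslash and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(piece: str) -> str:
    """Turn \\XX escapes back into literal characters (\\2a -> '*')."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)

def assertion_matches(pattern: str, value: str) -> bool:
    """LDAP equality/substring semantics for (attr=pattern): an unescaped
    '*' is a wildcard; everything else is literal after unescaping."""
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), value) is not None

def search_user(name: str, escape: bool) -> Optional[dict]:
    """Build (name=<value>) from the caller-supplied name and search.
    escape=False is the defect: the raw name goes into the filter."""
    value = escape_filter_value(name) if escape else name
    hits = [e for e in DIRECTORY if assertion_matches(value, e["name"])]
    # getpwnam() must answer with exactly one entry or nothing.
    return hits[0] if len(hits) == 1 else None

def smtp_reply(recipient: str, escape: bool) -> str:
    """Model of Postfix with local_recipient_maps = proxy:unix:passwd.byname:
    the recipient is accepted iff the passwd lookup returns an entry."""
    if search_user(recipient, escape) is not None:
        return "250 2.1.5 Ok"
    return (f"550 5.1.1 <{recipient}>: Recipient address rejected: "
            "User unknown in local recipient table")

if __name__ == "__main__":
    for name in ("foo", "*foo", "f*", "bar"):
        print(f"{name!r:8} unescaped: {smtp_reply(name, False)[:3]}  "
              f"escaped: {smtp_reply(name, True)[:3]}")
```

The leading-space case from the report (" foo") is not modelled here; the toy matcher treats a space as a literal character.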

Comment 11 Jakub Hrozek 2017-11-01 16:20:54 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3549

Comment 12 Jakub Hrozek 2017-11-01 16:21:32 UTC
master: 1f2662c

Comment 14 OHKAWA Yuichi 2017-12-12 04:15:24 UTC
By sssd-1.15.2-50.el7_4.8, I confirmed that the problem was fixed.
Thanks.

Comment 15 Sumit Bose 2017-12-12 07:20:27 UTC
(In reply to OHKAWA Yuichi from comment #14)
> By sssd-1.15.2-50.el7_4.8, I confirmed that the problem was fixed.
> Thanks.

Thank you for the feedback.

Comment 16 Niranjan Mallapadi Raghavender 2018-01-18 07:56:50 UTC
Versions:
=========

sssd-ad-1.16.0-13.el7.x86_64
sssd-proxy-1.16.0-13.el7.x86_64
python-sssdconfig-1.16.0-13.el7.noarch
sssd-client-1.16.0-13.el7.x86_64
sssd-common-1.16.0-13.el7.x86_64
sssd-common-pac-1.16.0-13.el7.x86_64
sssd-ipa-1.16.0-13.el7.x86_64
sssd-krb5-1.16.0-13.el7.x86_64
sssd-1.16.0-13.el7.x86_64
sssd-krb5-common-1.16.0-13.el7.x86_64
sssd-ldap-1.16.0-13.el7.x86_64


1. Join system to Active Directory using realmd

[root@ipaqavme ~]# realm join -v --membership-software=adcli JUNO.TEST
 * Resolving: _ldap._tcp.juno.test
 * Performing LDAP DSE lookup on: 10.65.223.136
 * Successfully discovered: juno.test
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain juno.test --domain-realm JUNO.TEST --domain-controller 10.65.223.136 --login-type user --login-user Administrator --stdin-password
 * Using domain name: juno.test
 * Calculated computer account name from fqdn: IPAQAVME
 * Using domain realm: juno.test
 * Sending netlogon pings to domain controller: cldap://10.65.223.136
 * Received NetLogon info from: winsrv1.juno.test
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-tU9CCK/krb5.d/adcli-krb5-conf-ve2TYp
 * Authenticated as user: Administrator
 * Looked up short domain name: JUNO
 * Using fully qualified name: ipaqavme.idmqe.lab.eng.bos.redhat.com
 * Using domain name: juno.test
 * Using computer account name: IPAQAVME
 * Using domain realm: juno.test
 * Calculated computer account name from fqdn: IPAQAVME
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for IPAQAVME$ does not exist
 * Found well known computer container at: CN=Computers,DC=juno,DC=test
 * Calculated computer account: CN=IPAQAVME,CN=Computers,DC=juno,DC=test
 * Created computer account: CN=IPAQAVME,CN=Computers,DC=juno,DC=test
 * Sending netlogon pings to domain controller: cldap://10.65.223.136
 * Received NetLogon info from: winsrv1.juno.test
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=IPAQAVME,CN=Computers,DC=juno,DC=test
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: IPAQAVME$@JUNO.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/IPAQAVME: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ipaqavme.idmqe.lab.eng.bos.redhat.com: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/IPAQAVME: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ipaqavme.idmqe.lab.eng.bos.redhat.com: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

2. sssd configuration as below:

[sssd]
domains = juno.test
config_file_version = 2
services = nss, pam

[domain/juno.test]
ad_domain = juno.test
krb5_realm = JUNO.TEST
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

3. Create a user victim on Windows Active Directory

4. Login as victim user 

[root@ipaqavme ~]#  ssh victim\@JUNO.TEST@localhost
victim@localhost's password: 
[victim@ipaqavme ~]$ klist
Ticket cache: KEYRING:persistent:842005273:krb_ccache_zHthCLK
Default principal: victim

Valid starting       Expires              Service principal
01/17/2018 06:22:03  01/17/2018 16:22:03  krbtgt/JUNO.TEST
        renew until 01/24/2018 06:22:02

5. Verify using getent to check if user details can be fetched using *victim 

[root@ipaqavme ~]#  getent passwd '*victim'
[root@ipaqavme ~]# 


6. Configure postfix for mail server:


[root@ipaqavme ~]# cat /etc/postfix/main.cf | grep -v ^$ | grep -v ^#
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = ipaqavme.idmqe.lab.eng.bos.redhat.com
mydomain = JUNO.TEST
inet_interfaces = localhost
inet_protocols = all
mydestination = JUNO.TEST, juno.test, ipaqavme.idmqe.lab.eng.bos.redhat.com, idmqe.lab.eng.bos.redhat.com, $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES


7. Restart postfix and sssd

8. Send mail to *victim
$ echo "test message" | mail -vvv -s "Test Messages" *victim

9. Mail returned as user *victim doesn't exist 

Message  1:
From MAILER-DAEMON  Thu Jan 18 02:51:41 2018
Return-Path: <>
X-Original-To: root.test
Delivered-To: root.test
Date: Thu, 18 Jan 2018 02:51:39 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON.test>
To: root.test
Content-Type: multipart/report; report-type=delivery-status;
        boundary="w0I7pbZm002548.1516261899/abc.juno.test"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Status: R

Part 1:

The original message was received at Thu, 18 Jan 2018 02:51:37 -0500
from root@localhost

   ----- The following addresses had permanent fatal errors -----
*victim  
    (reason: 550 5.1.1 <*victim>: Recipient address rejected: User unknown in local recipient table)
    (expanded from: *victim)

   ----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 550 5.1.1 <*victim>: Recipient address rejected: User unknown in local recipient table
550 5.1.1 *victim... User unknown
<<< 554 5.5.1 Error: no valid recipients

Comment 19 errata-xmlrpc 2018-04-10 17:16:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929

