Bug 1489666 - Combination sssd-ad and postfix receive incorrect mail with asterisks or spaces
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: SSSD Maintainers
QA Contact: Niranjan Mallapadi Raghavender
Docs Contact:
Depends On:
Blocks:
Reported: 2017-09-08 01:09 EDT by OHKAWA Yuichi
Modified: 2018-05-29 04:44 EDT (History)
CC: 11 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 13:16:19 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
sssd_DOMAIN.log (167.68 KB, text/plain)
2017-09-12 04:02 EDT, OHKAWA Yuichi
sssd_nss.log (65.55 KB, text/plain)
2017-09-12 04:03 EDT, OHKAWA Yuichi


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0929 None None None 2018-04-10 13:17 EDT

Description OHKAWA Yuichi 2017-09-08 01:09:30 EDT
Description of problem:
The combination of sssd-ad and postfix (local_recipient_maps = proxy:unix:passwd.byname)
receives incorrect mail addresses with asterisks or spaces.

Version-Release number of selected component (if applicable):
1.14.0

How reproducible:

Steps to Reproduce:
1. Set up sssd-ad to connect to the AD server
   and to log in with an AD account as a local user.
2. Create a user in AD, for example user name "foo" and e-mail "foo@example.com".
3. Set up postfix to receive mail for local users.
   In order to check the address of the local user, we set up
   /etc/postfix/main.cf:
   local_recipient_maps = proxy:unix:passwd.byname
   mydestination = example.com
4. Confirm that postfix receives "foo@example.com" as a local recipient.
5. Send email to "*foo@example.com" or " foo@example.com" into postfix

Actual results:
Postfix receives "*foo@example.com" or " foo@example.com"

Expected results:
Postfix responds "550 User unknown in local recipient table"

Additional info:
Comment 2 Sumit Bose 2017-09-08 03:20:02 EDT
Can you attach corresponding SSSD logs to this ticket? I think most important are the sssd_nss.log and the sssd_DOMAIN.log files with debug_level=10. Please see https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html for details.
Comment 3 OHKAWA Yuichi 2017-09-12 04:02 EDT
Created attachment 1324745 [details]
sssd_DOMAIN.log
Comment 4 OHKAWA Yuichi 2017-09-12 04:03 EDT
Created attachment 1324746 [details]
sssd_nss.log

log_level=10
Comment 5 Lukas Slebodnik 2017-09-12 06:13:45 EDT
(In reply to OHKAWA Yuichi from comment #4)
> Created attachment 1324746 [details]
> sssd_nss.log
> 
> log_level=10

SSSD does not do any wildcard expansion in the NSS interface.
The following output is a simple grep with a few comments:
grep -E "nss_cmd_getbynam|nss_cmd_getpwnam_search" nss.log

>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [*foo@example.com].
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [*foo] from [example.com]
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo@example.com]
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo@example.com]
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo@example.com]
>(Tue Sep 12 16:56:13 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [*foo@example.com]
user "*foo" was not found in domain example.com
 
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [ foo@example.com].
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ foo] from [example.com]
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo@example.com]
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo@example.com]
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo@example.com]
>(Tue Sep 12 16:56:29 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [ foo@example.com]
user " foo" was not found in domain example.com
 
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [f*@example.com].
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [f*] from [example.com]
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:56:51 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [f*@example.com]
user "f*" was not found in domain example.com

>(Tue Sep 12 16:57:07 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [foo@example.com].
>(Tue Sep 12 16:57:07 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [foo] from [example.com]
>(Tue Sep 12 16:57:07 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [foo@example.com]
>(Tue Sep 12 16:57:07 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [foo@example.com]
user "foo" was *FOUND* in domain example.com

>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [bar@example.com].
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [bar] from [example.com]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [bar@example.com]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [bar@example.com]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [bar@example.com]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [bar@example.com]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [bar@example.com] does not exist in [example.com]! (negative cache)
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [bar@example.com], fail!
user "bar" was not found in domain example.com

>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [bar].
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [bar] from [<ALL>]
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [bar@example.com] does not exist in [example.com]! (negative cache)
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [bar], fail!
user "bar" was not found in any domain

>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [@example.com].
>(Tue Sep 12 16:57:17 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0040): Invalid name received [@example.com]
user "" (empty user ???) was not found in domain example.com

>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [ foo].
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [ foo] from [<ALL>]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo@example.com]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ foo@example.com]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
user " foo" was not found in any domain

>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [*foo].
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [*foo] from [<ALL>]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo@example.com]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*foo@example.com]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
user "*foo" was not found in any domain

>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [f*].
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [f*] from [<ALL>]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [f*@example.com]
>(Tue Sep 12 16:57:36 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
user "f*" was not found in any domain
Comment 6 Jakub Hrozek 2017-10-24 05:25:08 EDT
I'm sorry this bug did not receive any updates for such a long time. In the end this turned out to be a bug and the reason we didn't discuss it here publicly was that it even turned out to be a security issue - please see https://pagure.io/SSSD/sssd/issue/3549

The bug was fixed upstream in the meantime and will be released in the next 7.4 update. I will keep this bugzilla ticket open until the bugfix is released and then notify you so you can test it out.

Thank you for reporting the bug.
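The pattern in the grep in comment 5 (the backend answers "No results for getpwnam call" for [*foo@example.com], yet the request is answered with "Returning info for user [*foo@example.com]") is what an unescaped wildcard in a search filter looks like: the '*' that Postfix handed to getpwnam is interpreted as a pattern instead of a literal character. The following is an added example, not code from this bug report or from SSSD. The CACHE entries, the filter builders and the small filter evaluator are all constructed for the demonstration; it places the unsafe interpolation beside RFC 4515 escaping, which turns `*foo` into the literal assertion value `\2afoo`.

```python
import re

# Constructed cache entries for the demonstration (not real data).
CACHE = [
    {"name": "foo", "uidNumber": 1000},
    {"name": "bar", "uidNumber": 1001},
]


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 s.3).

    '*', '(', ')', '\\' and NUL are written as a backslash plus two hex
    digits; every other character is passed through unchanged.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_filter_unsafe(name):
    """The bug pattern: caller-supplied text pasted straight into the filter."""
    return "(name=%s)" % name


def build_filter_safe(name):
    """The fix pattern: escape the value before interpolating it."""
    return "(name=%s)" % escape_filter_value(name)


def _assertion_to_regex(value):
    """Turn an RFC 4515 assertion value into an anchored regex.

    An unescaped '*' is a wildcard; a '\\xx' sequence is the literal
    character with that hex code; everything else matches itself.
    """
    parts = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "^" + "".join(parts) + "$"


def search(filter_str):
    """Evaluate one equality filter '(attr=value)' against CACHE.

    A stand-in for the directory/cache evaluator, constructed for this
    example; it supports only the single-assertion form used here.
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if m is None:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, value = m.group(1), m.group(2)
    pattern = re.compile(_assertion_to_regex(value))
    return [e for e in CACHE if attr in e and pattern.match(str(e[attr]))]


def lookup_unsafe(name):
    """Names matched when the filter is built without escaping."""
    return [e["name"] for e in search(build_filter_unsafe(name))]


def lookup_safe(name):
    """Names matched when the filter is built with escaping."""
    return [e["name"] for e in search(build_filter_safe(name))]


if __name__ == "__main__":
    for probe in ("foo", "*foo", "f*", "*"):
        print("%-6r unsafe=%-16r safe=%r"
              % (probe, lookup_unsafe(probe), lookup_safe(probe)))
```

With the unsafe builder, `*foo`, `f*` and a bare `*` all return real accounts, exactly the shape of the log above; with escaping, only the exact name `foo` does. The leading-space variant in the log is not a wildcard problem and is not modelled by this example.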
Comment 11 Jakub Hrozek 2017-11-01 12:20:54 EDT
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3549
Comment 12 Jakub Hrozek 2017-11-01 12:21:32 EDT
master: 1f2662c
Comment 14 OHKAWA Yuichi 2017-12-11 23:15:24 EST
By sssd-1.15.2-50.el7_4.8, I confirmed that the problem was fixed.
Thanks.
Comment 15 Sumit Bose 2017-12-12 02:20:27 EST
(In reply to OHKAWA Yuichi from comment #14)
> By sssd-1.15.2-50.el7_4.8, I confirmed that the problem was fixed.
> Thanks.

Thank you for the feedback.
Comment 16 Niranjan Mallapadi Raghavender 2018-01-18 02:56:50 EST
Versions:
=========

sssd-ad-1.16.0-13.el7.x86_64
sssd-proxy-1.16.0-13.el7.x86_64
python-sssdconfig-1.16.0-13.el7.noarch
sssd-client-1.16.0-13.el7.x86_64
sssd-common-1.16.0-13.el7.x86_64
sssd-common-pac-1.16.0-13.el7.x86_64
sssd-ipa-1.16.0-13.el7.x86_64
sssd-krb5-1.16.0-13.el7.x86_64
sssd-1.16.0-13.el7.x86_64
sssd-krb5-common-1.16.0-13.el7.x86_64
sssd-ldap-1.16.0-13.el7.x86_64


Complete!

1. Join system to Active Directory using realmd

[root@ipaqavme ~]# realm join -v --membership-software=adcli JUNO.TEST
 * Resolving: _ldap._tcp.juno.test
 * Performing LDAP DSE lookup on: 10.65.223.136
 * Successfully discovered: juno.test
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain juno.test --domain-realm JUNO.TEST --domain-controller 10.65.223.136 --login-type user --login-user Administrator --stdin-password
 * Using domain name: juno.test
 * Calculated computer account name from fqdn: IPAQAVME
 * Using domain realm: juno.test
 * Sending netlogon pings to domain controller: cldap://10.65.223.136
 * Received NetLogon info from: winsrv1.juno.test
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-tU9CCK/krb5.d/adcli-krb5-conf-ve2TYp
 * Authenticated as user: Administrator@JUNO.TEST
 * Looked up short domain name: JUNO
 * Using fully qualified name: ipaqavme.idmqe.lab.eng.bos.redhat.com
 * Using domain name: juno.test
 * Using computer account name: IPAQAVME
 * Using domain realm: juno.test
 * Calculated computer account name from fqdn: IPAQAVME
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for IPAQAVME$ does not exist
 * Found well known computer container at: CN=Computers,DC=juno,DC=test
 * Calculated computer account: CN=IPAQAVME,CN=Computers,DC=juno,DC=test
 * Created computer account: CN=IPAQAVME,CN=Computers,DC=juno,DC=test
 * Sending netlogon pings to domain controller: cldap://10.65.223.136
 * Received NetLogon info from: winsrv1.juno.test
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=IPAQAVME,CN=Computers,DC=juno,DC=test
 * Modifying computer account: dNSHostName
 * Modifying computer account: userAccountControl
 * Modifying computer account: operatingSystem, operatingSystemVersion, operatingSystemServicePack
 * Modifying computer account: userPrincipalName
 * Discovered which keytab salt to use
 * Added the entries to the keytab: IPAQAVME$@JUNO.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/IPAQAVME@JUNO.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ipaqavme.idmqe.lab.eng.bos.redhat.com@JUNO.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/IPAQAVME@JUNO.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ipaqavme.idmqe.lab.eng.bos.redhat.com@JUNO.TEST: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

2. sssd configuration as below:

[sssd]
domains = juno.test
config_file_version = 2
services = nss, pam

[domain/juno.test]
ad_domain = juno.test
krb5_realm = JUNO.TEST
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

3. Create a user victim on Windows Active Directory

4. Login as victim user 

[root@ipaqavme ~]#  ssh victim\@JUNO.TEST@localhost
victim@JUNO.TEST@localhost's password: 
[victim@juno.test@ipaqavme ~]$ klist
Ticket cache: KEYRING:persistent:842005273:krb_ccache_zHthCLK
Default principal: victim@JUNO.TEST

Valid starting       Expires              Service principal
01/17/2018 06:22:03  01/17/2018 16:22:03  krbtgt/JUNO.TEST@JUNO.TEST
        renew until 01/24/2018 06:22:02

5. Verify using getent to check if user details can be fetched using *victim 

[root@ipaqavme ~]#  getent passwd '*victim@JUNO.TEST'
[root@ipaqavme ~]# 


6. Configure postfix for mail server:


[root@ipaqavme ~]# cat /etc/postfix/main.cf | grep -v ^$ | grep -v ^#
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = ipaqavme.idmqe.lab.eng.bos.redhat.com
mydomain = JUNO.TEST
inet_interfaces = localhost
inet_protocols = all
mydestination = JUNO.TEST, juno.test, ipaqavme.idmqe.lab.eng.bos.redhat.com, idmqe.lab.eng.bos.redhat.com, $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
 
  
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES


7. Restart postfix and sssd

8. Send mail to *victim@juno.test
$ echo "test message" | mail -vvv -s "Test Messages" *victim@juno.test

9. Mail returned as user *victim doesn't exist 

Message  1:
From MAILER-DAEMON  Thu Jan 18 02:51:41 2018
Return-Path: <>
X-Original-To: root@abc.juno.test
Delivered-To: root@abc.juno.test
Date: Thu, 18 Jan 2018 02:51:39 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON@abc.juno.test>
To: root@abc.juno.test
Content-Type: multipart/report; report-type=delivery-status;
        boundary="w0I7pbZm002548.1516261899/abc.juno.test"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Status: R

Part 1:

The original message was received at Thu, 18 Jan 2018 02:51:37 -0500
from root@localhost

   ----- The following addresses had permanent fatal errors -----
*victim@juno.test  
    (reason: 550 5.1.1 <*victim@juno.test>: Recipient address rejected: User unknown in local recipient table)
    (expanded from: *victim@juno.test)

   ----- Transcript of session follows -----
... while talking to [127.0.0.1]:
>>> DATA
<<< 550 5.1.1 <*victim@juno.test>: Recipient address rejected: User unknown in local recipient table
550 5.1.1 *victim@juno.test... User unknown
<<< 554 5.5.1 Error: no valid recipients
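Step 5 of the verification above checks one variant by hand (`getent passwd '*victim@JUNO.TEST'`). The following is an added example, not from this bug report or from SSSD: a small checker that asks the system NSS stack for the exact name and for the three variants the reporter used (leading asterisk, asterisk after the first character, leading space) and flags any variant other than the exact name that still resolves to an account. The `lookup` parameter is a hook I introduced so the probe can be driven by a fake resolver; by default it runs the real `getent passwd`.

```python
import subprocess
import sys


def getent_passwd(name):
    """Ask the system NSS stack for `name`; return the passwd line or None."""
    proc = subprocess.run(["getent", "passwd", name],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return proc.stdout.strip()


def probe_names(user, domain):
    """The exact name plus the variants from the report; only 'exact' may resolve."""
    exact = "%s@%s" % (user, domain)
    return {
        "exact": exact,
        "leading-star": "*" + exact,
        "prefix-star": user[:1] + "*@" + domain,
        "leading-space": " " + exact,
    }


def check_user(user, domain, lookup=getent_passwd):
    """Resolve every variant through `lookup`; return {label: line or None}."""
    return {label: lookup(name)
            for label, name in probe_names(user, domain).items()}


def unexpected_hits(results):
    """Labels of variants other than the exact name that resolved to an account."""
    return sorted(k for k, v in results.items()
                  if k != "exact" and v is not None)


def is_vulnerable(results):
    """True when any wildcard/whitespace variant resolved."""
    return bool(unexpected_hits(results))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s USER DOMAIN   (e.g. victim JUNO.TEST)" % sys.argv[0])
    user, domain = sys.argv[1], sys.argv[2]
    results = check_user(user, domain)
    for label, name in probe_names(user, domain).items():
        print("%-14s %-28r -> %s" % (label, name, results[label] or "(no entry)"))
    hits = unexpected_hits(results)
    if hits:
        print("FAIL: variants resolved to an account:", ", ".join(hits))
        sys.exit(1)
    if results["exact"] is None:
        print("WARN: the exact name did not resolve; is the user visible via NSS?")
    print("OK: only the exact name resolves")
```

Run it on the joined host as `python3 check.py victim JUNO.TEST`; the exit status is non-zero whenever a variant resolves, so it can sit in a post-update check alongside the mail test in steps 8 and 9.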
Comment 19 errata-xmlrpc 2018-04-10 13:16:19 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929
