1598457 – Attributes not present in Global Catalog can be removed from the cache during GC lookups

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1598457 - Attributes not present in Global Catalog can be removed from the cache during GC lookups

Summary: Attributes not present in Global Catalog can be removed from the cache during...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	pre-dev-freeze
Target Release:	8.1
Assignee:	Sumit Bose
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1666042 (view as bug list)
Depends On:	1682305
Blocks:
TreeView+	depends on / blocked

Reported:	2018-07-05 14:22 UTC by josip.domsic+bugzilla
Modified:	2023-05-09 14:11 UTC (History)
CC List:	18 users (show)
Fixed In Version:	sssd-2.1.0-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-11-05 22:33:53 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Failed ssh with public-key from AD (after initial success) (4.99 KB, text/plain) 2018-07-10 12:41 UTC, josip.domsic+bugzilla	no flags	Details
Successful log to ssh server via AD public-key (9.97 KB, text/plain) 2018-07-10 12:41 UTC, josip.domsic+bugzilla	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 3516	None	closed	AD: do not override existing home-dir or shell if they are not available in the global catalog	2020-09-04 15:11:28 UTC
Github	SSSD sssd issues 4564	None	closed	RFE: Use the global catalog only to look up the entry DN	2020-09-04 15:11:30 UTC
Red Hat Issue Tracker	RHELPLAN-14654	None	None	None	2023-05-09 14:11:37 UTC
Red Hat Product Errata	RHSA-2019:3651	None	None	None	2019-11-05 22:34:08 UTC

Description josip.domsic+bugzilla 2018-07-05 14:22:30 UTC

Description of problem:
The command sss_ssh_authorizedkeys username 
returns no output even though LDAP (AD) search does.

ldapsearch  -H "ldaps://active-directory"  -D "admin"  -w 'password'  -b "DC=domain,DC=LAN"    "sAMAccountName=username" sshPublicKey


Version-Release number of selected component (if applicable):
sssd - 1.16.0


How reproducible:

Steps to Reproduce:
1. Put Linux server is in FreeIPA domain (one-way trust with AD is already set up)
2. Put user in AD (add sshPublicKey)
3. sss_ssh_authorizedkeys username

Actual results:
None (command succeded, no debug info)

Expected results:
ssh-rsa AAAAAAAAAAA.....

Additional info:
Available upon request

Comment 2 Florence Blanc-Renaud 2018-07-06 09:49:43 UTC

Moving to component sssd as the utility 'sss_ssh_authorizedkeys' is provided by sssd packages.

Comment 3 Sumit Bose 2018-07-06 11:24:26 UTC

There is no default place in the AD LDAP schema to store SSH public keys hence SSSD on the IPA server does not read any related attribute by default.

To tell SSSD on the IPA server to read this attribute please add

[domain/your.ipa.domain/your.ad.domain]
ldap_user_ssh_public_key = sshPublicKey

to sssd.conf to read and store the sshPublicKey attribute for AD users from your.ad.domain. If there are multiple domains in you trusted AD forest with user with ssh keys you have to add a similar entry in sssd.conf for the other domains as well.

This must be done on all IPA servers (it would be sufficient to add it on the trust agents but it might lead to less confusion to do it on all servers). The IPA client do not need it because they will get the data directly from the IPA servers.

HTH

bye,
Sumit

Comment 4 josip.domsic+bugzilla 2018-07-09 08:34:34 UTC

Hi,

Unfortunately it didn't help.

Excerpt from /var/logs/sssd/sssd.log:

(Mon Jul  9 10:29:43:850778 2018) [sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_subdomain_options]: Attribute 'ldap_user_ssh_public_key' is not allowed in section 'domain/IPA.DOMAIN/AD.DOMAIN'. Check for typos

sssd.conf
[domain/IPA.DOMAIN]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = rl.lan
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = HOSTNAME.IPA.DOMAIN
chpass_provider = ipa
ipa_server = HOSTNAME.IPA.DOMAIN
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/IPA.DOMAIN/AD.DOMAIN]
ldap_user_ssh_public_key = sshPublicKey

[sssd]
services = sudo, nss, ifp, pam, ssh
domains = IPA.DOMAIN

[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

Comment 5 Sumit Bose 2018-07-09 10:34:55 UTC

The two domain name given in the sub-domain section name must match exactly what SSSD use as domain names. Please call 'sssctl domain-list' to get the expected spelling. E.g.:

# sssctl domain-list
rhel75.devel
ChIlD.ad.devel
ad.devel

-> sssd.conf
...
[domain/rhel75.devel/ChIlD.ad.devel]
ldap_user_ssh_public_key = myChildAttrbuteName


If you switch on debug_level=9 you should see in the domain log the requested attributes:

...
(Mon Jul  9 12:28:12 2018) [sssd[be[rhel75.devel]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jul  9 12:28:12 2018) [sssd[be[rhel75.devel]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jul  9 12:28:12 2018) [sssd[be[rhel75.devel]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [myChildAttrbuteName]
(Mon Jul  9 12:28:12 2018) [sssd[be[rhel75.devel]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Mon Jul  9 12:28:12 2018) [sssd[be[rhel75.devel]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Mon Jul  9 12:28:12 2018) [sssd[be[rhel75.devel]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
...

HTH

bye,
Sumit

Comment 6 josip.domsic+bugzilla 2018-07-09 13:10:58 UTC

Hi,

Checked the spelling - everything as expected (no typos, all lowercase)
sudo sssctl domain-list
ipa.domain
ad.domain

The error in the logs is the same:

(Mon Jul  9 13:30:40:945930 2018) [sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_subdomain_options]: Attribute 'ldap_user_ssh_public_key' is not allowed in section 'domain/ipa.domain/ad.domain'. Check for typos.


However, clearing cache helped...
sss_cache -E


And now that I see it, I can only login once after clearing cache. Is this expected?

Comment 7 Sumit Bose 2018-07-09 14:32:28 UTC

The debug message is shown because the validator is too picky.

Do I understand correctly that you can log in with ssh and pubkey authentication once and before you can log in a second time you have to call 'sss_cache -E'?

If run 'ssh ...', 'exit' cycles multiple times without issues. Can you added 'debug_level=9' to the [ssh] section of sssd.conf, restart SSSD, run your test again and attach /var/log/sssd/sssd_ssh.log to this ticket?

bye,
Sumit

Comment 8 josip.domsic+bugzilla 2018-07-10 12:39:57 UTC

Hi Sumit,

Yes, you understand correctly.

Logs attached. (only logs between running ssh and after successful/unsuccessful login) 

Success.txt:
1) cleared cache
2) restarted sssd.conf
3) run ssh
4) got bash

Fail.txt
1) logout
1) run ssh again
3) get prompted for password

Comment 9 josip.domsic+bugzilla 2018-07-10 12:41:09 UTC

Created attachment 1457811 [details]
Failed ssh with public-key from AD (after initial success)

Comment 10 josip.domsic+bugzilla 2018-07-10 12:41:53 UTC

Created attachment 1457813 [details]
Successful log to ssh server via AD public-key

Comment 11 josip.domsic+bugzilla 2018-07-10 12:46:58 UTC

Additionally, this only happens on ipa-servers (trust agents), and not other linux servers (ipa-clients).

Difference in configuration between ipa-servers and ipa-clients is in sssd.conf

[domain/ipa.domain/ad.domain]
ldap_user_ssh_public_key = sshPublicKey

(and of course ipa_server_mode = True, etc...)

Comment 12 Sumit Bose 2018-07-10 14:23:09 UTC

Thanks the logs do not show anything suspicious. Next would be to check the sshd logs. For this please add 'LogLevel DEBUG3' to /etc/ssh/sshd_config and restart sshd.

sshd will use the /usr/bin/sss_ssh_authorizedkeys command to get the allowed public keys from SSSD. I can see the following for a successful authentication in my logs:

Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: subprocess: AuthorizedKeysCommand command "/usr/bin/sss_ssh_authorizedkeys tu1" running as nobody
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug1: restore_uid: 0/0
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: subprocess: AuthorizedKeysCommand pid 4506
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug1: matching key found: file /usr/bin/sss_ssh_authorizedkeys, line 1 RSA SHA256:0yvy65NczeZGoKC7vDsfGdFie613hJu4FXDYm+HytNs
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug1: restore_uid: 0/0
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_answer_keyallowed: key 0x55f499fb36a0 is allowed
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_send entering: type 23
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_key_verify entering [preauth]
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_send entering: type 24 [preauth]
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_receive_expect entering: type 25 [preauth]
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_receive entering [preauth]
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_receive entering
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: monitor_read: checking request 24
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_answer_keyverify: key 0x55f499fb3510 signature verified
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_send entering: type 25
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_receive_expect entering: type 102
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_receive entering
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug1: do_pam_account: called
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Jul  9 16:30:12 ipaserver75 sshd[4503]: debug3: mm_request_send entering: type 103
Jul  9 16:30:12 ipaserver75 sshd[4503]: Accepted publickey for tu1 from ::1 port 54020 ssh2: RSA SHA256:0yvy65NczeZGoKC7vDsfGdFie613hJu4FXDYm+HytNs

Do you see any errors here?

Comment 14 Sumit Bose 2018-07-10 16:49:23 UTC

Thank you for the ssh logs. I assume the key gets removed from the cache during the access control check where SSSD unconditionally refreshes the user entry to make sure the group memberships of the user are up-to-date for the access control checks.

You could confirm this by calling "/usr/bin/sss_ssh_authorizedkeys USER" manually after logging in. Here no key should be returned. If that's the case I'd like to ask you to add debug_level=9 to the [domain/...] section of sssd.conf and restart SSSD.

Then login with ssh and public-key authentication and call the sss_ssh_authorizedkeys. Please attach the SSSD domain log file as a private attachement to this ticket (or send it to me directly if you prefer).

Comment 15 Sumit Bose 2018-07-11 08:06:13 UTC

I have an idea, maybe the second user lookup uses the Global Catalog, which does not have the sshPublicKey attribute replicated. I'll try to verify this in my setup as well.

Comment 16 josip.domsic+bugzilla 2018-07-11 08:23:43 UTC

Hi,

Yes, that is the case. (No key is returned after logging in, when manually calling sss_ssh_authorizedkeys USER).

Will upload the logs now.

Comment 17 josip.domsic+bugzilla 2018-07-11 08:51:16 UTC

So, I tried your suggestion:

sshPublicKey is set to "Replicate To Global Catalog" on ActiveDirectory.

It works now on ipa-servers as well. :)

Thank you!

Comment 18 Sumit Bose 2018-07-11 09:42:13 UTC

Oh, great, if it is easy for you to replicate sshPublicKey to the Global Catalog then this is the best solution.

The logs you send say 'Removing attribute [sshPublicKey]' when reading from the global catalog. This is kind of a known issue with the Global Catalog https://pagure.io/SSSD/sssd/issue/2474. But since we recently add support the read the list of replicated attributes (partial attribure set) we might now have a proper way to decide when to remove an attribute and when to keep it when getting data from the Global Catalog.

So there are two thing to fix:
 - the config validator should accept ldap_user_ssh_public_key (and I guess all other ldap_user_* and ldap_group_* options) for subdomain configuration
 - https://pagure.io/SSSD/sssd/issue/2474

Comment 19 Jakub Hrozek 2018-07-11 18:31:03 UTC

(In reply to Sumit Bose from comment #18)
> Oh, great, if it is easy for you to replicate sshPublicKey to the Global
> Catalog then this is the best solution.
> 
> The logs you send say 'Removing attribute [sshPublicKey]' when reading from
> the global catalog. This is kind of a known issue with the Global Catalog
> https://pagure.io/SSSD/sssd/issue/2474. But since we recently add support
> the read the list of replicated attributes (partial attribure set) we might
> now have a proper way to decide when to remove an attribute and when to keep
> it when getting data from the Global Catalog.
> 

Thank you for your detective work on this. I renamed the bug so that it's easier for us to see what is going on in the future.

> So there are two thing to fix:
>  - the config validator should accept ldap_user_ssh_public_key (and I guess
> all other ldap_user_* and ldap_group_* options) for subdomain configuration

https://pagure.io/SSSD/sssd/issue/3772

>  - https://pagure.io/SSSD/sssd/issue/2474

OK, I'll link this BZ with https://pagure.io/SSSD/sssd/issue/3538 as well.

Comment 20 Jakub Hrozek 2018-07-11 18:56:41 UTC

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/2474

Comment 21 Jakub Hrozek 2018-07-11 18:57:29 UTC

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3538

Comment 22 Jakub Hrozek 2019-02-06 21:32:51 UTC

*** Bug 1666042 has been marked as a duplicate of this bug. ***

Comment 23 Jakub Hrozek 2019-02-27 16:18:21 UTC

Upstream fixes:
    master:
        3cb9a3d
        b2352a0
        eaece8b
    sssd-1-16:
        f80dad6
        0b5a359
        8ffc64c

Comment 28 anuja 2019-08-20 06:42:28 UTC

Verified as per steps from comment #26 and comment #27

Verified Using Version:
ipa-server-4.8.0-8.module+el8.1.0+3977+ec23ef34.x86_64
sssd-ipa-2.2.0-11.el8.x86_64
------------------------------------------------------

[root@ipaqavmd ~]# grep "subdomain_homedir = %o" /etc/sssd/sssd.conf 
subdomain_homedir = %o
[root@ipaqavmd ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@ipaqavmd ~]# 
[root@ipaqavmd ~]# getent initgroups -s sss bz1194345
bz1194345 1577600513
[root@ipaqavmd ~]# getent passwd bz1194345
bz1194345:*:1577620053:1577620053:bz1194345:/my/test/homedir:
[root@ipaqavmd ~]# 
[root@ipaqavmd ~]# grep "get_subdomain_homedir_of_user failed" /var/log/sssd/sssd_testrelm.test.log 
[root@ipaqavmd ~]# echo $?
1
[root@ipaqavmd ~]# 

As per fix after 'getent initgroups -s sss' there are no errors are reported in logs.
And the home directory is as expected after 'getent initgroups -s sss'
Based on this marking bz as verified.

Comment 30 errata-xmlrpc 2019-11-05 22:33:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3651

Note You need to log in before you can comment on or make changes to this bug.