Bug 1786341 - SSSD doesn't honour the customized ID view created in IPA
Summary: SSSD doesn't honour the customized ID view created in IPA
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Pavel Březina
QA Contact: ipa-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2019-12-24 14:33 UTC by Ming Davies
Modified: 2024-04-14 04:25 UTC

Fixed In Version: sssd-1.16.5-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1826720
Environment:
Last Closed: 2020-09-29 19:49:11 UTC
Target Upstream Version:
Embargoed:
striker: needinfo-


Links:
System / ID / Status / Summary / Last Updated
GitHub SSSD/sssd issue 5128 | closed | SSSD doesn't honour the customized ID view created in IPA | 2021-01-05 08:47:12 UTC
Red Hat Issue Tracker SSSD-2173 | - | - | 2023-09-07 21:22:31 UTC
Red Hat Issue Tracker SSSD-2357 | - | - | 2023-09-07 21:22:41 UTC
Red Hat Product Errata RHBA-2020:3904 | - | - | 2020-09-29 19:50:15 UTC

Description Ming Davies 2019-12-24 14:33:44 UTC
Description of problem:
SSSD doesn't honour the customized ID view created in IPA.
The trusted AD users lose their AD domain suffix roughly 5 minutes later, which causes a problem with the sudorule, as the sudorule is defined for <ad accountname>@<AD domain>.

Version-Release number of selected component (if applicable):
sssd-1.16.4-21.el7_7.1.x86_64
sssd-client-1.16.4-21.el7_7.1.x86_64
sssd-ipa-1.16.4-21.el7_7.1.x86_64
sssd-ad-1.16.4-21.el7_7.1.x86_64


How reproducible:
The issue can easily be reproduced.


Steps to Reproduce:
1. Establish AD trust with IPA
2. Create a customized ID view on the IPA server 
# ipa idview-show "Madrid Trust View" --all
  dn: cn=Madrid Trust View,cn=views,cn=accounts,dc=lx,dc=testdomain,dc=com
  ID View Name: Madrid Trust View
  User object overrides: bmorgan.com, cmorgan.com
  Hosts the view applies to: ipaclient.lx.testdomain.com
  objectclass: ipaIDView, top, nsContainer

3. Override the uid, gid and home directory for a trusted AD user on the IPA server:
# ipa idoverrideuser-show  "Madrid Trust View"  "bmorgan.com" --all
  dn: ipaanchoruuid=:SID:S-1-5-21-2806753506-2769157711-2121680027-1108,cn=Madrid Trust View,cn=views,cn=accounts,dc=lx,dc=testdomain,dc=com
  Anchor to override: bmorgan.com
  UID: 10001
  GID: 10000
  Home directory: /home/bmorgan
  ipaoriginaluid: bmorgan.com
  objectclass: ipaOverrideAnchor, top, ipaUserOverride, ipasshuser, ipaSshGroupOfPubKeys


4. Stop the SSSD, clear the old SSSD cache and restart SSSD on an IPA client
# date; rm -rf /var/log/sssd/*  /var/lib/sss/{mc,db}/*
Tue 24 Dec 11:27:51 GMT 2019
# date; systemctl start sssd
Tue 24 Dec 11:28:40 GMT 2019


5. As root on the IPA client:
# ldbsearch -H cache_lx.testdomain.com.ldb > /var/tmp/ldbsearch-before.txt
asq: Unable to register control with rootdse!
# ldbsearch -H timestamps_lx.testdomain.com.ldb > /var/tmp/ldbsearch-before-timestamp.txt 
# date; sssctl user-checks bmorgan.com
Tue 24 Dec 11:30:54 GMT 2019
user: bmorgan.com
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: bmorgan.com
 - user id: 10001
 - group id: 10000
 - gecos: Beth Morgan
 - home directory: /home/bmorgan
 - shell: 

SSSD InfoPipe user lookup result:
 - name: bmorgan.com
 - uidNumber: 10001
 - gidNumber: 10000
 - gecos: Beth Morgan
 - homeDirectory: /home/bmorgan
 - loginShell: 

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -
# date; sssctl user-show bmorgan.com
Tue 24 Dec 11:31:02 GMT 2019
Name: bmorgan.com
Cache entry creation date: 12/24/19 11:28:45
Cache entry last update time: 12/24/19 11:30:54
Cache entry expiration time: 12/24/19 13:00:54
Initgroups expiration time: 12/24/19 13:00:54
Cached in InfoPipe: No


6. As the trusted AD user on the IPA client:
# su - bmorgan.com
Creating home directory for bmorgan.com.
Last login: Tue Dec 24 11:04:46 GMT 2019 on pts/1
-sh-4.2$ date; ls -al
Tue 24 Dec 11:29:05 GMT 2019
total 12
drwx------. 5 bmorgan.com adminfr 107 Dec 24 11:28 .
drwxr-xr-x. 4 root                      root     33 Dec 24 11:28 ..
-rw-------. 1 bmorgan.com adminfr  18 Dec 24 11:28 .bash_logout
-rw-------. 1 bmorgan.com adminfr 193 Dec 24 11:28 .bash_profile
-rw-------. 1 bmorgan.com adminfr 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 bmorgan.com adminfr  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 bmorgan.com adminfr  18 Dec 24 11:28 .config
drwx------. 4 bmorgan.com adminfr  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; ls -an
Tue 24 Dec 11:29:21 GMT 2019
total 12
drwx------. 5 10001 10000 107 Dec 24 11:28 .
drwxr-xr-x. 4     0     0  33 Dec 24 11:28 ..
-rw-------. 1 10001 10000  18 Dec 24 11:28 .bash_logout
-rw-------. 1 10001 10000 193 Dec 24 11:28 .bash_profile
-rw-------. 1 10001 10000 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .config
drwx------. 4 10001 10000  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; getent passwd 10001
Tue 24 Dec 11:29:30 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
-sh-4.2$ date; id
Tue 24 Dec 11:29:43 GMT 2019
uid=10001(bmorgan.com) gid=10000(adminfr) groups=10000(adminfr),130800513(domain users.com),130801109(employees.com),926800005(madrid_admins),926800006(madrid_adminfr_internal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ date; sudo -ll
Tue 24 Dec 11:29:50 GMT 2019
[sudo] password for bmorgan.com: 
Matching Defaults entries for bmorgan.com on ipa76client:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User bmorgan.com may run the following commands on ipaclient:

LDAP Role: madrid-sudorule
    RunAsUsers: root
    Commands:
	/usr/bin/less
	!/usr/bin/chcon

-sh-4.2$ date; strings /var/lib/sss/mc/passwd
Tue 24 Dec 11:30:03 GMT 2019
bmorgan.com      <<<<<<<<<<<<<<<<<<<<<<
Beth Morgan
/home/bmorgan
-sh-4.2$ while true;
> do date; getent passwd 10001; sleep 30; done | tee -a /var/tmp/b.txt
Tue 24 Dec 11:30:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:30:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:31:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:31:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:32:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:32:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:53 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:   <<<<<<<<<<<<<<<<<<<<Roughly five minutes later>>>>>>>>>>>>>>>>>>>>>>>>
Tue 24 Dec 11:34:23 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:34:53 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:35:23 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
^C
-sh-4.2$  date; ls -al
Tue 24 Dec 11:35:47 GMT 2019
total 16
drwx------. 5 bmorgan adminfr 128 Dec 24 11:35 .
drwxr-xr-x. 4 root    root     33 Dec 24 11:28 ..
-rw-------. 1 bmorgan adminfr 207 Dec 24 11:35 .bash_history
-rw-------. 1 bmorgan adminfr  18 Dec 24 11:28 .bash_logout
-rw-------. 1 bmorgan adminfr 193 Dec 24 11:28 .bash_profile
-rw-------. 1 bmorgan adminfr 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 bmorgan adminfr  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 bmorgan adminfr  18 Dec 24 11:28 .config
drwx------. 4 bmorgan adminfr  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; ls -an
Tue 24 Dec 11:35:55 GMT 2019
total 16
drwx------. 5 10001 10000 128 Dec 24 11:35 .
drwxr-xr-x. 4     0     0  33 Dec 24 11:28 ..
-rw-------. 1 10001 10000 207 Dec 24 11:35 .bash_history
-rw-------. 1 10001 10000  18 Dec 24 11:28 .bash_logout
-rw-------. 1 10001 10000 193 Dec 24 11:28 .bash_profile
-rw-------. 1 10001 10000 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .config
drwx------. 4 10001 10000  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; getent passwd 10001
Tue 24 Dec 11:36:00 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
-sh-4.2$ date; id
Tue 24 Dec 11:36:05 GMT 2019
uid=10001(bmorgan) gid=10000(adminfr) groups=10000(adminfr),130800513(domain users.com),130801109(employees.com),926800005(madrid_admins),926800006(madrid_adminfr_internal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$  date; sudo -ll
Tue 24 Dec 11:36:09 GMT 2019

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bmorgan: 
Sorry, try again.
[sudo] password for bmorgan: 
Sorry, try again.
[sudo] password for bmorgan: 
sudo: 3 incorrect password attempts
-sh-4.2$ date; strings /var/lib/sss/mc/passwd
Tue 24 Dec 11:36:33 GMT 2019
bmorgan                      <<<<<<<<<<<<<<<<<<<<<<<
Beth Morgan
/home/bmorgan


One interesting point: running "id -a bmorgan.com" as root seems to fix the issue temporarily.

Actual results:


Expected results:


Additional info:
No problem with the "Default trust view"

Comment 3 Ming Davies 2020-01-14 07:29:30 UTC
Any updates please?

Comment 12 Pavel Březina 2020-03-24 12:04:25 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4173

Comment 13 Pavel Březina 2020-03-25 11:19:59 UTC
Upstream PR:
https://github.com/SSSD/sssd/pull/1011

Comment 18 Pavel Březina 2020-04-22 11:11:37 UTC
* `master`
    * 1b84c3a1f17f59e134bb882f0f15109d18599193 - sysdb: check if the id override belongs to requested domain
* `sssd-1-16`
    * a63e00fd3464524c012687c85cd67fa0468ba913 - sysdb: check if the id override belongs to requested domain

Comment 21 anuja 2020-06-08 09:39:36 UTC
Verification Steps:
1. Establish AD trust with IPA
2. Create a customized ID view on the IPA server
3. Override the uid, gid and home directory for a trusted AD user on the IPA server
4. Stop the SSSD, clear the old SSSD cache and restart SSSD on an IPA client
5. su - aduser
6. sh script.sh
7. cat script.sh
#!/bin/sh
# Poll the passwd entry SSSD returns for UID 10001 every 30 s, up to 15 times,
# and stop at the first round in which the overridden name "aduser1" is no
# longer returned (bug 1786341 reproduced).
x=1
while [ "$x" -le 15 ]
do
    pwd
    if ! getent passwd 10001 | grep -w "aduser1"; then
        echo "1786341 found at count $x"
        break
    fi
    x=$(( x + 1 ))
    sleep 30
done
------------------------------------------------------------------
Reproduced Using:
ipa-server-4.6.4-10.el7_6.6.x86_64
sssd-1.16.2-13.el7_6.8.x86_64

Console Logs: 
2020-06-08T07:12:09+0000 + ipa idoverrideuser-mod 'Madrid Trust View' aduser1 --uid=10001 --gid=10000 --homedir=/home/aduser1
2020-06-08T07:12:09+0000 ---------------------------------------------------
2020-06-08T07:12:09+0000 Modified an User ID override "aduser1"
2020-06-08T07:12:09+0000 ---------------------------------------------------
2020-06-08T07:12:09+0000   Anchor to override: aduser1
2020-06-08T07:12:09+0000   UID: 10001
2020-06-08T07:12:09+0000   GID: 10000
2020-06-08T07:12:09+0000   Home directory: /home/aduser1

On ipa-client
---------------------------------------------------------------------
#rm -rf /var/lib/sss/db/cache_ipa.test.ldb /var/lib/sss/db/ccache_IPA.TEST /var/lib/sss/db/config.ldb /var/lib/sss/db/sssd.ldb /var/lib/sss/db/timestamps_ipa.test.ldb /var/lib/sss/mc/group /var/lib/sss/mc/initgroups /var/lib/sss/mc/passwd
#su - aduser1 -c 'sh script.sh'

2020-06-08T07:12:13+0000 /home/aduser1
2020-06-08T07:12:13+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
...
...
2020-06-08T07:17:43+0000 /home/aduser1
2020-06-08T07:17:43+0000 1786341 found at count 12
Reproduced within 5 minutes.
----------------------------------------------------------------------

Verified Using:
----------------------------------------------------------------------

sssd-1.16.5-10.el7.x86_64
ipa-server-4.6.8-4.el7.x86_64

2020-06-08T07:58:22+0000 /home/aduser1
2020-06-08T07:58:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T07:58:52+0000 /home/aduser1
2020-06-08T07:58:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T07:59:22+0000 /home/aduser1
2020-06-08T07:59:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T07:59:52+0000 /home/aduser1
2020-06-08T07:59:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:00:22+0000 /home/aduser1
2020-06-08T08:00:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:00:52+0000 /home/aduser1
2020-06-08T08:00:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:01:22+0000 /home/aduser1
2020-06-08T08:01:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:01:52+0000 /home/aduser1
2020-06-08T08:01:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:02:22+0000 /home/aduser1
2020-06-08T08:02:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:02:52+0000 /home/aduser1
2020-06-08T08:02:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:03:22+0000 /home/aduser1
2020-06-08T08:03:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:03:52+0000 /home/aduser1
2020-06-08T08:03:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:04:22+0000 /home/aduser1
2020-06-08T08:04:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:04:52+0000 /home/aduser1
2020-06-08T08:04:52+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
2020-06-08T08:05:22+0000 /home/aduser1
2020-06-08T08:05:22+0000 aduser1:*:10001:10000:aduser1:/home/aduser1:
Not able to reproduce within 6 minutes.
Based on this, marking the BZ as verified.
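As an added example (not part of this bug report, and not SSSD code), the drift check that the reporter's polling loop in the description and the verification script in comment 21 perform by eye, run over a constructed log in the same alternating date/passwd format: it reports how long after the first sample the resolved entry stopped matching the IPA override, and which field changed. The sample log, the expected values and all function names are constructed for illustration.

```python
"""Detect when the passwd entry SSSD resolves for a UID drifts from the IPA ID override."""
from datetime import datetime

# Constructed sample modelled on the `date; getent passwd 10001` loop in the
# bug description: good samples, then the name loses its domain suffix.
SAMPLE_LOG = """\
Tue 24 Dec 11:30:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:53 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:34:23 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
"""

# Values from the override (uid, gid, home) plus the domain-qualified name the
# sudo rule is written for; constructed to match the sample above.
EXPECTED = {"name": "bmorgan.com", "uid": "10001", "gid": "10000", "home": "/home/bmorgan"}

DATE_FMT = "%a %d %b %H:%M:%S %Z %Y"  # format produced by `date` in the log


def parse_passwd(line):
    """Split a passwd(5) line into the fields compared against the override."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd entry: %r" % line)
    return {"name": fields[0], "uid": fields[2], "gid": fields[3], "home": fields[5]}


def samples(log_text):
    """Yield (timestamp, entry) pairs from the alternating date/passwd log."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    for stamp, entry in zip(lines[0::2], lines[1::2]):
        yield datetime.strptime(stamp, DATE_FMT), parse_passwd(entry)


def first_drift(log_text, expected):
    """Return (seconds since first sample, field, observed value) for the first
    sample that disagrees with the override, or None if every sample matched."""
    start = None
    for stamp, entry in samples(log_text):
        start = start or stamp
        for field, want in expected.items():
            if entry[field] != want:
                return int((stamp - start).total_seconds()), field, entry[field]
    return None


if __name__ == "__main__":
    print(first_drift(SAMPLE_LOG, EXPECTED))  # (210, 'name', 'bmorgan')
```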

Comment 23 errata-xmlrpc 2020-09-29 19:49:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904

Comment 24 Red Hat Bugzilla 2024-04-14 04:25:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

