It was found that if an account with a name corresponding to an account local to a system, such as 'root', was created via IPA, such an account could access any enrolled machine as that account, with the local system privileges. This also bypasses the absence of explicit HBAC rules. If an attacker was able to create or influence the creation of a username in such a way that it corresponds to a privileged local account for a system, the attacker could use the newly created account to access the system, inheriting the privileges corresponding to the local account.
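The condition described in the report is a name collision: a directory principal whose login name matches an account the host already defines in /etc/passwd. A quick audit for that condition, as an added example (not FreeIPA's or Red Hat's code): compare the host's local passwd entries with the list of user names the IPA directory serves and flag the overlaps, putting uid 0 and other system accounts first. The /etc/passwd text and the IPA user list below are constructed sample data; on a real host you would feed it `getent passwd -s files` for the local side and `getent passwd -s sss` or `ipa user-find` output for the directory side.

```python
#!/usr/bin/env python3
"""Audit which directory (IPA) user names collide with local host accounts.

Added example for this bug report; not FreeIPA's or Red Hat's code.
All input data below is constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed sample of a host's local /etc/passwd (files source only).
SAMPLE_LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
"""

# Constructed list of login names as returned by the IPA directory.
SAMPLE_IPA_USERS = ["admin", "root", "postgres", "bob", "sshd"]

# UIDs below this value are treated as system/privileged local accounts
# (the common login.defs UID_MIN on RHEL/Fedora is 1000).
SYSTEM_UID_MAX = 1000


def parse_passwd(text: str) -> Dict[str, Tuple[int, str]]:
    """Map login name -> (uid, shell) for every well-formed passwd line."""
    entries: Dict[str, Tuple[int, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines instead of guessing at them
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        try:
            entries[name] = (int(uid), shell)
        except ValueError:
            continue  # non-numeric uid: malformed, skip
    return entries


def find_collisions(local_passwd_text: str, ipa_names: Iterable[str]) -> List[dict]:
    """Return IPA names that shadow a local account, most sensitive first.

    A hit is 'privileged' when the local account is a system account (low UID)
    and 'login_shell' when that account has a usable shell; uid 0 sorts first.
    """
    local = parse_passwd(local_passwd_text)
    hits: List[dict] = []
    for name in ipa_names:
        if name not in local:
            continue
        uid, shell = local[name]
        hits.append({
            "name": name,
            "local_uid": uid,
            "shell": shell,
            "privileged": uid < SYSTEM_UID_MAX,
            "login_shell": not shell.endswith("nologin") and shell != "/bin/false",
        })
    hits.sort(key=lambda h: (h["local_uid"] != 0, not h["privileged"], h["name"]))
    return hits


def main() -> None:
    for hit in find_collisions(SAMPLE_LOCAL_PASSWD, SAMPLE_IPA_USERS):
        kind = "PRIVILEGED" if hit["privileged"] else "user"
        shell = "login shell" if hit["login_shell"] else "no login shell"
        print(f"{hit['name']:<10} uid={hit['local_uid']:<5} {kind:<10} {shell}")


if __name__ == "__main__":
    main()
```

On the sample data the script reports root, postgres and sshd as collisions, with root first. The script only finds the overlap; it does not decide whether a given overlap is exploitable on a particular host, which depends on the host's NSS order and PAM stack. SSSD's `filter_users` / `filter_groups` options in the `[nss]` section of sssd.conf exclude names from the sss NSS source and default to `root`, so a directory user named `root` is already filtered on the NSS side by default; names of other local system accounts are not filtered unless an administrator adds them.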
Without any details on the scenario, it is impossible to understand what 'flaw' is described here. Please take at least some time to substantiate your claims.
For now this bug is for investigation only, more information will be shared soon.
We cannot investigate without additional information. Can you at least provide a reproducer and example?
Acknowledgments: Julian Catrambone, Mike Losapio
Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1847097]
External References: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/defining-roles
Statement: Roles are used to classify permitted actions but are not used as a tool to implement privilege separation or to protect from privilege escalation. As a result, using privileges to gain additional privileges is not something considered unexpected. This bug has been rejected as a security flaw. Privileges should be reserved for trusted persons.