Bug 1853703 - Unexpected behavior and issue with filter_users/filter_groups option [rhel-7.9.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.8
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: Madhuri
URL:
Whiteboard: sync-to-jira review qetodo
Depends On:
Blocks:
Reported: 2020-07-03 15:10 UTC by Akshay Sakure
Modified: 2023-10-07 10:09 UTC (History)

Fixed In Version: sssd-1.16.5-10.el7_9.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-15 11:22:17 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5238 0 None closed Unexpected behavior and issue with filter_users/filter_groups option 2020-12-30 15:45:38 UTC
Red Hat Issue Tracker SSSD-2601 0 None None None 2023-10-07 10:09:56 UTC

Description Akshay Sakure 2020-07-03 15:10:29 UTC
Description of problem:
Add new option 'filter_subdomains = Yes/No', that can be added to filter the user list also for all subdomains handled by this domain section. 
Default is 'No' to keep it backwards compatible

Version-Release number of selected component (if applicable):
sssd

Comment 4 Sumit Bose 2020-07-06 08:42:28 UTC
Hi,

I do not see a reason for this RFE. If a short name, i.e. without a '@domain.name' part, is given with the 'filter_users' option, this name should be filtered for all domains and sub-domains when given in the [nss] section, and for the given domain and all its sub-domains when given in the [domain/...] section. I agree that the sssd.conf man page can be more specific about this.

If there is an issue with this behavior, please add logs with 'debug_level = 9' in the [nss] and [domain/...] sections which cover a 'getent passwd username' lookup for the name which is expected to be filtered out.

bye,
Sumit

Comment 5 Peter Vreman 2020-07-06 11:55:06 UTC
Bose,

Instead of a RFE it is then a Bug.
See the attached case for the discussion and sssd logs that show that the filter_users in the [domain/...] section only adds the name to the negative cache for the domain itself and not for the subdomains.

Peter

Comment 6 Sumit Bose 2020-07-06 15:59:52 UTC
(In reply to Peter Vreman from comment #5)
> Bose,
> 
> Instead of a RFE it is then a Bug.
> See the attached case for the discussion and sssd logs that shows that the
> filter_users in the [domain/...] section only adds the name to the negative
> cache for the domain itself and not for the subdomains.

Hi,

if you are referring to your comment from "Tue, May 26, 2020, 1:00:08 PM GMT+2" this might be expected as long as the other domains are not discovered by the client. That's why it is important for me to see at least the full nss and domain logs with debug_level=9 to understand why the filtering does not work as expected. Would it be possible to add the logs I asked for in comment #4 to the case together with sssd.conf?

I tried to reproduce the issue with a sssd.conf very similar to yours but so far the filtering was working as expected with short names in the 'filter_users' option in the [domain/...] section.

bye,
Sumit

> 
> Peter

Comment 7 Peter Vreman 2020-07-06 16:25:28 UTC
Sumit, I have updated the case with the configuration used and a tarball with all sssd logs at debug_level 9.

Although this BZ was originally created for RHEL7, with the lifecycle status of RHEL7 I executed the reproducer on RHEL8 and gathered the logs on a RHEL8.2 server to make sure I had the latest sssd running and the behaviour was not changed yet in RHEL8.

Comment 8 Alexey Tikhonov 2020-07-07 09:43:14 UTC
JFTR: there is another open BZ wrt weird behaviour of negative cache for sub-domain: bz 1828483

(sorry I didn't yet check if this is the same, merely a note to not miss this)

Comment 9 Sumit Bose 2020-07-07 18:36:50 UTC
(In reply to Peter Vreman from comment #7)
> Sumit, I have updated the case with the configuration used and a tarball
> with all sssd logs at debug_level 9.
> 
> Although this BZ was originally created for RHEL7, with the lifecycle
> status of RHEL7 I executed the reproducer on RHEL8 and gathered the logs on
> a RHEL8.2 server to make sure I had the latest sssd running and the behaviour
> was not changed yet in RHEL8.

Hi,

thanks for sssd.conf and the logs. It looks like if 'filter_users' is used in both the [nss] and the [domain/...] section, the two options are not merged together properly. I wonder if you can check if it works better if you remove/comment-out 'filter_users' in the [nss] section?

bye,
Sumit

Comment 10 Sumit Bose 2020-07-08 13:02:37 UTC
Hi,

I have opened https://github.com/SSSD/sssd/issues/5238 to track the fixes for the observed issues.

bye,
Sumit

Comment 11 Alexey Tikhonov 2020-07-09 09:06:03 UTC
Setting needinfo based on the comment 9

Comment 12 Peter Vreman 2020-07-10 12:50:20 UTC
The requested test of using filter_users only in [domain/...] was executed. Updated conf and logs with debug_level=9 were provided in the attached case.

Summary of test result: With filter_users=heat only in [domain/...], the filter_users is applied to all domains, including the files domain that should not be part of the filtering.

Comment 16 Alexey Tikhonov 2020-10-12 18:27:50 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/5361

Comment 18 Pavel Březina 2020-11-12 10:23:15 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5361

* `master`
    * fa4b46e7de7297da3c0e37913eab8cba7f103629 - negcache: do not use default_domain_suffix
    * 0dc81a52e2836010974e9f71b1f3e47c20fd498d - negcache: make sure short names are added to sub-domains
    * 385af99ff4d5a75d0c1edc9ad830da3eb7478295 - utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
    * 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe - negcache: make sure domain config does not leak into global
* `sssd-1-16`
    * 56d509ad3001101f04c4af050c3da7472032e4cb - negcache: do not use default_domain_suffix
    * c3207deee7411456827e69d0b72d7d44e7458853 - negcache: make sure short names are added to sub-domains
    * ea32d0eb61336858aa23697b4e91d420481fc3e2 - utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
    * 96bdcbb4441ddf05c065bbafa88e5691300424d1 - negcache: make sure domain config does not leak into global

Comment 23 Madhuri 2020-12-04 16:31:38 UTC
Reproduced with:

sssd-1.16.5-10.el7_9.5.x86_64 

Reproduction steps:
1) Create an AD forest and add the corresponding user in each domain

2) Add filter_users/filter_groups in the root domain section with the added user or group
(filter_users = child_user1); also add filter_users/filter_groups in the [nss] section
with non-existing users/groups

[sssd]
config_file_version = 2
services = nss, pam
domains = t3for12r79.com

[domain/t3for12r79.com]
id_provider = ad
ad_domain = t3for12r79.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
krb5_auth_timeout = 15
debug_level = 9
filter_users =  child_user1

[nss]
debug_level = 9
filter_users =  abc


3) check user/group lookup

[root@client1 ~]# getent passwd child_user1.com
child_user1.com:*:954201113:954201113:child_user1:/home/t3cfor12r79.t3for12r79.com/child_user1:/bin/bash


with 
[root@client1 ~]# cat /etc/sssd/sssd.conf | grep filter
filter_groups =  child_nested_group2
filter_groups =  xyz

[root@client1 ~]# getent group child_nested_group2.com
child_nested_group2.com:*:954201120:tree_user1,user1


4) update the sssd with the latest version:
from yum.log,

Dec 04 11:02:31 Updated: libsss_idmap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: python-sssdconfig-1.16.5-10.el7_9.6.noarch
Dec 04 11:02:31 Updated: libsss_nss_idmap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-client-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libsss_sudo-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libipa_hbac-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: libsss_autofs-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-common-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-krb5-common-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-common-pac-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ad-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ipa-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-krb5-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-ldap-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: python-sss-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-proxy-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:31 Updated: sssd-dbus-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: libsss_simpleifp-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: sssd-tools-1.16.5-10.el7_9.6.x86_64
Dec 04 11:02:32 Updated: sssd-1.16.5-10.el7_9.6.x86_64


5) check user and group lookup again,

[root@client1 ~]# getent group child_nested_group2.com

[root@client1 ~]# getent passwd child_user1.com

User and group lookup is not successful,
thus marking this bug as verified.

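A small model of the filtering semantics described in comment 4 (short names in [nss] apply to all domains, short names in [domain/X] apply to X and its sub-domains, qualified names only to the domain they name), exercised against a configuration shaped like the reproducer above. This is an added example, not sssd's own code: the sssd.conf fragment and the sub-domain map are constructed, and `parse_filters`/`is_filtered` are hypothetical helpers.

```python
import configparser

# Constructed sssd.conf fragment modelled on the reproducer (not the reporter's
# full config); the 'files' domain is included to show the leak from comment 12.
SAMPLE_CONF = """
[sssd]
domains = files, t3for12r79.com

[nss]
filter_users = abc

[domain/files]
id_provider = files

[domain/t3for12r79.com]
id_provider = ad
filter_users = child_user1, bob@t3for12r79.com
"""

# Assumed forest layout: sssd discovers sub-domains at runtime, here they are
# listed explicitly (parent -> set of sub-domains).
SUBDOMAINS = {"t3for12r79.com": {"t3cfor12r79.t3for12r79.com"}}


def parse_filters(conf_text, key="filter_users"):
    """Return (names from [nss], {domain: names from [domain/<domain>]})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    global_names, domain_names = set(), {}
    for section in cp.sections():
        raw = cp[section].get(key)
        if raw is None:
            continue
        names = {n.strip().lower() for n in raw.split(",") if n.strip()}
        if section == "nss":
            global_names |= names
        elif section.startswith("domain/"):
            domain_names[section[len("domain/"):].lower()] = names
    return global_names, domain_names


def is_filtered(name, lookup_domain, global_names, domain_names, subdomains=SUBDOMAINS):
    """Expected post-fix behaviour: True if `name` resolved in `lookup_domain` is blocked."""
    name, lookup_domain = name.lower(), lookup_domain.lower()
    # Domain sections in scope: the lookup domain itself plus any configured
    # parent it is a sub-domain of. Unrelated domains (e.g. 'files') stay out.
    in_scope = {d for d in domain_names
                if d == lookup_domain or lookup_domain in subdomains.get(d, ())}
    candidates = set(global_names).union(*(domain_names[d] for d in in_scope))
    for entry in candidates:
        short, _, qualifier = entry.partition("@")
        # a short entry matches any domain in scope; a qualified one only its own domain
        if short == name and (not qualifier or qualifier == lookup_domain):
            return True
    return False
```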
Comment 27 errata-xmlrpc 2020-12-15 11:22:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5459

