Bug 1874015 - ipa hbacrule-add-service --hbacsvcs=sshd is not applied successfully for subdomain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: slapi-nis
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Alexander Bokovoy
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-08-31 10:29 UTC by anuja
Modified: 2021-09-03 15:13 UTC (History)

Fixed In Version: slapi-nis-0.56.5-4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 02:51:33 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:4670 | 0 | None | None | None | 2020-11-04 02:51:44 UTC

Description anuja 2020-08-31 10:29:52 UTC
Description of problem:
ipa hbacrule-add-service --hbacsvcs=sshd is not applied successfully.

Version-Release number of selected component (if applicable):
ipa-server-4.8.7-10.module+el8.3.0+7702+ced5f219.x86_64
sssd-ipa-2.3.0-8.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
Establish trust with:
ipa trust-add ad2016.test --admin --range-type=ipa-ad-trust --password --two-way=True

Then:
ipa group-add --desc=0 hbacgroup_external --external
ipa group-add --desc=0 hbacgroup
ipa group-add-member hbacgroup --groups=hbacgroup_external
ipa group-add-member hbacgroup_external --external='aduser1.test' --users='' --groups=''
service sssd stop; rm -rf /var/lib/sssd/{db,mc}/*; service sssd start
ipa hbacrule-add hbacrule_05 --hostcat=all
ipa hbacrule-add-service hbacrule_05 --hbacsvcs=sshd
ipa hbacrule-add-user hbacrule_05 --groups=hbacgroup
ipa hbacrule-disable allow_all

On client :
1.  ssh -l "aduser1.test" client.ipa.test "echo 'login successful'"
Actual results:

[root@client ~]# ssh -l "aduser1.test" client.ipa.test "echo 'login successful'"
Password: 
Connection closed by UNKNOWN port 65535

Expected results:
ssh login should be successful.
Or hbacrule should be applied successfully.

Comment 1 Alexander Bokovoy 2020-08-31 10:37:09 UTC
I did initial investigation using the systems provided by Anuja and it looks like a bug in SSSD. After restarting SSSD on IPA master, a request to resolve group membership for aduser1.test returns 'hbacgroup' group and HBAC rules match on the client. Prior to that, SSSD on IPA master complains that it is in offline mode.

Anuja, please provide all the logs from both systems.

Comment 4 Sumit Bose 2020-09-03 09:38:21 UTC
Hi,

please add directory server logs from the same time as well. The offline mode was caused by a timeout in an ldapsearch operation at 2020-08-31  5:34:24, which timed out after 6s, and a timeout in the following rebind at 2020-08-31  5:34:30, which timed out after 8s.

bye,
Sumit

Comment 22 Alexander Bokovoy 2020-09-12 09:19:16 UTC
PR: https://pagure.io/slapi-nis/pull-request/40

Thierry, please review. It works for me with the reproducer in description. Even though I see messages about sssd being offline while resolving hbacgroup, they eventually stop and sssd is able to process the request and then authorize AD user.

(2020-09-12  9:17:21): [be[ipa.test]] [hbac_user_attrs_to_rule] (0x2000): Added POSIX group [hbacgroup] to rule [hbacrule_05]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [hbacrule_05]
(2020-09-12  9:17:21): [be[ipa.test]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [hbacrule_05]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [hbacrule_05]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_get_category] (0x0200): Category is set to 'all'.
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [hbacrule_05]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
(2020-09-12  9:17:21): [be[ipa.test]] [sss_domain_get_state] (0x1000): Domain ipa.test is Active
(2020-09-12  9:17:21): [be[ipa.test]] [sss_domain_get_state] (0x1000): Domain win2016.test is Active
(2020-09-12  9:17:21): [be[ipa.test]] [sss_domain_get_state] (0x1000): Domain sub1.win2016.test is Active
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x1000): [4] groups for [Administrator.test]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=S-1-5-21-2877222182-2128305802-2069601073-512.test,cn=groups,cn=sub1.win2016.test,cn=sysdb
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=S-1-5-21-2877222182-2128305802-2069601073-513.test,cn=groups,cn=sub1.win2016.test,cn=sysdb
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x0200): Skipping non-IPA group name=S-1-5-21-2877222182-2128305802-2069601073-520.test,cn=groups,cn=sub1.win2016.test,cn=sysdb
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_eval_user_element] (0x1000): Added group [hbacgroup] for user [Administrator]
(2020-09-12  9:17:21): [be[ipa.test]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(2020-09-12  9:17:21): [be[ipa.test]] [sysdb_merge_res_ts_attrs] (0x2000): TS cache doesn't handle this DN type, skipping
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): [< hbac_evaluate()
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_req_debug_print] (0x2000):  REQUEST:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              service [sshd]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              service_group (none)
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              user [Administrator]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              user_group:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):                      [hbacgroup]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              targethost [master.ipa.test]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              targethost_group:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):                      [ipaservers]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              srchost [10.0.155.22]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              srchost_group (none)
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_req_debug_print] (0x2000):          request time 2020-09-12 09:17:21
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         RULE [allow_systemd-user] [ENABLED]:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         services:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 services_names:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                         [systemd-user]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 services_groups (none)
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         users:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         targethosts:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         srchosts:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): The rule [allow_systemd-user] did not match.
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         RULE [hbacrule_05] [ENABLED]:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         services:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 services_names:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                         [sshd]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 services_groups (none)
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         users:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 users_names (none)
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 users_groups:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                         [hbacgroup]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         targethosts:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         srchosts:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): ALLOWED by rule [hbacrule_05].
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): hbac_evaluate() >]
(2020-09-12  9:17:21): [be[ipa.test]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [hbacrule_05]
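The HBAC decision recorded in the log above, as an added example that is not part of the bug report and not code from SSSD or slapi-nis: a small Python (3.8+) parser rebuilds the request and the two rules from the hbac_*_debug_print lines and re-evaluates them with the allow-only semantics SSSD applies (a rule grants access only when its service, user, target-host and source-host elements all match, an element matching on category ALL, on the request's own name, or on any of the request's groups). It then shows the failure mode described in Comment 1: with the AD user's membership in hbacgroup unresolved (SSSD offline on the master), the request carries no groups and the group-based rule cannot match, so access is denied. The function names, the dict layout and the sample log (copied from the dump in Comment 22, with a few lines omitted) are this example's own assumptions.

```python
import re

# One SSSD domain-log line: "(ts): [be[domain]] [function] (level): message"
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\): \[be\[(?P<domain>[^\]]+)\]\] "
                     r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
ELEMENTS = ("services", "users", "targethosts", "srchosts")
REQ_KEYS = {k[:-1]: k for k in ELEMENTS}   # "service" -> "services", "user" -> "users", ...

# Constructed sample: request and rule dumps copied from the SSSD log in Comment 22.
SAMPLE_LOG = """\
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              service [sshd]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              user [Administrator]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              user_group:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):                      [hbacgroup]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              targethost [master.ipa.test]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_request_element_debug_print] (0x2000):              srchost [10.0.155.22]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         RULE [allow_systemd-user] [ENABLED]:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         services:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 services_names:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                         [systemd-user]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 services_groups (none)
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         users:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         targethosts:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         srchosts:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         RULE [hbacrule_05] [ENABLED]:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         services:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 services_names:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                         [sshd]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 services_groups (none)
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         users:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0] [NONE]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 users_groups:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                         [hbacgroup]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         targethosts:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_debug_print] (0x2000):         srchosts:
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_rule_element_debug_print] (0x2000):                 category [0x1] [ALL]
(2020-09-12  9:17:21): [be[ipa.test]] [hbac_evaluate] (0x0100): ALLOWED by rule [hbacrule_05].
"""

def parse_hbac_log(text):
    """Rebuild the request and the rule list from hbac_*_debug_print lines."""
    request = {k: {"name": "", "groups": []} for k in ELEMENTS}
    rules, elem, target = [], None, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"].strip()
        if mm := re.fullmatch(r"RULE \[(.+)\] \[(ENABLED|DISABLED)\]:", msg):
            rules.append({"name": mm[1], "enabled": mm[2] == "ENABLED", "elements":
                          {k: {"all": False, "names": [], "groups": []} for k in ELEMENTS}})
        elif msg.rstrip(":") in ELEMENTS:            # "services:", "users:", ...
            elem = rules[-1]["elements"][msg.rstrip(":")]
        elif mm := re.fullmatch(r"category \[\S+\] \[(ALL|NONE)\]", msg):
            elem["all"] = mm[1] == "ALL"
        elif mm := re.fullmatch(r"(\w+)_(names|groups?):", msg):
            # list header; the bare "[x]" lines that follow belong to this list
            target = (request[REQ_KEYS[mm[1]]]["groups"] if mm[1] in REQ_KEYS
                      else elem[mm[2]])
        elif msg.endswith("(none)"):
            target = None
        elif mm := re.fullmatch(r"\[(.+)\]", msg):
            target.append(mm[1])
        elif (mm := re.fullmatch(r"(\w+) \[(.+)\]", msg)) and mm[1] in REQ_KEYS:
            request[REQ_KEYS[mm[1]]]["name"] = mm[2]   # "user [Administrator]" etc.
    return request, rules

def element_matches(elem, req):
    """An element matches on category ALL, on the request's own name, or on any
    of the request's groups."""
    return (elem["all"] or req["name"] in elem["names"]
            or any(g in elem["groups"] for g in req["groups"]))

def evaluate(rules, request):
    """Allow-only semantics as in SSSD's hbac_evaluate(): the first enabled rule
    whose four elements all match grants access; no matching rule means deny."""
    for rule in rules:
        if rule["enabled"] and all(element_matches(rule["elements"][k], request[k])
                                   for k in ELEMENTS):
            return "ALLOW", rule["name"]
    return "DENY", None

def logged_decision(text):
    """The verdict SSSD itself wrote, to cross-check the model against the log."""
    m = re.search(r"ALLOWED by rule \[(.+?)\]", text)
    return ("ALLOW", m[1]) if m else ("DENY", None)

def demo():
    request, rules = parse_hbac_log(SAMPLE_LOG)
    # Failure mode from Comment 1: with SSSD on the master offline, the AD user's
    # membership in 'hbacgroup' is not resolved, so the request carries no groups
    # and the group-based rule hbacrule_05 cannot match.
    no_groups = {k: dict(v, groups=[]) for k, v in request.items()}
    return evaluate(rules, request), evaluate(rules, no_groups), logged_decision(SAMPLE_LOG)
```

Running `demo()` yields ALLOW by hbacrule_05 for the request as logged, DENY for the same request stripped of its groups, and ALLOW by hbacrule_05 as SSSD's own verdict, so the model agrees with the log and reproduces the symptom seen on the client before the fix. When triaging a similar report, comparing the `user_group:` list in the request dump against the `users_groups:` list of the rule is the quickest way to tell a group-resolution failure from a genuinely non-matching rule.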

Comment 26 Alexander Bokovoy 2020-09-12 10:49:48 UTC
Green upstream CI run: https://dev.azure.com/abbra1freeipa/slapi-nis/_build/results?buildId=484&view=results

Comment 33 Alexander Bokovoy 2020-09-16 14:23:45 UTC
Merged upstream.

Comment 41 errata-xmlrpc 2020-11-04 02:51:33 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670

