Bug 2102852
| Summary: | 'ipa hbactest' fails (shows 'False') for trusted AD users if nested groups are used in HBAC rules (though actual login access works) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Akshay Sakure <asakure> |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED MIGRATED | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.9 | CC: | pkulkarn, rakkumar, rcritten, tscherf |
| Target Milestone: | rc | Keywords: | MigratedToJIRA |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-09-18 20:32:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Can you provide more details? Are the groups defined on AD side or on IdM side? If they are on AD side, did the customer define an external group on IdM side containing the AD group AND a posix group on IdM side containing the external group? Please share the output of ipa group-show for the relevant groups. Is the trust a POSIX trust or non-POSIX trust (ie with SID mapping)? So far I wasn't able to reproduce the issue. Example with - a user defined in AD: aduser - in AD, the user is a member of the group adrolegroup - in AD, the group is a member of the group addelegationgroup On IdM side: - trust created with AD as a non-posix trust - external group addelegationgroup_ext that contains addelegationgroup: ipa group-add --external addelegationgroup_ext ipa group-add-member addelegationgroup_ext --external addelegationgroup - posix group addelegationgroup_posix that contains the external group addelegationgroup_ext ipa group-add addelegationgroup_posix ipa group-add-member addelegationgroup_posix --groups addelegationgroup_ext - HBAC rule applying to the posix group, allwing access to the host master.testrelm.test: ipa hbacrule-add access_to_master --servicecat=all ipa hbacrule-add-host access_to_master --hosts master.testrelm.test ipa hbacrule-add-user --groups addelegationgroup_posix access_to_master - Testing of the HBAC rule: ipa hbactest --user aduser --host master.testrelm.test --service ssh -------------------- Access granted: True -------------------- Matched rules: access_to_master Not matched rules: allow_systemd-user Packages: ipa-server-4.6.8-5.el7_9.11.x86_64 sssd-client-1.16.5-10.el7_9.13.x86_64 Please also note that if the format AD.TEST\aduser is used in the command, you need to escape the \ (either with another \ or by using quotes): [root@master ~]# ipa hbactest --user AD.TEST\aduser --host master.testrelm.test --service ssh --------------------- Access granted: False --------------------- Not matched rules: access_to_master Not matched rules: allow_systemd-user [root@master ~]# ipa hbactest --user AD.TEST\\aduser --host master.testrelm.test --service ssh -------------------- Access granted: True -------------------- Matched rules: access_to_master Not matched rules: allow_systemd-user [root@master ~]# ipa hbactest --user 'AD.TEST\aduser' --host master.testrelm.test --service ssh -------------------- Access granted: True -------------------- Matched rules: access_to_master Not matched rules: allow_systemd-user The customer is using a wrong format when providing the AD users: ipa hbactest --user=odin.prod//b10052674 --host=srv01200.linux.odin.prod --service=sshd The right formats are either b10052674 or odin.prod\\b10052674 (with anti-slash, not slash). Please retry with the right format and update the case with fresh sos reports if the failure still happens. Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information. |
Description of problem: 'ipa hbactest' fails (shows 'False') for trusted AD users if nested groups are used in HBAC rules (but actual login access works) Version-Release number of selected component (if applicable): ipa-admintools-4.4.0-14.el7_3.7.noarch.rpm ipa-server-4.6.8-5.el7_9.11.x86_64.rpm How reproducible: Always Steps to Reproduce: AD delegation groups -----> AD role groups -----> AD users \ \---------------> other AD delegation group (HBAC rule applied on AD delegation group work but hbactest fails) Actual results: HBAC test fails but actual authentication/access works based on HBAC rule. Expected results: HBAC rule should pass and show results as "True". Additional info: