Red Hat Bugzilla – Bug 696972
[REGRESSION] Filters not honoured against fully-qualified users.
Last modified: 2015-01-04 18:48:06 EST
Description of problem:

Version-Release number of selected component (if applicable):
sssd-1.5.1-28.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Use "filter_users = root, puser1" in sssd.conf (see Additional info for sssd.conf)
2. restart sssd clearing cache.
3. getent -s sss passwd puser1 - enumeration fails as expected.
4. getent -s sss passwd puser1@LDAP - enumeration succeeds, not as expected.
5. # ssh -l puser1 localhost
   puser1@localhost's password:
   Permission denied, please try again, as expected
6. # ssh -l puser1@LDAP localhost uname -a
   puser1@LDAP@localhost's password:
   id: cannot find name for group ID 1001
   id: cannot find name for user ID 1001
   Linux gsr.redhat.com 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

Actual results:
- Authentication successful and remote command executed successfully.

Expected results:
- Permission denied as the user is filtered out.

Additional info:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LDAP

[nss]
filter_groups = root, Group1
filter_users = root, puser1
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
ldap_group_nesting_level = 4
cache_credentials = true
enumerate = false
debug_level = 9
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok_type = password
ldap_default_authtok = Secret123
Relevant sssd.conf section:

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
ldap_group_nesting_level = 4
cache_credentials = true
enumerate = false
debug_level = 9
ldap_default_bind_dn = cn=Directory Manager
ldap_default_authtok_type = password
ldap_default_authtok = Secret123
filter_groups = root, Group1
filter_users = root, puser1

# getent -s sss passwd puser1@LDAP
# getent group Group1@LDAP
# User not enumerated, as expected.

# ssh -l puser1@LDAP localhost uname -a
puser1@LDAP@localhost's password:
Permission denied, please try again.

/var/log/sssd/sssd_nss.log:
(Mon Apr 18 17:57:55 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [puser1] from [LDAP]
(Mon Apr 18 17:57:55 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/LDAP/puser1]
(Mon Apr 18 17:57:55 2011) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [puser1] does not exist in [LDAP]! (negative cache)
(Mon Apr 18 17:57:55 2011) [sssd[nss]] [client_recv] (5): Client disconnected!

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 30.el6                        Build Date: Fri 15 Apr 2011 09:37:47 PM IST
Install Date: Mon 18 Apr 2011 05:36:41 PM IST      Build Host: x86-005.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-30.el6.src.rpm
Size        : 3464053                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
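The regression above comes down to name normalisation: the filter was matched against the literal request string, so "puser1" was blocked while "puser1@LDAP" was not. The following is an added illustration, not sssd code, that models the two behaviours side by side on a constructed sssd.conf fragment (the config parsing, the split_name helper and the function names are assumptions for this example; the filtered-user and domain values are the ones from the report).

```python
import configparser

# Constructed sssd.conf fragment mirroring the report: a global [nss]
# filter plus the same filter repeated in the [domain/LDAP] section.
SSSD_CONF = """
[sssd]
domains = LDAP
[nss]
filter_users = root, puser1
[domain/LDAP]
id_provider = ldap
filter_users = root, puser1
"""


def load_config(text):
    """Return (domain list, {'*': global filter_users, '<domain>': domain filter_users})."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    domains = [d.strip() for d in cfg.get("sssd", "domains").split(",") if d.strip()]
    filters = {}
    for section in cfg.sections():
        raw = cfg.get(section, "filter_users", fallback="")
        names = {n.strip() for n in raw.split(",") if n.strip()}
        if section == "nss":
            filters["*"] = names
        elif section.startswith("domain/"):
            filters[section[len("domain/"):]] = names
    return domains, filters


def split_name(name, domains):
    """Split 'user@DOMAIN' into (user, domain); unqualified or unknown-domain names get None."""
    user, sep, dom = name.rpartition("@")
    if sep and dom in domains:
        return user, dom
    return name, None  # no '@' or unknown domain: the whole string is the user name


def is_filtered_buggy(name, domains, filters):
    """Models the regression: the raw request string is compared, so 'puser1@LDAP' slips past."""
    return name in filters.get("*", set())


def is_filtered(name, domains, filters):
    """Expected behaviour: normalise to the short name, then check global and per-domain filters."""
    user, dom = split_name(name, domains)
    if user in filters.get("*", set()):
        return True
    scope = [dom] if dom else domains
    return any(user in filters.get(d, set()) for d in scope)
```

A regression test for this bug need only assert that `is_filtered` answers the same for `puser1` and `puser1@LDAP`; any lookup path that bypasses the normalisation step reproduces the original report.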
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2011-0560.html