Bug 696979 - [REGRESSION] Filters not honoured against fully-qualified users.
Summary: [REGRESSION] Filters not honoured against fully-qualified users.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd
Version: 5.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 696972
Blocks:
Reported: 2011-04-15 13:42 UTC by Stephen Gallagher
Modified: 2015-01-04 23:48 UTC (History)

Fixed In Version: sssd-1.5.1-30.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 696972
Environment:
Last Closed: 2011-07-21 08:10:24 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0975 0 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2011-07-21 08:09:03 UTC

Comment 3 Kaushik Banerjee 2011-05-24 17:22:06 UTC
1. sssd configuration as:
# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root, Group1
filter_users = root, puser1
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3

[domain/default]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://cobra.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
auth_provider = ldap
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc

2. Enumerate the filtered user and group.
# getent -s sss passwd puser1@default
#
# getent -s sss group Group1@default
# 

User and group not enumerated as expected.

3. Auth and execute remote command.
# ssh -l puser1@default localhost uname -a
puser1@default@localhost's password: 
Permission denied, please try again.
puser1@default@localhost's password: 

4. tail -f /var/log/sssd/sssd_nss.log
(Tue May 24 22:47:36 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [puser1] from [default]
(Tue May 24 22:47:36 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/default/puser1]
(Tue May 24 22:47:36 2011) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [puser1] does not exist in [default]! (negative cache)
(Tue May 24 22:47:36 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [puser1] from [default]
(Tue May 24 22:47:36 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/default/puser1]
(Tue May 24 22:47:36 2011) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [puser1] does not exist in [default]! (negative cache)


Verified in version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 34.el5                        Build Date: Tue 03 May 2011 10:46:07 PM IST
Install Date: Tue 10 May 2011 01:20:13 AM IST      Build Host: x86-003.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-34.el5.src.rpm
Size        : 3486753                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
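
The log check from step 4 can be automated. The following is an added example, not part of the original comment or of sssd: it reads filter_users from the [nss] section and reports any filtered user that was requested in sssd_nss.log without being rejected from the negative cache. The function names, the abridged sample input, the restriction to bare (unqualified) names in filter_users, and the reading of a missing negative-cache rejection as a sign that the filter was not applied are all assumptions.

```python
import configparser
import re

# Constructed sample input: abridged from the sssd.conf and sssd_nss.log in the comment above.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = default

[nss]
filter_groups = root, Group1
filter_users = root, puser1
"""
SAMPLE_LOG = """\
(Tue May 24 22:47:36 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [puser1] from [default]
(Tue May 24 22:47:36 2011) [sssd[nss]] [sss_ncache_check_str] (8): Checking negative cache for [NCE/USER/default/puser1]
(Tue May 24 22:47:36 2011) [sssd[nss]] [nss_cmd_getpwnam_search] (2): User [puser1] does not exist in [default]! (negative cache)
"""

# Log line patterns taken from the messages shown in the comment above.
REQUEST = re.compile(
    r"\[nss_cmd_getpwnam\] \(\d+\): Requesting info for \[([^\]]+)\] from \[([^\]]+)\]")
NCACHE_HIT = re.compile(
    r"User \[([^\]]+)\] does not exist in \[([^\]]+)\]! \(negative cache\)")

def filtered_users(conf_text):
    """Return the set of names listed in filter_users of the [nss] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    raw = cp.get("nss", "filter_users", fallback="")
    return {name.strip() for name in raw.split(",") if name.strip()}

def unfiltered_lookups(conf_text, log_text):
    """Return sorted (user, domain) pairs requested for a filtered user but
    never rejected from the negative cache (assumed sign of a filter bypass)."""
    users = filtered_users(conf_text)
    requested, rejected = set(), set()
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m and m.group(1) in users:
            requested.add(m.groups())
        m = NCACHE_HIT.search(line)
        if m:
            rejected.add(m.groups())
    return sorted(requested - rejected)

if __name__ == "__main__":
    print(unfiltered_lookups(SAMPLE_CONF, SAMPLE_LOG))
```

The patterns only match at a debug_level that emits these messages, such as the debug_level = 9 set in the [nss] section above.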

Comment 4 errata-xmlrpc 2011-07-21 08:10:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html

