Description of problem:
IPA Back End :: Source host processing is very costly (it requires us to retrieve the complete list of hosts from the FreeIPA server) and it's inherently unreliable (due to the fact that there is no PAM standard for what applications will send us in the srchost field).

We should add a new option, ipa_hbac_support_srchost, that will default to False. If this option is false, we will perform a much simpler host lookup (just the current host and its parents). This will significantly improve login performance in environments with large numbers of hosts.

When it's false, we should also modify the rules we retrieve to treat srchost as category = ALL (thus meaning it will always match).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Upstream Ticket https://fedorahosted.org/sssd/ticket/1078
Upstream ticket: https://fedorahosted.org/sssd/ticket/1078
verified ::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacsvc-client-bug766876: ipa_hbac_support_srchost is set to false - Case 1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Running 'getent -s sss passwd user766876'
:: [ PASS ] :: Authentication successful for user766876, as expected
:: [ PASS ] :: Running 'ssh_auth_success user766876 testpw123 beast.testrelm.com'
:: [ LOG ] :: Duration: 15s
:: [ LOG ] :: Assertions: 4 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacsvc-client-bug766876: ipa_hbac_support_srchost is set to false - Case 1

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Running 'cat /etc/sssd/sssd.conf'
:: [ PASS ] :: Running 'cat /etc/sssd/sssd.conf'
:: [ PASS ] :: Clearing cache
:: [ PASS ] :: Running 'service sssd restart'
:: [ LOG ] :: Verifies https://bugzilla.redhat.com/show_bug.cgi?id=798317
:: [ PASS ] :: Authentication successful for user766876, as expected
:: [ PASS ] :: Running 'ssh_auth_success user766876 testpw123 beast.testrelm.com'
:: [ PASS ] :: Running 'sed -i 's/ipa_hbac_support_srchost = true/ipa_hbac_support_srchost = false/g' /etc/sssd/sssd.conf'
:: [ PASS ] :: Running 'service sssd restart'
:: [ LOG ] :: Duration: 28s
:: [ LOG ] :: Assertions: 9 good, 0 bad
:: [ PASS ] :: RESULT: ipa-hbacsvc-client-bug766876_2: ipa_hbac_support_srchost is set to true - Case 2

version ::
ipa-client.i686 0:2.2.0-13.el6
ipa-server.i686 0:2.2.0-13.el6
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Evaluation of srchost HBAC rules was never reliable, because it depended on the application talking to SSSD to send the srchost string in an appropriate manner. There was no standardized representation for this, so some apps would send a hostname, some an FQDN, others an IP address and yet others would just pass on whatever the remote machine named itself.
Consequence: Srchost rules are impossible to evaluate properly in a consistent manner. Additionally, evaluating srchost rules causes a significant performance impact on logins as it requires repeated lookups against the FreeIPA server for information about all possible hosts that might be logging in.
Change: SSSD will now ignore srchost rules in HBAC processing by default.
Result: HBAC rule processing is now much faster, along with being more predictable.
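The behaviour described in the bug description and the technical note, modelled as an added Python example. This is not SSSD's code: the rule/request layout, the rule named allow_sshd_from_bastion, the host bastion.testrelm.com and the address 192.0.2.10 are constructed for illustration. It shows why an explicit srchost list matches or fails depending on how the PAM client happens to spell the source host, and how rewriting srchost to category ALL (what ipa_hbac_support_srchost = false does) removes that dependency.

```python
"""Toy model of IPA HBAC evaluation with ipa_hbac_support_srchost on and off.

Added example, not SSSD's own implementation. Rules carry four member sets
(users, hosts, services, srchosts), each either an explicit set or ALL.
"""
from dataclasses import dataclass, replace

ALL = "all"  # stands in for FreeIPA's "<category>Category: all"


@dataclass(frozen=True)
class HbacRule:
    name: str
    users: object = ALL      # frozenset of user names, or ALL
    hosts: object = ALL      # frozenset of target host FQDNs, or ALL
    services: object = ALL   # frozenset of PAM service names, or ALL
    srchosts: object = ALL   # frozenset of source host names, or ALL


@dataclass(frozen=True)
class HbacRequest:
    user: str
    host: str
    service: str
    srchost: str  # whatever the PAM client put in the srchost field; no fixed form


def _matches(value, members) -> bool:
    return members == ALL or value in members


def apply_srchost_setting(rules, support_srchost: bool):
    """Model of what the back end does to rules fetched from the server.

    With ipa_hbac_support_srchost = false (the new default) every rule's
    srchost set is rewritten to category ALL, so the field always matches and
    the full host list never has to be fetched to evaluate it.
    """
    if support_srchost:
        return list(rules)
    return [replace(rule, srchosts=ALL) for rule in rules]


def allowed_rules(rules, req):
    """Names of the rules that allow this request (any one is enough)."""
    return [r.name for r in rules
            if _matches(req.user, r.users) and _matches(req.host, r.hosts)
            and _matches(req.service, r.services)
            and _matches(req.srchost, r.srchosts)]


# Constructed sample rule (hypothetical names): only logins that originate
# from the bastion host are meant to be allowed.
RULES = [HbacRule(
    name="allow_sshd_from_bastion",
    users=frozenset({"user766876"}),
    hosts=frozenset({"beast.testrelm.com"}),
    services=frozenset({"sshd"}),
    srchosts=frozenset({"bastion.testrelm.com"}),
)]


def decide(srchost_as_sent: str, support_srchost: bool) -> bool:
    """True if user766876 may log in via sshd on beast, given the srchost string."""
    req = HbacRequest("user766876", "beast.testrelm.com", "sshd", srchost_as_sent)
    return bool(allowed_rules(apply_srchost_setting(RULES, support_srchost), req))


if __name__ == "__main__":
    # Three ways different PAM clients might report the same source host:
    # FQDN, short name, or the peer's IP address.
    for sent in ("bastion.testrelm.com", "bastion", "192.0.2.10"):
        print(f"{sent:22} srchost on: {decide(sent, True)!s:5}  off: {decide(sent, False)}")
```

With the option on, only the client that happens to send the FQDN is allowed; the other two are denied by a rule the administrator intended to match them. With the option off, all three are allowed because srchost no longer participates in the decision, which is also why the rule's srchost list should not be relied on as a control once the default changes.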
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html