Bug 841677
| Field | Value |
|---|---|
| Summary | hbac rules fail sssd \| ipa |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | vmarceloe |
| Component | sssd |
| Assignee | Stephen Gallagher <sgallagh> |
| Status | CLOSED ERRATA |
| QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 5.8 |
| CC | chhudson, cww, dpal, grajaiya, jgalipea, jhrozek, spoore |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | sssd-1.5.1-57.el5 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-01-08 07:24:24 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 743405 |
| Attachments | |

Doc Text:

Cause: The version of SSSD shipped in RHEL5.8 did not contain the option to disable source hosts processing.

Consequence: If the IPA server contained a large number of hosts, the LDAP query that was retrieving them would hit the administration limit of the LDAP server and abort.

Fix: The ipa_hbac_support_srchost option was backported, defaulting to "False" (do not support source hosts).

Result: HBAC works even for clients that are connecting to a very large database.
Description
vmarceloe
2012-07-19 20:26:51 UTC
Created attachment 599235 [details]
SSSD log, sshd login attempt transaction

Can you please raise the debug_level in the "[domain/testdomain.com]" section to 8, restart the SSSD and run your test again? This log message:

----
(Thu Jul 19 15:13:37 2012) [sssd[be[testdomain.com]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Size limit exceeded(4), (null)
----

is indicating that one of the searches performed returned more entries than a single search page allows, but without more debug info it's hard to tell which one. The default page size is 1000 entries, can you try setting it to a higher number?

This debug message:

----
(Thu Jul 19 15:13:37 2012) [sssd[be[testdomain.com]]] [hbac_get_rule_info_step] (1): Could not locate IPA host
----

tells that there was an IPA host that lacks the FQDN attribute. That's quite strange, because the attribute is part of the RDN. Maybe the search results were not correct after SSSD hit the size limit. More verbose debug logs should shed more light.

Created attachment 599394 [details]
sssd log, debug level 8

Increased page size to 10000 and set up debug level 8.

(In reply to comment #3)
> Created attachment 599394 [details]
> sssd log, debug level 8

How many hosts do you have stored on your IPA server?

I have around 9000+ hosts on it and will probably need to add around the same amount of users from corporate AD. The strange thing is that this works fine in rhel 6.3 clients.

I'll set up a similarly big test environment on RHEL5 during today in order to reproduce the issue locally.

So it looks like what happened here is that he hit the upper limit on his LDAP server when trying to download the full list of hosts for srchost processing. What I think we need to do is backport the patches that disabled srchost processing in SSSD by default so that we can skip this massive lookup. A non-exhaustive list of the patches involved:

* 6fb75e297bf7fc83e3db1f5ae8560624656ef319
* 74f857536411b46712f9b3dc0f1c53924b36dc02

There may be others, but these are definitely necessary.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

IPA functional HBAC tests cover the fix in RHEL 6; porting to be able to run against a RHEL 5 client is completed.

Verified.
Version::
sssd-1.5.1-58.el5
Manual Verification::
vm1 = RHEL6.3 MASTER
vm2 = RHEL5.9 CLIENT
vm3 = RHEL5.9 CLIENT
[root@vm2 sssd]# yum update sssd
...
Updated:
sssd.x86_64 0:1.5.1-58.el5
Dependency Updated:
libipa_hbac.x86_64 0:1.5.1-58.el5 sssd-client.x86_64 0:1.5.1-58.el5
Complete!
[root@vm2 ~]# man sssd-ipa|cat|col -bx | grep "ipa_hbac_support_srchost.*(boolean)"
ipa_hbac_support_srchost (boolean)
[root@vm3 ~]# yum update sssd
...
Updated:
sssd.x86_64 0:1.5.1-58.el5
Dependency Updated:
libipa_hbac.x86_64 0:1.5.1-58.el5 sssd-client.x86_64 0:1.5.1-58.el5
[root@vm1 ~]# ipa user-add user841677 --first=first --last=last
-----------------------
Added user "user841677"
-----------------------
User login: user841677
First name: first
Last name: last
Full name: first last
Display name: first last
Initials: fl
Home directory: /home/user841677
GECOS field: first last
Login shell: /bin/sh
Kerberos principal: user841677
UID: 664600012
GID: 664600012
Password: False
Kerberos keys available: False
[root@vm1 ~]# ipa passwd user841677
New Password:
Enter New Password again to verify:
----------------------------------------------
Changed password for "user841677"
----------------------------------------------
[root@vm1 ~]# kinit user841677
Password for user841677:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@vm1 ~]# kinit admin
Password for admin:
[root@vm1 ~]# ipa hbacrule-add rule841677
----------------------------
Added HBAC rule "rule841677"
----------------------------
Rule name: rule841677
Enabled: TRUE
[root@vm1 ~]# ipa hbacrule-add-service rule841677 --hbacsvcs=sshd
Rule name: rule841677
Enabled: TRUE
Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@vm1 ~]# ipa hbacrule-add-user rule841677 --users=user841677
Rule name: rule841677
Enabled: TRUE
Users: user841677
Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@vm1 ~]# ipa hbacrule-add-host rule841677 --hosts=vm2.testrelm.com
Rule name: rule841677
Enabled: TRUE
Users: user841677
Hosts: vm2.testrelm.com
Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@vm1 ~]# ipa hbacrule-add-sourcehost rule841677 --hosts=vm1.testrelm.com,vm2.testrelm.com
Rule name: rule841677
Enabled: TRUE
Users: user841677
Hosts: vm2.testrelm.com
Source Hosts: vm1.testrelm.com, vm2.testrelm.com
Services: sshd
-------------------------
Number of members added 2
-------------------------
[root@vm1 ~]# ssh user841677.com "hostname"
The authenticity of host 'vm2.testrelm.com (192.168.122.102)' can't be established.
RSA key fingerprint is 94:d8:41:6c:cf:a8:1e:63:bb:52:d5:db:86:0f:a3:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm2.testrelm.com,192.168.122.102' (RSA) to the list of known hosts.
user841677.com's password:
vm2.testrelm.com
[root@vm2 ~]# ssh user841677.com "hostname"
user841677.com's password:
vm2.testrelm.com
[root@vm3 ~]# ssh user841677.com "hostname"
user841677.com's password:
vm2.testrelm.com
# So, vm3 was not included as a srchost in the rule841677 but the ssh was allowed from there. Thus, it looks like this passed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0047.html
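As an added example (not part of this bug report or of SSSD itself), the following Python script scans constructed sssd domain-log lines for the failure pattern discussed in the comments above, an LDAP "Size limit exceeded(4)" result from sdap_get_generic_done followed by hbac_get_rule_info_step failing to locate the IPA host, and emits the sssd.conf fragment that applies the backported ipa_hbac_support_srchost fix. The sample lines and the domain name testdomain.com are modelled on the excerpts quoted in the thread; the function names parse_log, diagnose and remediation are my own.

```python
import re

# Constructed sample log lines, modelled on the two sssd domain-log messages
# quoted in this bug (not copied from the reporter's attachment). The third
# line is a benign search result that the diagnosis must ignore.
SAMPLE_LOG = """\
(Thu Jul 19 15:13:37 2012) [sssd[be[testdomain.com]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Size limit exceeded(4), (null)
(Thu Jul 19 15:13:37 2012) [sssd[be[testdomain.com]]] [hbac_get_rule_info_step] (1): Could not locate IPA host
(Thu Jul 19 15:13:38 2012) [sssd[be[testdomain.com]]] [sdap_get_generic_done] (6): Search result: Success(0), no errmsg set
"""

# One sssd 1.5 domain-log line: "(timestamp) [sssd[be[domain]]] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)


def parse_log(text):
    """Parse domain-log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def diagnose(entries):
    """Flag the srchost failure pattern: LDAP sizeLimitExceeded (result code 4)
    during a generic search, followed by HBAC failing to locate the IPA host."""
    size_limit = [e for e in entries
                  if e["func"] == "sdap_get_generic_done"
                  and "Size limit exceeded(4)" in e["msg"]]
    no_host = [e for e in entries
               if e["func"] == "hbac_get_rule_info_step"
               and "Could not locate IPA host" in e["msg"]]
    domains = sorted({e["domain"] for e in size_limit + no_host})
    return {
        "size_limit_hits": len(size_limit),
        "missing_host_hits": len(no_host),
        "srchost_overflow_suspected": bool(size_limit) and bool(no_host),
        "domains": domains,
    }


def remediation(domain):
    """sssd.conf fragment applying the fix this erratum backports: stop
    downloading every IPA host for source-host evaluation (the option's
    default in the fixed package is already False)."""
    return f"[domain/{domain}]\nipa_hbac_support_srchost = False\n"


if __name__ == "__main__":
    report = diagnose(parse_log(SAMPLE_LOG))
    print(report)
    for d in report["domains"]:
        print(remediation(d))
```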