Bug 841677 - hbac rules fail sssd | ipa
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd
Version: 5.8
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Stephen Gallagher
QA Contact: Kaushik Banerjee
Depends On:
Blocks: 743405
Reported: 2012-07-19 16:26 EDT by vmarceloe
Modified: 2013-01-08 02:24 EST (History)

See Also:
Fixed In Version: sssd-1.5.1-57.el5
Doc Type: Bug Fix
Doc Text:
Cause: The version of SSSD shipped in RHEL 5.8 did not contain the option to disable source host processing.
Consequence: If the IPA server contained a large number of hosts, the LDAP query that was retrieving them would hit the administrative limit of the LDAP server and abort.
Fix: The ipa_hbac_support_srchost option was backported, defaulting to "False" (do not support source hosts).
Result: HBAC works even for clients that are connecting to a very large database.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-08 02:24:24 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
SSSD log, sshd login attempt transaction (7.41 KB, text/plain)
2012-07-19 16:27 EDT, vmarceloe
sssd log, debug level 8 (545.76 KB, text/plain)
2012-07-20 09:35 EDT, vmarceloe

Description vmarceloe 2012-07-19 16:26:51 EDT
Description of problem:
RHEL 5.8 x86_64 client can't authenticate users due to what seem like failed hbac lookups.

IPA server:
RHEL 6.3 x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64

[root@ipa1 ~]# ipa hbacrule-show --all
Rule name: testgroup
  dn: ipauniqueid=22890f82-d046-11e1-b445-005056b005e3,cn=hbac,dc=testdomain,dc=com
  Rule name: testgroup
  Source host category: all
  Service category: all
  Description: Get there users can only access get there servers
  Enabled: TRUE
  Users: marcelo
  Hosts: sandbox5.testdomain.com, sandbox6.testdomain.com
  accessruletype: allow
  ipauniqueid: 22890f82-d046-11e1-b445-005056b005e3
  objectclass: ipaassociation, ipahbacrule


Client:
RHEL 5.9 x86_64
sssd-client-1.5.1-49.el5_8.1
sssd-1.5.1-49.el5_8.1

How reproducible:
Always

Steps to Reproduce:
1. Create a hbac rule specifying user and hosts for allowing access, any service, from any host
2. Try to log in to a RHEL 5.8 client
3. Fail
  
Actual results:
Connection closed by 10.14.53.11


Expected results:
Being able to access the system.

Additional info:
Same configuration in IPA works on 6.x clients.
Comment 1 vmarceloe 2012-07-19 16:27:50 EDT
Created attachment 599235 [details]
SSSD log, sshd login attempt transaction
Comment 2 Jakub Hrozek 2012-07-20 05:32:01 EDT
Can you please raise the debug_level in the "[domain/testdomain.com]" section to 8, restart the SSSD and run your test again?

This log message:
----
(Thu Jul 19 15:13:37 2012) [sssd[be[testdomain.com]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Size limit exceeded(4), (null)
----

is indicating that one of the searches performed returned more entries than a single search page allows, but without more debug info it's hard to tell which one.

The default page size is 1000 entries; can you try setting it to a higher number?

This debug message:
----
(Thu Jul 19 15:13:37 2012) [sssd[be[testdomain.com]]] [hbac_get_rule_info_step] (1): Could not locate IPA host
----

tells that there was an IPA host that lacks the FQDN attribute. That's quite strange, because the attribute is part of the RDN. Maybe the search results were not correct after SSSD hit the size limit.

More verbose debug logs should shed more light.
Comment 3 vmarceloe 2012-07-20 09:35:38 EDT
Created attachment 599394 [details]
sssd log, debug level 8
Comment 4 vmarceloe 2012-07-20 09:40:54 EDT
Increased page size to 10000 and setup debug level 8

(In reply to comment #3)
> Created attachment 599394 [details]
> sssd log, debug level 8
Comment 5 Jakub Hrozek 2012-07-20 10:13:49 EDT
How many hosts do you have stored on your IPA server?
Comment 6 vmarceloe 2012-07-20 10:16:52 EDT
I have around 9000+ hosts on it and will probably need to add around the same amount of users from corporate AD. The strange thing is that this works fine on RHEL 6.3 clients.
Comment 7 Jakub Hrozek 2012-07-23 05:52:30 EDT
I'll set up a similarly big test environment on RHEL5 during today in order to reproduce the issue locally.
Comment 8 Stephen Gallagher 2012-08-07 15:53:14 EDT
So it looks like what happened here is that he hit the upper limit on his LDAP server when trying to download the full list of hosts for srchost processing.

What I think we need to do is backport the patches that disabled srchost processing in SSSD by default so that we can skip this massive lookup.

A non-exhaustive list of the patches involved:

 * 6fb75e297bf7fc83e3db1f5ae8560624656ef319
 * 74f857536411b46712f9b3dc0f1c53924b36dc02


There may be others, but these are definitely necessary.
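As an added illustration, not taken from the bug report or from the SSSD project, this is how the client-side settings discussed in comments 2 and 8 would look in /etc/sssd/sssd.conf on the RHEL 5 client. The ipa_server value and the provider lines are assumed typical IPA client settings; ldap_page_size is assumed to be the option comment 2 calls the "page size".

```ini
# Added example, not from the bug report: sssd.conf on the RHEL 5 client.
[sssd]
services = nss, pam
domains = testdomain.com

[domain/testdomain.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = testdomain.com
# Assumed server FQDN, taken from the prompt in the report.
ipa_server = ipa1.testdomain.com

# Comment 2: raise logging so the log shows which search overruns a page.
debug_level = 8

# Comment 2 / comment 4: raising the client page size alone did not help here,
# because the 9000+ host entries still exceeded the server's own size limit.
ldap_page_size = 10000

# Comment 8 / Doc Text: with sssd-1.5.1-57.el5 or later, source-host
# processing is off by default, so the full host list is never downloaded
# during HBAC evaluation. Setting this to True re-enables that large lookup
# and would reproduce the original failure against a big host database.
ipa_hbac_support_srchost = False
```

Comment 15 below verifies the same behaviour: with the option left at False, a source host not listed in the rule (vm3) is still allowed, because source hosts are no longer evaluated.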
Comment 9 RHEL Product and Program Management 2012-08-07 16:08:56 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 10 Jenny Galipeau 2012-08-10 09:39:25 EDT
IPA functional HBAC tests cover the fix in RHEL 6; porting them to run against a RHEL 5 client is complete.
Comment 15 Scott Poore 2012-09-05 12:53:17 EDT
Verified.

Version::
sssd-1.5.1-58.el5

Manual Verification::

vm1 = RHEL6.3 MASTER
vm2 = RHEL5.9 CLIENT
vm3 = RHEL5.9 CLIENT

[root@vm2 sssd]# yum update sssd
...
Updated:
  sssd.x86_64 0:1.5.1-58.el5

Dependency Updated:
  libipa_hbac.x86_64 0:1.5.1-58.el5       sssd-client.x86_64 0:1.5.1-58.el5

Complete!

[root@vm2 ~]# man sssd-ipa|cat|col -bx | grep "ipa_hbac_support_srchost.*(boolean)"
       ipa_hbac_support_srchost (boolean)

[root@vm3 ~]# yum update sssd
...
Updated:
  sssd.x86_64 0:1.5.1-58.el5

Dependency Updated:
  libipa_hbac.x86_64 0:1.5.1-58.el5       sssd-client.x86_64 0:1.5.1-58.el5

[root@vm1 ~]# ipa user-add user841677 --first=first --last=last
-----------------------
Added user "user841677"
-----------------------
  User login: user841677
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/user841677
  GECOS field: first last
  Login shell: /bin/sh
  Kerberos principal: user841677@TESTRELM.COM
  UID: 664600012
  GID: 664600012
  Password: False
  Kerberos keys available: False

[root@vm1 ~]# ipa passwd user841677
New Password: 
Enter New Password again to verify: 
----------------------------------------------
Changed password for "user841677@TESTRELM.COM"
----------------------------------------------

[root@vm1 ~]# kinit user841677
Password for user841677@TESTRELM.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@vm1 ~]# kinit admin
Password for admin@TESTRELM.COM: 

[root@vm1 ~]# ipa hbacrule-add rule841677
----------------------------
Added HBAC rule "rule841677"
----------------------------
  Rule name: rule841677
  Enabled: TRUE

[root@vm1 ~]# ipa hbacrule-add-service rule841677 --hbacsvcs=sshd
  Rule name: rule841677
  Enabled: TRUE
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa hbacrule-add-user rule841677 --users=user841677
  Rule name: rule841677
  Enabled: TRUE
  Users: user841677
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa hbacrule-add-host rule841677 --hosts=vm2.testrelm.com
  Rule name: rule841677
  Enabled: TRUE
  Users: user841677
  Hosts: vm2.testrelm.com
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa hbacrule-add-sourcehost rule841677 --hosts=vm1.testrelm.com,vm2.testrelm.com
  Rule name: rule841677
  Enabled: TRUE
  Users: user841677
  Hosts: vm2.testrelm.com
  Source Hosts: vm1.testrelm.com, vm2.testrelm.com
  Services: sshd
-------------------------
Number of members added 2
-------------------------

[root@vm1 ~]# ssh user841677@vm2.testrelm.com "hostname"
The authenticity of host 'vm2.testrelm.com (192.168.122.102)' can't be established.
RSA key fingerprint is 94:d8:41:6c:cf:a8:1e:63:bb:52:d5:db:86:0f:a3:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vm2.testrelm.com,192.168.122.102' (RSA) to the list of known hosts.
user841677@vm2.testrelm.com's password: 
vm2.testrelm.com

[root@vm2 ~]# ssh user841677@vm2.testrelm.com "hostname"
user841677@vm2.testrelm.com's password: 
vm2.testrelm.com

[root@vm3 ~]# ssh user841677@vm2.testrelm.com "hostname"
user841677@vm2.testrelm.com's password: 
vm2.testrelm.com

# So, vm3 was not included as a srchost in rule841677, but the ssh was allowed from there. Thus, it looks like this passed.
Comment 17 errata-xmlrpc 2013-01-08 02:24:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0047.html
