869678 – sssd not granting access for AD trusted user in HBAC rule

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 869678 - sssd not granting access for AD trusted user in HBAC rule

Summary: sssd not granting access for AD trusted user in HBAC rule

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	6.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-10-24 14:34 UTC by Scott Poore
Modified:	2020-05-02 17:03 UTC (History)
CC List:	7 users (show)
Fixed In Version:	sssd-1.9.2-11.el6
Doc Type:	Bug Fix
Doc Text:	No Documentation Needed
Clone Of:
Environment:
Last Closed:	2013-02-21 09:38:24 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
sssd log with kinit and ssh (121.82 KB, application/octet-stream) 2012-10-24 14:34 UTC, Scott Poore	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2646	0	None	closed	sssd not granting access for AD trusted user in HBAC rule	2020-09-29 07:01:18 UTC
Red Hat Product Errata	RHSA-2013:0508	0	normal	SHIPPED_LIVE	Low: sssd security, bug fix and enhancement update	2013-02-20 21:30:10 UTC

Description Scott Poore 2012-10-24 14:34:44 UTC

Created attachment 632827 [details]
sssd log with kinit and ssh

Description of problem:

I can't log into IPA client (running sssd) with an AD trusted user when there is an HBAC rule in place.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Setup IPA Master (rhel6-1)
2. Setup AD Server (w2k8r2-1) and create testgroup and testuser1 as member of testgroup
2.0.  ipa dnszone-add adtestdom.com --name-server=w2k8r2-1.adtestdom.com --admin-email="hostmaster" --forwarder=192.168.122.21 --forward-policy=only --force
2.1.  ipa-adtrust-install
2.2.  ipa trust-add adtestdom.com --admin Administrator --password
3. ipa group-add --desc='adtestdom.com testgroup external map' adtestdom_testgroup_external --external
4. ipa group-add --desc='adtestdom.com testgroup' adtestdom_testgroup
5. wbinfo -n "ADTESTDOM\testgroup"
6. ipa group-add-member adtestdom_testgroup_external --external S-1-5-21-1246088475-3077293710-2580964704-1132
7. ipa hbacrule-add --desc=test test
8. ipa hbacrule-add-host --hosts=rhel6-1.testrelm.com test
9. ipa hbacrule-add-sourcehost test --hosts=w2k8r2-3.adtestdom.com
note that the sourcehost will be ignored now so this shouldn't be necessary
10. ipa hbacrule-add-service --hbacsvcs=sshd  test
11. ipa hbacrule-add-user test --groups=adtestdom_testgroup
12. kinit testuser1
13. ssh -K -l testuser1 rhel6-1

Note that some of the above procedures were just taken from history so I hope I got it all there.
  
Actual results:

[root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\testgroup"
S-1-5-21-1246088475-3077293710-2580964704-1132 SID_DOM_GROUP (2)

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup_external
  Group name: adtestdom_testgroup_external
  Description: adtestdom.com testgroup external map
  Member of groups: adtestdom_testgroup
  Indirect Member of HBAC rule: test
  External member: S-1-5-21-1246088475-3077293710-2580964704-1132

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup
  Group name: adtestdom_testgroup
  Description: adtestdom.com testgroup
  GID: 1277200031
  Member groups: adtestdom_testgroup_external
  Member of HBAC rule: test

[root@rhel6-1 ~]# ipa hbacrule-show test
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Hosts: rhel6-1.testrelm.com
  Services: sshd
  External host: w2k8r2-3.adtestdom.com

[root@rhel6-1 ~]# kinit testuser1
Password for testuser1: 

[root@rhel6-1 ~]# ssh -K -l testuser1 rhel6-1
Connection closed by UNKNOWN

[root@rhel6-1 ~]#

Expected results:

ssh works and logs user into host.

Additional info:

/var/log/sssd/sssd_testrelm.com.log entries:

(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): No such entry
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule] (0x2000): Added non-POSIX group [adtestdom_testgroup] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test]

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [test]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_host_attrs_to_rule] (0x2000): Added host [rhel6-1.testrelm.com] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_eval_user_element] (0x1000): No groups for [testuser1]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sending result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sent result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1e2e710], connected[1], ops[(nil)], ldap[0x1e37040]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 1E00180
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.

Comment 2 Scott Poore 2012-10-24 15:19:45 UTC

Not after step 4 you need to do this:

ipa group-add-members adtestdom_testgroup --groups=adtestdom_testgroup_external

Comment 3 Scott Poore 2012-10-24 16:06:38 UTC

Here's a little more info...not sure if it helps:

So, SSSD HBAC matching was searching for this?

(Wed Oct 24 11:53:28 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

But couldn't find it?

(Wed Oct 24 11:53:28 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): No such entry


Here's what I see in LDAP:

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com"
dn: cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com
member: cn=adtestdom_testgroup_external,cn=groups,cn=accounts,dc=testrelm,dc=c
 om
memberOf: ipauniqueid=1d777416-1d85-11e2-845c-525400555d2f,cn=hbac,dc=testrelm
 ,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1941887706-3747460317-4235707753-1031
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
description: adtestdom.com testgroup
cn: adtestdom_testgroup
ipaUniqueID: 2c390d9c-1ddb-11e2-89d3-525400555d2f
gidNumber: 1277200031

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtestdom_testgroup_external,cn=groups,cn=accounts,dc=testrelm,dc=com"
dn: cn=adtestdom_testgroup_external,cn=groups,cn=accounts,dc=testrelm,dc=com
memberOf: cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com
memberOf: ipauniqueid=1d777416-1d85-11e2-845c-525400555d2f,cn=hbac,dc=testrelm
 ,dc=com
ipaExternalMember: S-1-5-21-1246088475-3077293710-2580964704-1132
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: ipaexternalgroup
description: adtestdom.com testgroup external map
cn: adtestdom_testgroup_external
ipaUniqueID: 215ec470-1ddb-11e2-8cdf-525400555d2f

But, looking close at the filter SSSD log mentioned, the group doesn't have a group objectClass set?

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com" objectclass=group
[root@rhel6-1 ~]# 

If I create a new group though it doens't either?

[root@rhel6-1 ~]# ipa group-add --desc=test testlocal
-----------------------
Added group "testlocal"
-----------------------
  Group name: testlocal
  Description: test
  GID: 1277200032

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=testlocal,cn=groups,cn=accounts,dc=testrelm,dc=com" objectclass=group

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=testlocal,cn=groups,cn=accounts,dc=testrelm,dc=com"
dn: cn=testlocal,cn=groups,cn=accounts,dc=testrelm,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1941887706-3747460317-4235707753-1032
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
description: test
cn: testlocal
ipaUniqueID: 7fb4a454-1df4-11e2-8217-525400555d2f
gidNumber: 1277200032

So, is this a problem with how groups are getting created/set or how the SSSD HBAC filtering is occurring?  Or something else altogether?

Comment 4 Sumit Bose 2012-10-24 16:35:57 UTC

Sorry, you are looking at two different directory trees. The search filter "(&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))" is for the local sssd cache, not for the LDAP server. You can see this by the sysdb_ prefix in the name of the function. The local sssd cache is organized as a directory tree, but is not a copy of the tree of the LDAP server.

You can use 'ldbsearch H /var/lib/sss/db/cache_testrelm.com.ldb <filter>' to search the local cache.

Comment 5 Scott Poore 2012-10-24 16:45:42 UTC

Ah, ok.

[root@rhel6-1 ~]# ldbsearch -H /var/lib/sss/db/cache_testrelm.com.ldb "(&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))"
asq: Unable to register control with rootdse!
# record 1
dn: name=adtestdom_testgroup,cn=groups,cn=testrelm.com,cn=sysdb
createTimestamp: 1351091602
gidNumber: 1277200031
name: adtestdom_testgroup
objectClass: group
isPosix: TRUE
originalDN: cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com
originalModifyTimestamp: 20121024131126Z
entryUSN: 1405
lastUpdate: 1351091602
dataExpireTimestamp: 1351097002
member: name=testuser1,cn=users,cn=adtestdom.com,cn=sysdb
memberuid: testuser1
distinguishedName: name=adtestdom_testgroup,cn=groups,cn=testrelm.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Comment 6 Stephen Gallagher 2012-10-24 17:16:37 UTC

Ok, I dug into this today and found the root cause.

The relevant line from the log is this:
(Wed Oct 24 10:33:23 2012) [sssd[be[testrelm.com]]] [hbac_eval_user_element] (0x1000): No groups for [testuser1]

Reading the source, the only way this can happen is if the user has no "originalMemberOf" attributes in the sysdb cache. We look for this attribute as a way to "cheat" and shortcut lookups for groups the user belongs to.

For FreeIPA users (those that aren't coming from trust relationships), we have a guarantee that the LDAP entry for the user will contain memberOf attributes for ALL objects for which the use is a member. We then use some hackish DN comparisons to narrow that list down to actual group objects.

However, when users are added to our cache through the trust lookup, they are not coming from LDAP and therefore do not have the originalMemberOf attribute. As a result, the user appears to be a member of no groups, and thus they do not pass HBAC rules requiring group membership. The cache does have correct links to the FreeIPA groups, though.

There are two ways we could solve this bug that I see.

1) When saving the user, we could add "fake" originalMemberOf attributes by copying in the originalMemberOf attributes from any of the FreeIPA groups that the trust relationship is providing us. Then when we get to the HBAC code, we'll just proceed like we do for native users. The limitation of this approach is that it will be tricky and may require additional lookups to the FreeIPA server if the groups are not cached (since we need the complete set of their parent hierarchy)

2) When saving a trusted domain user, we can instead add an extra "objectClass: trusted_domain_user". When we get to the HBAC code, we can key on this for whether we need to follow the memberOf hierarchy instead of the originalMemberOf hierarchy.

Another thing to keep in mind is whether we want to support HBAC rules referencing groups from the trusted domain or only native FreeIPA groups. Supporting only FreeIPA groups is *much* simpler.

Comment 7 Sumit Bose 2012-10-24 18:24:32 UTC

Stephen, thank you for the analysis. I think I will take the second way. Only native groups are supported but you can add groups from trusted domain via external groups to native groups.

Comment 8 Jakub Hrozek 2012-10-25 09:38:45 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1604

Comment 10 Scott Poore 2012-11-12 22:02:47 UTC

Verified.

Version ::

Manual Test Results ::

<previously created groups>

[root@rhel6-1 log]# ipa group-show adtestdom_testgroup
  Group name: adtestdom_testgroup
  Description: adtestdom.com testgroup
  GID: 270000004
  Member groups: adtestdom_testgroup_external

[root@rhel6-1 log]# ipa group-show adtestdom_testgroup_external
  Group name: adtestdom_testgroup_external
  Description: adtestdom.com testgroup external map
  Member of groups: adtestdom_testgroup
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135

[root@rhel6-1 log]# wbinfo -n "ADTESTDOM\adtestuser1"
S-1-5-21-1246088475-3077293710-2580964704-1136 SID_USER (1)

[root@rhel6-1 log]# wbinfo --user-sids S-1-5-21-1246088475-3077293710-2580964704-1136
S-1-5-21-1246088475-3077293710-2580964704-1136
S-1-5-21-1246088475-3077293710-2580964704-513
S-1-5-21-1246088475-3077293710-2580964704-1135

[root@rhel6-1 log]# wbinfo -s S-1-5-21-1246088475-3077293710-2580964704-1136
ADTESTDOM\adtestuser1 1

[root@rhel6-1 log]# wbinfo -s S-1-5-21-1246088475-3077293710-2580964704-513
ADTESTDOM\Domain Users 2

[root@rhel6-1 log]# wbinfo -s S-1-5-21-1246088475-3077293710-2580964704-1135
ADTESTDOM\adtestgroup1 2

[root@rhel6-1 log]# ipa hbacrule-add --desc=test test
----------------------
Added HBAC rule "test"
----------------------
  Rule name: test
  Description: test
  Enabled: TRUE

[root@rhel6-1 log]# ipa hbacrule-add-service --hbacsvcs=sshd  test
  Rule name: test
  Description: test
  Enabled: TRUE
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 log]# ipa hbacrule-add-user test --groups=adtestdom_testgroup
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 log]# ipa hbacrule-add-host --hosts=rhel6-1.testrelm.com test
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Hosts: rhel6-1.testrelm.com
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 log]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

[root@rhel6-1 log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
11/12/12 16:55:03  11/13/12 16:55:01  krbtgt/TESTRELM.COM
11/12/12 16:55:04  11/13/12 16:55:01  HTTP/rhel6-1.testrelm.com

[root@rhel6-1 log]# kinit adtestuser1
Password for adtestuser1: 

[root@rhel6-1 log]# ssh -K -l adtestuser1 rhel6-1.testrelm.com
Last login: Mon Nov 12 16:07:22 2012 from rhel6-1.testrelm.com

-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

[root@rhel6-1 log]# ssh -K -l adtestuser1 rhel6-2.testrelm.com
Connection closed by UNKNOWN

So, looks like it allows me to login where expected and denies where expected.

Comment 11 errata-xmlrpc 2013-02-21 09:38:24 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.