Bug 869678 - sssd not granting access for AD trusted user in HBAC rule
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Priority: high
Severity: unspecified
Target Milestone: rc
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2012-10-24 10:34 EDT by Scott Poore
Modified: 2013-04-05 08:48 EDT (History)
Fixed In Version: sssd-1.9.2-11.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Last Closed: 2013-02-21 04:38:24 EST
Type: Bug
Attachments
sssd log with kinit and ssh (121.82 KB, application/octet-stream)
2012-10-24 10:34 EDT, Scott Poore

Description Scott Poore 2012-10-24 10:34:44 EDT
Created attachment 632827 [details]
sssd log with kinit and ssh

Description of problem:

I can't log into an IPA client (running sssd) with an AD trusted user when there is an HBAC rule in place.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Setup IPA Master (rhel6-1)
2. Setup AD Server (w2k8r2-1) and create testgroup and testuser1 as member of testgroup
2.0.  ipa dnszone-add adtestdom.com --name-server=w2k8r2-1.adtestdom.com --admin-email="hostmaster@adtestdom.com" --forwarder=192.168.122.21 --forward-policy=only --force
2.1.  ipa-adtrust-install
2.2.  ipa trust-add adtestdom.com --admin Administrator --password
3. ipa group-add --desc='adtestdom.com testgroup external map' adtestdom_testgroup_external --external
4. ipa group-add --desc='adtestdom.com testgroup' adtestdom_testgroup
5. wbinfo -n "ADTESTDOM\testgroup"
6. ipa group-add-member adtestdom_testgroup_external --external S-1-5-21-1246088475-3077293710-2580964704-1132
7. ipa hbacrule-add --desc=test test
8. ipa hbacrule-add-host --hosts=rhel6-1.testrelm.com test
9. ipa hbacrule-add-sourcehost test --hosts=w2k8r2-3.adtestdom.com
Note that the sourcehost will be ignored now, so this shouldn't be necessary.
10. ipa hbacrule-add-service --hbacsvcs=sshd  test
11. ipa hbacrule-add-user test --groups=adtestdom_testgroup
12. kinit testuser1@ADTESTDOM.COM
13. ssh -K -l testuser1@adtestdom.com rhel6-1

Note that some of the above procedures were just taken from history so I hope I got it all there.
  
Actual results:

[root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\testgroup"
S-1-5-21-1246088475-3077293710-2580964704-1132 SID_DOM_GROUP (2)

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup_external
  Group name: adtestdom_testgroup_external
  Description: adtestdom.com testgroup external map
  Member of groups: adtestdom_testgroup
  Indirect Member of HBAC rule: test
  External member: S-1-5-21-1246088475-3077293710-2580964704-1132

[root@rhel6-1 ~]# ipa group-show adtestdom_testgroup
  Group name: adtestdom_testgroup
  Description: adtestdom.com testgroup
  GID: 1277200031
  Member groups: adtestdom_testgroup_external
  Member of HBAC rule: test

[root@rhel6-1 ~]# ipa hbacrule-show test
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Hosts: rhel6-1.testrelm.com
  Services: sshd
  External host: w2k8r2-3.adtestdom.com

[root@rhel6-1 ~]# kinit testuser1@ADTESTDOM.COM
Password for testuser1@ADTESTDOM.COM: 

[root@rhel6-1 ~]# ssh -K -l testuser1@adtestdom.com rhel6-1
Connection closed by UNKNOWN

[root@rhel6-1 ~]#

Expected results:

ssh works and logs user into host.

Additional info:

/var/log/sssd/sssd_testrelm.com.log entries:

(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_attrs_to_rule] (0x1000): Processing rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule] (0x1000): Processing users for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): No such entry
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_user_attrs_to_rule] (0x2000): Added non-POSIX group [adtestdom_testgroup] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_service_attrs_to_rule] (0x1000): Processing PAM services for rule [test]

...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_service_attrs_to_rule] (0x2000): Added service [sshd] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_thost_attrs_to_rule] (0x1000): Processing target hosts for rule [test]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_host_attrs_to_rule] (0x2000): Added host [rhel6-1.testrelm.com] to rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule] (0x0400): Processing source hosts for rule [test]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_shost_attrs_to_rule] (0x2000): Source hosts disabled, setting ALL
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [hbac_eval_user_element] (0x1000): No groups for [testuser1]
...
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sending result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sent result [6][adtestdom.com]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1e2e710], connected[1], ops[(nil)], ldap[0x1e37040]
(Wed Oct 24 09:11:49 2012) [sssd[be[testrelm.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 1E00180
(Wed Oct 24 09:11:58 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
Comment 2 Scott Poore 2012-10-24 11:19:45 EDT
Note: after step 4 you need to do this:

ipa group-add-member adtestdom_testgroup --groups=adtestdom_testgroup_external
Comment 3 Scott Poore 2012-10-24 12:06:38 EDT
Here's a little more info...not sure if it helps:

So, SSSD HBAC matching was searching for this?

(Wed Oct 24 11:53:28 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))

But couldn't find it?

(Wed Oct 24 11:53:28 2012) [sssd[be[testrelm.com]]] [sysdb_search_groups] (0x2000): No such entry


Here's what I see in LDAP:

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com"
dn: cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com
member: cn=adtestdom_testgroup_external,cn=groups,cn=accounts,dc=testrelm,dc=c
 om
memberOf: ipauniqueid=1d777416-1d85-11e2-845c-525400555d2f,cn=hbac,dc=testrelm
 ,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1941887706-3747460317-4235707753-1031
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
description: adtestdom.com testgroup
cn: adtestdom_testgroup
ipaUniqueID: 2c390d9c-1ddb-11e2-89d3-525400555d2f
gidNumber: 1277200031

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtestdom_testgroup_external,cn=groups,cn=accounts,dc=testrelm,dc=com"
dn: cn=adtestdom_testgroup_external,cn=groups,cn=accounts,dc=testrelm,dc=com
memberOf: cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com
memberOf: ipauniqueid=1d777416-1d85-11e2-845c-525400555d2f,cn=hbac,dc=testrelm
 ,dc=com
ipaExternalMember: S-1-5-21-1246088475-3077293710-2580964704-1132
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: ipaexternalgroup
description: adtestdom.com testgroup external map
cn: adtestdom_testgroup_external
ipaUniqueID: 215ec470-1ddb-11e2-8cdf-525400555d2f

But, looking close at the filter SSSD log mentioned, the group doesn't have a group objectClass set?

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com" objectclass=group
[root@rhel6-1 ~]# 

If I create a new group though it doesn't either?

[root@rhel6-1 ~]# ipa group-add --desc=test testlocal
-----------------------
Added group "testlocal"
-----------------------
  Group name: testlocal
  Description: test
  GID: 1277200032

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=testlocal,cn=groups,cn=accounts,dc=testrelm,dc=com" objectclass=group

[root@rhel6-1 ~]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=testlocal,cn=groups,cn=accounts,dc=testrelm,dc=com"
dn: cn=testlocal,cn=groups,cn=accounts,dc=testrelm,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1941887706-3747460317-4235707753-1032
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
description: test
cn: testlocal
ipaUniqueID: 7fb4a454-1df4-11e2-8217-525400555d2f
gidNumber: 1277200032

So, is this a problem with how groups are getting created/set or how the SSSD HBAC filtering is occurring?  Or something else altogether?
Comment 4 Sumit Bose 2012-10-24 12:35:57 EDT
Sorry, you are looking at two different directory trees. The search filter "(&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))" is for the local sssd cache, not for the LDAP server. You can see this by the sysdb_ prefix in the name of the function. The local sssd cache is organized as a directory tree, but is not a copy of the tree of the LDAP server.

You can use 'ldbsearch -H /var/lib/sss/db/cache_testrelm.com.ldb <filter>' to search the local cache.
Comment 5 Scott Poore 2012-10-24 12:45:42 EDT
Ah, ok.

[root@rhel6-1 ~]# ldbsearch -H /var/lib/sss/db/cache_testrelm.com.ldb "(&(objectclass=group)(originalDN=cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com))"
asq: Unable to register control with rootdse!
# record 1
dn: name=adtestdom_testgroup,cn=groups,cn=testrelm.com,cn=sysdb
createTimestamp: 1351091602
gidNumber: 1277200031
name: adtestdom_testgroup
objectClass: group
isPosix: TRUE
originalDN: cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com
originalModifyTimestamp: 20121024131126Z
entryUSN: 1405
lastUpdate: 1351091602
dataExpireTimestamp: 1351097002
member: name=testuser1,cn=users,cn=adtestdom.com,cn=sysdb
memberuid: testuser1
distinguishedName: name=adtestdom_testgroup,cn=groups,cn=testrelm.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
Comment 6 Stephen Gallagher 2012-10-24 13:16:37 EDT
Ok, I dug into this today and found the root cause.

The relevant line from the log is this:
(Wed Oct 24 10:33:23 2012) [sssd[be[testrelm.com]]] [hbac_eval_user_element] (0x1000): No groups for [testuser1]

Reading the source, the only way this can happen is if the user has no "originalMemberOf" attributes in the sysdb cache. We look for this attribute as a way to "cheat" and shortcut lookups for groups the user belongs to.

For FreeIPA users (those that aren't coming from trust relationships), we have a guarantee that the LDAP entry for the user will contain memberOf attributes for ALL objects for which the user is a member. We then use some hackish DN comparisons to narrow that list down to actual group objects.

However, when users are added to our cache through the trust lookup, they are not coming from LDAP and therefore do not have the originalMemberOf attribute. As a result, the user appears to be a member of no groups, and thus they do not pass HBAC rules requiring group membership. The cache does have correct links to the FreeIPA groups, though.

There are two ways we could solve this bug that I see.

1) When saving the user, we could add "fake" originalMemberOf attributes by copying in the originalMemberOf attributes from any of the FreeIPA groups that the trust relationship is providing us. Then when we get to the HBAC code, we'll just proceed like we do for native users. The limitation of this approach is that it will be tricky and may require additional lookups to the FreeIPA server if the groups are not cached (since we need the complete set of their parent hierarchy)

2) When saving a trusted domain user, we can instead add an extra "objectClass: trusted_domain_user". When we get to the HBAC code, we can key on this for whether we need to follow the memberOf hierarchy instead of the originalMemberOf hierarchy.

Another thing to keep in mind is whether we want to support HBAC rules referencing groups from the trusted domain or only native FreeIPA groups. Supporting only FreeIPA groups is *much* simpler.
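To make the diagnosis above concrete, here is an added Python model of the two membership lookups (this is illustration, not sssd source). It assumes a simplified sysdb cache built from the names in this report, and uses the object class name "trusted_domain_user" proposed in the second approach as a placeholder marker.

```python
# Constructed model of the sssd sysdb cache described in comment 6; this is
# added illustration, not sssd source. Native users carry originalMemberOf
# (copied from the IPA LDAP memberOf), trust users arrive via the trust
# lookup without it, although the cached group entries still list them
# as members (see the ldbsearch output in comment 5).
TESTGROUP_DN = "cn=adtestdom_testgroup,cn=groups,cn=accounts,dc=testrelm,dc=com"
ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com"

# "trusted_domain_user" is the marker object class proposed in comment 6,
# used here as a placeholder name.
CACHE_USERS = {
    "admin": {"objectClass": ["user"], "originalMemberOf": [ADMINS_DN]},
    "testuser1": {"objectClass": ["user", "trusted_domain_user"],
                  "originalMemberOf": []},
}
CACHE_GROUPS = {
    TESTGROUP_DN: {"name": "adtestdom_testgroup", "member": ["testuser1"]},
    ADMINS_DN: {"name": "admins", "member": ["admin"]},
}
HBAC_RULE = {"name": "test", "enabled": True,
             "groups": {"adtestdom_testgroup"},
             "hosts": {"rhel6-1.testrelm.com"},
             "services": {"sshd"}}


def user_groups(user, follow_member_links=False):
    """Group names the HBAC user element will credit to `user`.

    Default is the pre-fix behaviour: only originalMemberOf DNs count, so a
    trust user yields an empty set ("No groups for [testuser1]").  With
    follow_member_links=True (approach 2 from comment 6) a user carrying the
    trusted-domain marker is matched through the cached groups' member
    attribute instead.
    """
    entry = CACHE_USERS[user]
    names = {CACHE_GROUPS[dn]["name"]
             for dn in entry["originalMemberOf"] if dn in CACHE_GROUPS}
    if follow_member_links and "trusted_domain_user" in entry["objectClass"]:
        names |= {g["name"] for g in CACHE_GROUPS.values()
                  if user in g["member"]}
    return names


def hbac_allows(user, host, service, rule=HBAC_RULE, fixed=False):
    """Evaluate one HBAC rule: target host, PAM service and user group must
    all match (source hosts are ignored, as the log in the report notes)."""
    if not rule["enabled"]:
        return False
    if host not in rule["hosts"] or service not in rule["services"]:
        return False
    return bool(user_groups(user, follow_member_links=fixed) & rule["groups"])
```

With the default lookup testuser1 has no groups and is denied exactly as in the log; with the marker-based lookup the same rule grants rhel6-1 and still denies rhel6-2, matching the verification in comment 10.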
Comment 7 Sumit Bose 2012-10-24 14:24:32 EDT
Stephen, thank you for the analysis. I think I will take the second way. Only native groups are supported but you can add groups from trusted domain via external groups to native groups.
Comment 8 Jakub Hrozek 2012-10-25 05:38:45 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1604
Comment 10 Scott Poore 2012-11-12 17:02:47 EST
Verified.

Version ::

Manual Test Results ::

<previously created groups>

[root@rhel6-1 log]# ipa group-show adtestdom_testgroup
  Group name: adtestdom_testgroup
  Description: adtestdom.com testgroup
  GID: 270000004
  Member groups: adtestdom_testgroup_external

[root@rhel6-1 log]# ipa group-show adtestdom_testgroup_external
  Group name: adtestdom_testgroup_external
  Description: adtestdom.com testgroup external map
  Member of groups: adtestdom_testgroup
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135

[root@rhel6-1 log]# wbinfo -n "ADTESTDOM\adtestuser1"
S-1-5-21-1246088475-3077293710-2580964704-1136 SID_USER (1)

[root@rhel6-1 log]# wbinfo --user-sids S-1-5-21-1246088475-3077293710-2580964704-1136
S-1-5-21-1246088475-3077293710-2580964704-1136
S-1-5-21-1246088475-3077293710-2580964704-513
S-1-5-21-1246088475-3077293710-2580964704-1135

[root@rhel6-1 log]# wbinfo -s S-1-5-21-1246088475-3077293710-2580964704-1136
ADTESTDOM\adtestuser1 1

[root@rhel6-1 log]# wbinfo -s S-1-5-21-1246088475-3077293710-2580964704-513
ADTESTDOM\Domain Users 2

[root@rhel6-1 log]# wbinfo -s S-1-5-21-1246088475-3077293710-2580964704-1135
ADTESTDOM\adtestgroup1 2

[root@rhel6-1 log]# ipa hbacrule-add --desc=test test
----------------------
Added HBAC rule "test"
----------------------
  Rule name: test
  Description: test
  Enabled: TRUE

[root@rhel6-1 log]# ipa hbacrule-add-service --hbacsvcs=sshd  test
  Rule name: test
  Description: test
  Enabled: TRUE
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 log]# ipa hbacrule-add-user test --groups=adtestdom_testgroup
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 log]# ipa hbacrule-add-host --hosts=rhel6-1.testrelm.com test
  Rule name: test
  Description: test
  Enabled: TRUE
  User Groups: adtestdom_testgroup
  Hosts: rhel6-1.testrelm.com
  Services: sshd
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 log]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

[root@rhel6-1 log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM

Valid starting     Expires            Service principal
11/12/12 16:55:03  11/13/12 16:55:01  krbtgt/TESTRELM.COM@TESTRELM.COM
11/12/12 16:55:04  11/13/12 16:55:01  HTTP/rhel6-1.testrelm.com@TESTRELM.COM

[root@rhel6-1 log]# kinit adtestuser1@ADTESTDOM.COM
Password for adtestuser1@ADTESTDOM.COM: 

[root@rhel6-1 log]# ssh -K -l adtestuser1@adtestdom.com rhel6-1.testrelm.com
Last login: Mon Nov 12 16:07:22 2012 from rhel6-1.testrelm.com

-sh-4.1$ exit
logout
Connection to rhel6-1.testrelm.com closed.

[root@rhel6-1 log]# ssh -K -l adtestuser1@adtestdom.com rhel6-2.testrelm.com
Connection closed by UNKNOWN

So, looks like it allows me to login where expected and denies where expected.
Comment 11 errata-xmlrpc 2013-02-21 04:38:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
