Bug 878480 - Lookup user SIDs in external groups
Summary: Lookup user SIDs in external groups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks: 886216
Reported: 2012-11-20 14:21 UTC by Dmitri Pal
Modified: 2013-02-21 09:30 UTC (History)
CC List: 4 users

Fixed In Version: ipa-3.0.0-10.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 09:30:26 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2013:0528 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Low: ipa security, bug fix and enhancement update | Last Updated: 2013-02-21 08:22:21 UTC

Description Dmitri Pal 2012-11-20 14:21:41 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3257

Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. The user SID should be used as well.

Comment 1 Namita Soman 2012-11-20 19:29:23 UTC
Please provide steps to reproduce and verify this bug

Comment 2 Sumit Bose 2012-11-20 20:00:15 UTC
- Create an external group 'ipa group-add --external ext_user_test'
- Add user or user SID to the external group 'ipa group-add-member ext_user_test --external S-1-5-21-.....'
- Create local group 'ipa group-add loc_user_test'
- Add external group to local group 'ipa group-add-member loc_user_test --groups=ext_user_test'
- create HBAC rule 'ipa hbacrule-add user_test'
- set some defaults e.g. 'ipa hbacrule-mod --hostcat=all --servicecat=all user_test'
- add local group to the rule 'ipa hbacrule-add-user --groups=loc_user_test user_test'
- make sure allow_all is disabled 'ipa hbacrule-disable allow_all'
- try to log in e.g. with ssh as the AD user

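The steps above exercise one specific lookup path: an AD user's own SID (not one of its group SIDs) is what was added to the external group, so the client only lands in loc_user_test, and only passes the HBAC rule, if the user SID from the PAC is matched against external-group members. The following model of that resolution is an added example and is not code from FreeIPA or SSSD; it reproduces the before/after behaviour of the fix in a self-contained way. The domain SID and RIDs are taken from the `id` output in the verification comment, the second AD user and the nested-group handling are assumptions, and the HBAC evaluation is reduced to the user-group dimension (host and service categories are "all", as in the rule above).

```python
"""Model of external-group resolution for an AD user's PAC (added example).

Before the fix only the PAC's group SIDs were matched against the SIDs stored
in IPA external groups; a user SID added directly with
'ipa group-add-member ext_user_test --external S-1-5-21-...' never matched.
After the fix the user SID is matched as well.
"""
from dataclasses import dataclass

# Domain SID copied from comment 6; RIDs 1178/513/1150/1151 come from the
# `id` output there (uid 1979001178, gids ...513, ...1150, ...1151).
DOMAIN_SID = "S-1-5-21-3655990580-1375374850-1633065477"


def sid(rid):
    return f"{DOMAIN_SID}-{rid}"


@dataclass(frozen=True)
class Pac:
    """The parts of a Kerberos PAC relevant here: the user SID and group SIDs."""
    user_sid: str
    group_sids: frozenset


PAC_ADTESTUSER1 = Pac(sid(1178), frozenset({sid(513), sid(1150), sid(1151)}))
# Constructed: a second AD user that is not a member of any external group.
PAC_ADTESTUSER2 = Pac(sid(1179), frozenset({sid(513)}))

# External group holding the *user* SID (what the reproducer adds).
EXTERNAL_GROUPS = {"ext_user_test": {sid(1178)}}
# POSIX group whose member is the external group; values are member group names.
# Assumption: local groups may also nest other local groups.
LOCAL_GROUPS = {"loc_user_test": {"ext_user_test"}}
# HBAC rule name -> user groups it grants (hostcat/servicecat are "all").
HBAC_RULES = {"user_test": {"loc_user_test"}}


def matched_external_groups(pac, external_groups, include_user_sid=True):
    """External groups that contain any SID carried by the PAC."""
    sids = set(pac.group_sids)
    if include_user_sid:          # the fix: consider the user's own SID too
        sids.add(pac.user_sid)
    return {name for name, members in external_groups.items() if members & sids}


def resolve_local_groups(pac, external_groups, local_groups, include_user_sid=True):
    """Local POSIX groups the user ends up in, following group nesting."""
    member_of = matched_external_groups(pac, external_groups, include_user_sid)
    changed = True
    while changed:                # fixpoint over nested local groups
        changed = False
        for name, members in local_groups.items():
            if name not in member_of and members & member_of:
                member_of.add(name)
                changed = True
    return {g for g in member_of if g in local_groups}


def hbac_allows(pac, rules, external_groups, local_groups, include_user_sid=True):
    """True if some rule names a group the user resolves into."""
    groups = resolve_local_groups(pac, external_groups, local_groups, include_user_sid)
    return any(groups & user_groups for user_groups in rules.values())


if __name__ == "__main__":
    for label, flag in (("before fix", False), ("after fix", True)):
        for name, pac in (("adtestuser1", PAC_ADTESTUSER1), ("adtestuser2", PAC_ADTESTUSER2)):
            allowed = hbac_allows(pac, HBAC_RULES, EXTERNAL_GROUPS, LOCAL_GROUPS, flag)
            print(f"{label}: {name} -> {'allowed' if allowed else 'denied'}")
```

Run with the user-SID lookup disabled, adtestuser1 resolves to no local group and is denied by HBAC even though the SID is plainly listed in ext_user_test; with it enabled the user lands in loc_user_test and passes. adtestuser2 is denied either way, which is the negative check the verification in this bug also performs.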
Comment 3 Rob Crittenden 2012-11-30 21:40:56 UTC
Fixed upstream.

master: c5e055ae00a2f4a41df4bdcbc95e81d771a4f8cf

ipa-3-0: 22c752c230049985cdf9490a96c901d80c3d41c0

Comment 6 Steeve Goveas 2013-01-31 09:17:57 UTC
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 878480' --external ext_user_test
---------------------------
Added group "ext_user_test"
---------------------------
  Group name: ext_user_test
  Description: test group for bug 878480

[root@ibm-x3500m4-01 ~]# ipa group-add-member ext_user_test --external "ADLAB\adtestuser1"
[member user]: 
[member group]: 
  Group name: ext_user_test
  Description: test group for bug 878480
  External member: S-1-5-21-3655990580-1375374850-1633065477-1178
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa group-add loc_user_test
Description: local test group for bug 878480
---------------------------
Added group "loc_user_test"
---------------------------
  Group name: loc_user_test
  Description: local test group for bug 878480
  GID: 520800006

[root@ibm-x3500m4-01 ~]# ipa group-add-member loc_user_test --groups=ext_user_test
  Group name: loc_user_test
  Description: local test group for bug 878480
  GID: 520800006
  Member groups: ext_user_test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-add user_test
---------------------------
Added HBAC rule "user_test"
---------------------------
  Rule name: user_test
  Enabled: TRUE

[root@ibm-x3500m4-01 ~]# ipa hbacrule-mod --hostcat=all --servicecat=all user_test
------------------------------
Modified HBAC rule "user_test"
------------------------------
  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE

[root@ibm-x3500m4-01 ~]# ipa hbacrule-add-user --groups=loc_user_test user_test
  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: loc_user_test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: loc_user_test
----------------------------
Number of entries returned 2
----------------------------

* Aduser login to server works

[root@dell-pe1950-03 ~]# ssh -l adtestuser1 ibm-x3500m4-01.testrelm.com
adtestuser1@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 8991 day(s).
Last login: Wed Jan 30 18:41:25 2013 from ibm-x3500m4-01.testrelm.com
Could not chdir to home directory /home/adlab.qe/adtestuser1: No such file or directory
-sh-4.1$ id
uid=1979001178(adtestuser1) gid=1979001178(adtestuser1) groups=1979001178(adtestuser1),520800004(ad_users),520800006(loc_user_test),1979000513(domain users),1979001150(adgroup1),1979001151(adgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
Connection to ibm-x3500m4-01.testrelm.com closed.

* Other users were not able to login

[root@dell-pe1950-03 ~]# ssh -l adtestuser2 ibm-x3500m4-01.testrelm.com
adtestuser2@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 8991 day(s).
Connection closed by UNKNOWN

[root@dell-pe1950-03 ~]# ssh -l fuser ibm-x3500m4-01.testrelm.com
fuser@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 41 day(s).
Connection closed by UNKNOWN


* Logs for failed logins
==> /var/log/secure <==
Jan 31 03:45:45 ibm-x3500m4-01 sshd[16215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): User info message: Your password will expire in 8991 day(s).
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:account): Access denied for user adtestuser2: 6 (Permission denied)
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: Failed password for adtestuser2 from 10.34.35.54 port 49994 ssh2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16216]: fatal: Access denied for user adtestuser2 by PAM account configuration

==> /var/log/secure <==
Jan 31 03:46:51 ibm-x3500m4-01 sshd[16221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): User info message: Your password will expire in 41 day(s).
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:account): Access denied for user fuser: 6 (Permission denied)
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: Failed password for fuser from 10.34.35.54 port 49995 ssh2
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16222]: fatal: Access denied for user fuser by PAM account configuration

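The failed-login logs above are easy to misread: sshd prints "Failed password for adtestuser2", yet pam_sss reports "authentication success" two lines earlier. The password was correct; the denial came from the account phase (HBAC), and the "fatal: Access denied ... by PAM account configuration" line is logged by a different sshd process than the auth lines. A triage script that keys on the user rather than the PID and separates "wrong password" from "authenticated but denied by access control" is worth having when verifying rules like this one. The script below is an added example, not part of the bug report or of any Red Hat tooling. The sample log is built from the /var/log/secure lines in this comment plus constructed lines for a successful login (adtestuser1) and a genuinely bad password (adtestuser3); the verdict names are my own.

```python
"""Classify sshd/pam_sss outcomes in /var/log/secure by user (added example)."""
import re
from collections import defaultdict

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Patterns that name the user in the different message shapes seen above.
USER_RES = (
    re.compile(r"\buser=(?P<user>\S+)"),
    re.compile(r"Access denied for user (?P<user>[^\s:]+)"),
    re.compile(r"(?:Failed|Accepted) password for (?P<user>\S+) from"),
)
AUTH_OK = "pam_sss(sshd:auth): authentication success"
AUTH_FAIL = "pam_sss(sshd:auth): authentication failure"
ACCOUNT_DENIED = "pam_sss(sshd:account): Access denied"
ACCEPTED = "Accepted password for"

# Lines for adtestuser2 and fuser are copied from comment 6; the adtestuser1
# and adtestuser3 lines are constructed to show the other two outcomes.
SAMPLE_LOG = """\
Jan 31 03:40:12 ibm-x3500m4-01 sshd[16201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=adtestuser1
Jan 31 03:40:15 ibm-x3500m4-01 sshd[16201]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser1
Jan 31 03:40:15 ibm-x3500m4-01 sshd[16201]: Accepted password for adtestuser1 from 10.34.35.54 port 49990 ssh2
Jan 31 03:45:45 ibm-x3500m4-01 sshd[16215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): User info message: Your password will expire in 8991 day(s).
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:account): Access denied for user adtestuser2: 6 (Permission denied)
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: Failed password for adtestuser2 from 10.34.35.54 port 49994 ssh2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16216]: fatal: Access denied for user adtestuser2 by PAM account configuration
Jan 31 03:46:51 ibm-x3500m4-01 sshd[16221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=fuser
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:account): Access denied for user fuser: 6 (Permission denied)
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: Failed password for fuser from 10.34.35.54 port 49995 ssh2
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16222]: fatal: Access denied for user fuser by PAM account configuration
Jan 31 03:50:01 ibm-x3500m4-01 sshd[16230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=adtestuser3
Jan 31 03:50:03 ibm-x3500m4-01 sshd[16230]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser3
Jan 31 03:50:03 ibm-x3500m4-01 sshd[16230]: Failed password for adtestuser3 from 10.34.35.54 port 49996 ssh2
"""


def user_of(msg):
    """Extract the user name from a sshd/PAM message, or None if absent."""
    for rx in USER_RES:
        m = rx.search(msg)
        if m:
            return m.group("user")
    return None


def triage(log_text):
    """Map each user to one verdict: accepted, access_denied, bad_password, unknown."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        user = user_of(m.group("msg"))
        if user:
            seen[user].add(m.group("msg"))
    verdicts = {}
    for user, msgs in seen.items():
        has = lambda needle: any(needle in s for s in msgs)
        if has(ACCEPTED):
            verdicts[user] = "accepted"
        elif has(AUTH_OK) and has(ACCOUNT_DENIED):
            # Credentials were right; HBAC (or another account check) said no.
            verdicts[user] = "access_denied"
        elif has(AUTH_FAIL):
            # pam_unix failing alone is normal for sssd users; only pam_sss decides.
            verdicts[user] = "bad_password"
        else:
            verdicts[user] = "unknown"
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{user}: {verdict}")
```

The point of keying on the pam_sss account line is that "Failed password" alone is ambiguous on an sssd-backed host, and the pam_unix failure that precedes every sssd login is noise; an access_denied verdict for a user who should be covered by the rule is exactly the symptom this bug describes.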
Comment 8 errata-xmlrpc 2013-02-21 09:30:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

