Bug 878480 - Lookup user SIDs in external groups
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Namita Soman
Docs Contact:
Depends On:
Blocks: 886216
Reported: 2012-11-20 09:21 EST by Dmitri Pal
Modified: 2013-02-21 04:30 EST (History)

See Also:
Fixed In Version: ipa-3.0.0-10.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 04:30:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID: Red Hat Product Errata RHSA-2013:0528
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: ipa security, bug fix and enhancement update
Last Updated: 2013-02-21 03:22:21 EST

Description Dmitri Pal 2012-11-20 09:21:41 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3257

Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. The user SID should be used as well.
Comment 1 Namita Soman 2012-11-20 14:29:23 EST
Please provide steps to reproduce and verify this bug
Comment 2 Sumit Bose 2012-11-20 15:00:15 EST
- Create an external group 'ipa group-add --external ext_user_test'
- Add user or user SID to the external group 'ipa group-add-member ext_user_test --external S-1-5-21-.....'
- Create local group 'ipa group-add loc_user_test'
- Add external group to local group 'ipa group-add-member loc_user_test --groups=ext_user_test'
- Create HBAC rule 'ipa hbacrule-add user_test'
- Set some defaults, e.g. 'ipa hbacrule-mod --hostcat=all --servicecat=all user_test'
- Add local group 'ipa hbacrule-add-user --groups=loc_user_test'
- Make sure allow_all is disabled 'ipa hbacrule-disable allow_all'
- Try to log in, e.g. with ssh as the AD user
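The following model, added here and not code from FreeIPA or SSSD, shows why the reproducer above fails before the fix: the PAC carries the user's own SID plus the SIDs of the user's AD groups, and ext_user_test contains only the user SID, so a lookup that consults group SIDs alone never reaches loc_user_test or the user_test HBAC rule. The PAC contents, the group tables and the rule table are constructed to mirror the reproducer (the user SID and group RIDs are taken from the test transcript in this bug).

```python
"""Model of PAC SIDs -> IPA external groups -> POSIX groups -> HBAC decision.

Added example; not FreeIPA/SSSD code. Data below is constructed to match the
reproducer in this bug (ext_user_test holds the user SID, loc_user_test holds
ext_user_test, HBAC rule user_test allows loc_user_test with hostcat/servicecat=all).
"""

# Constructed PAC as SSSD would see it after the AD user authenticates.
PAC = {
    "user_sid": "S-1-5-21-3655990580-1375374850-1633065477-1178",
    "group_sids": [
        "S-1-5-21-3655990580-1375374850-1633065477-513",   # domain users
        "S-1-5-21-3655990580-1375374850-1633065477-1150",  # adgroup1
    ],
}

# External groups hold SIDs; POSIX groups hold nested IPA groups.
EXTERNAL_GROUPS = {"ext_user_test": {"S-1-5-21-3655990580-1375374850-1633065477-1178"}}
POSIX_GROUPS = {"loc_user_test": {"ext_user_test"}}
HBAC_RULES = {"user_test": {"enabled": True, "usergroups": {"loc_user_test"}}}


def external_groups_for(pac, use_user_sid):
    """External groups matched by the PAC.

    use_user_sid=False reproduces the pre-fix lookup (group SIDs only);
    True is the behaviour requested by this bug (user SID looked up as well).
    """
    sids = set(pac["group_sids"])
    if use_user_sid:
        sids.add(pac["user_sid"])
    return {name for name, members in EXTERNAL_GROUPS.items() if members & sids}


def posix_groups_for(external):
    """POSIX groups that transitively contain any matched external group."""
    matched, frontier = set(), set(external)
    while frontier:
        newly = {g for g, m in POSIX_GROUPS.items() if m & frontier and g not in matched}
        matched |= newly
        frontier = newly
    return matched


def hbac_allows(pac, use_user_sid):
    """True if an enabled rule lists one of the user's resolved POSIX groups."""
    groups = posix_groups_for(external_groups_for(pac, use_user_sid))
    return any(r["enabled"] and r["usergroups"] & groups for r in HBAC_RULES.values())


if __name__ == "__main__":
    print("before fix:", hbac_allows(PAC, use_user_sid=False))  # False: access denied
    print("after fix: ", hbac_allows(PAC, use_user_sid=True))   # True: access allowed
```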
Comment 3 Rob Crittenden 2012-11-30 16:40:56 EST
Fixed upstream.

master: c5e055ae00a2f4a41df4bdcbc95e81d771a4f8cf

ipa-3-0: 22c752c230049985cdf9490a96c901d80c3d41c0
Comment 6 Steeve Goveas 2013-01-31 04:17:57 EST
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 878480' --external ext_user_test
---------------------------
Added group "ext_user_test"
---------------------------
  Group name: ext_user_test
  Description: test group for bug 878480

[root@ibm-x3500m4-01 ~]# ipa group-add-member ext_user_test --external "ADLAB\adtestuser1"
[member user]: 
[member group]: 
  Group name: ext_user_test
  Description: test group for bug 878480
  External member: S-1-5-21-3655990580-1375374850-1633065477-1178
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa group-add loc_user_test
Description: local test group for bug 878480
---------------------------
Added group "loc_user_test"
---------------------------
  Group name: loc_user_test
  Description: local test group for bug 878480
  GID: 520800006

[root@ibm-x3500m4-01 ~]# ipa group-add-member loc_user_test --groups=ext_user_test
  Group name: loc_user_test
  Description: local test group for bug 878480
  GID: 520800006
  Member groups: ext_user_test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-add user_test
---------------------------
Added HBAC rule "user_test"
---------------------------
  Rule name: user_test
  Enabled: TRUE

[root@ibm-x3500m4-01 ~]# ipa hbacrule-mod --hostcat=all --servicecat=all user_test
------------------------------
Modified HBAC rule "user_test"
------------------------------
  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE

[root@ibm-x3500m4-01 ~]# ipa hbacrule-add-user --groups=loc_user_test user_test
  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: loc_user_test
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

[root@ibm-x3500m4-01 ~]# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: user_test
  Host category: all
  Service category: all
  Enabled: TRUE
  User Groups: loc_user_test
----------------------------
Number of entries returned 2
----------------------------

* AD user login to server works

[root@dell-pe1950-03 ~]# ssh -l adtestuser1@adlab.qe ibm-x3500m4-01.testrelm.com
adtestuser1@adlab.qe@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 8991 day(s).
Last login: Wed Jan 30 18:41:25 2013 from ibm-x3500m4-01.testrelm.com
Could not chdir to home directory /home/adlab.qe/adtestuser1: No such file or directory
-sh-4.1$ id
uid=1979001178(adtestuser1@adlab.qe) gid=1979001178(adtestuser1@adlab.qe) groups=1979001178(adtestuser1@adlab.qe),520800004(ad_users),520800006(loc_user_test),1979000513(domain users@adlab.qe),1979001150(adgroup1@adlab.qe),1979001151(adgroup2@adlab.qe) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
Connection to ibm-x3500m4-01.testrelm.com closed.

* Other users were not able to log in

[root@dell-pe1950-03 ~]# ssh -l adtestuser2@adlab.qe ibm-x3500m4-01.testrelm.com
adtestuser2@adlab.qe@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 8991 day(s).
Connection closed by UNKNOWN

[root@dell-pe1950-03 ~]# ssh -l fuser@adlab.qe ibm-x3500m4-01.testrelm.com
fuser@adlab.qe@ibm-x3500m4-01.testrelm.com's password: 
Your password will expire in 41 day(s).
Connection closed by UNKNOWN


* Logs for failed logins
==> /var/log/secure <==
Jan 31 03:45:45 ibm-x3500m4-01 sshd[16215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=adtestuser2@adlab.qe
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): User info message: Your password will expire in 8991 day(s).
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2@adlab.qe
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:account): Access denied for user adtestuser2@adlab.qe: 6 (Permission denied)
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: Failed password for adtestuser2@adlab.qe from 10.34.35.54 port 49994 ssh2
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16216]: fatal: Access denied for user adtestuser2@adlab.qe by PAM account configuration

==> /var/log/secure <==
Jan 31 03:46:51 ibm-x3500m4-01 sshd[16221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=fuser@adlab.qe
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): User info message: Your password will expire in 41 day(s).
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=fuser@adlab.qe
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: pam_sss(sshd:account): Access denied for user fuser@adlab.qe: 6 (Permission denied)
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16221]: Failed password for fuser@adlab.qe from 10.34.35.54 port 49995 ssh2
Jan 31 03:46:53 ibm-x3500m4-01 sshd[16222]: fatal: Access denied for user fuser@adlab.qe by PAM account configuration
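The denied logins above are easy to misread as bad passwords: sshd prints "Failed password", yet pam_sss reports authentication success and it is the account phase that denies access. This added classifier (not part of the bug report) correlates the two pam_sss lines by sshd pid so that a log reviewer can tell an HBAC/account denial from a genuine authentication failure; the sample lines are copied from the excerpt above and the parsing logic is this example's own.

```python
"""Classify sshd outcomes in /var/log/secure: HBAC denial vs. bad password.

Added example, not part of this bug report. SAMPLE_LOG is a subset of the
lines from the failed-login excerpt in this bug.
"""
import re

SAMPLE_LOG = """\
Jan 31 03:45:45 ibm-x3500m4-01 sshd[16215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com  user=adtestuser2@adlab.qe
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=dell-pe1950-03.testrelm.com user=adtestuser2@adlab.qe
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: pam_sss(sshd:account): Access denied for user adtestuser2@adlab.qe: 6 (Permission denied)
Jan 31 03:45:48 ibm-x3500m4-01 sshd[16215]: Failed password for adtestuser2@adlab.qe from 10.34.35.54 port 49994 ssh2
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_OK = re.compile(r"pam_sss\(sshd:auth\): authentication success;.* user=(?P<user>\S+)")
ACCT_DENY = re.compile(r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+)")


def classify(log_text):
    """Return {sshd_pid: (verdict, user)}.

    A pam_sss account denial that follows a pam_sss auth success on the same
    sshd pid is an access-control (HBAC) denial; a denial with no prior auth
    success on that pid is reported as a plain account denial.
    """
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        ok = AUTH_OK.search(msg)
        deny = ACCT_DENY.search(msg)
        if ok:
            state[pid] = ("authenticated", ok.group("user"))
        elif deny:
            prior = state.get(pid, (None, None))[0]
            verdict = "hbac_denied_after_auth" if prior == "authenticated" else "account_denied"
            state[pid] = (verdict, deny.group("user"))
    return state


if __name__ == "__main__":
    for pid, (verdict, user) in classify(SAMPLE_LOG).items():
        print(pid, user, verdict)
```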
Comment 8 errata-xmlrpc 2013-02-21 04:30:26 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
