sssd hbac rule application for AD users is inconsistent
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Ubuntu) | Fix Released | Low | Unassigned |
Xenial | Fix Released | Low | Unassigned |
Bug Description
[Impact]
From the upstream bug at https:/
"""
In IPA-AD trust environment, sssd is intermittently failing to map AD user
group with IPA POSIX group hence getting access denied due to HBAC rules. The issue gets resolved automatically after certain time, without restarting the sssd service. i.e:
The IPA HBAC code used to read the group members from the the
originalMemberOf attribute value for performance reasons. However,
especially on IPA clients trusting an AD domain, the originalMemberOf
attribute value is often not synchronized correctly.
"""
[Test Case]
Coming up with a simple test case is not feasible. Even upstream wasn't able to reliably reproduce the issue in a controlled manner. My best suggestion is for affected users to try the updated package and observe whether the incorrect access denied error stops happening.
This involves setting up an AD server, a FreeIPA one, creating trust between them, and nested groups and HBAC rules. Upstream's description of such a scenario is at https:/
[Regression Potential]
The patch changes how group membership in this scenario is computed. It's a complex setup, and we are relying on: a) the patch has been applied upstream and backported to 1.13; b) the user who reported this bug confirmed it fixed the issue with a custom build he did; c) the upstream test suite passed; d) the dep8 tests (new with this SRU) also pass.
[Other Info]
The scenario where the bug happens is too complex to reproduce in a test case, but it does happen out in the wild according to this report and also in upstream's bug tracker. I decided to add the DEP8 tests to this update as well to give extra confidence in this and future updates, even though they don't exercise this bug in particular.
[Original Description]
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
sssd Version: 1.13.4-1ubuntu1.8
I'm sometimes seeing AD users denied access to a machine due to HBAC access rules:
(Tue Oct 3 04:11:09 2017) [sssd[be[
Upstream suggests applying this commit:
https:/
That was made on the 1.13 branch but not yet released. More here:
https://<email address hidden>
I'm currently testing out a local package with this patch.
Related branches
- Andreas Hasenack (community): Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 199 lines (+177/-0), 3 files modified
- debian/changelog (+6/-0)
- debian/patches/hbac.patch (+170/-0)
- debian/patches/series (+1/-0)
tags: added: server-next
description: updated
description: updated
Changed in sssd (Ubuntu Xenial):
importance: Undecided → Low
tags: added: verification-done-xenial; removed: verification-needed-xenial
Thanks for filing this bug in Ubuntu.
It looks like you are familiar with Ubuntu/Debian development. Do you think you would be able to make a merge proposal against this git branch for xenial?
https://code.launchpad.net/~usd-import-team/ubuntu/+source/sssd/+git/sssd/+ref/ubuntu/xenial-devel
If you are familiar with git and Ubuntu development, you can use our git workflow and the git-ubuntu helper tool.
Something like this, on a fresh xenial VM to show the setup steps:
$ sudo snap install git-ubuntu --classic
$ mkdir -p git/packages
$ cd git/packages
$ git ubuntu clone sssd
$ cd sssd
$ git checkout -b xenial-sssd-hbac-rule-1722936 pkg/ubuntu/xenial-devel
code away
$ git ubuntu submit
More information about this tool can be found in this blog post: https://naccblog.wordpress.com/2017/08/01/git-ubuntu-clone/