[Freeipa-users] sssd receives another uid/gid after disabled HBAC rule
Sumit Bose
sbose at redhat.com
Thu Sep 11 10:58:43 UTC 2014
On Wed, Sep 10, 2014 at 08:19:15AM +0200, Gregor Bregenzer wrote:
> Hello Sumit,
> i think maybe there is a different problem i just discovered by
> accident. As stated in the first email, i have an AD trust with
> FreeIPA that receives all POSIX attributes from AD, but i get
> different values:
> On the FreeIPA server that has the AD trust (ipa1.linux.intern) i get
> the correct GID (=10000, this is the AD group linuxusers) that is set
> in AD, but on the client (linux1.linux.intern) i get another one ( =
> 10005):
>
> ipa1.linux.intern
> ~~~~
> [root at ipa1 httpd]# getent passwd user1 at aaa
> user1 at aaa.intern:*:10005:
> 10000:user1:/home/aaa.intern/user1:/bin/bash
>
> -bash-4.2$ id
> uid=10005(user1 at aaa.intern) gid=10000(linuxusers at aaa.intern)
> groups=10000(linuxusers at aaa.intern),1933000004(ad_users)
> ~~~~
>
> linux1.linux.intern
> ~~~~~~~~
> [root at linux1 sssd]# getent passwd user1 at aaa
> user1 at aaa.intern:*:10005:10005::/home/user1 at aaa.intern:/bin/bash
>
> [user1 at aaa.intern@linux1 ~]$ id
> uid=10005(user1 at aaa.intern) gid=10005(user1 at aaa.intern)
> Gruppen=10005(user1 at aaa.intern),1933000004(ad_users)
Since you are using SSSD-1.9.x on the client this behaviour is expected.
In this version SSSD could only handle users from a trusted AD domain as
users with User Private Groups (UPG), hence POSIX UID and GID are the
same. The additional group memberships are only available after the user
logged in. For this the PAC from the Kerberos ticket is evaluated. But
the PAC does not contain any information about POSIX attributes and only
contains groups the user is member of from the AD point of view. If
user1 is not a member of the linuxuser AD group SSSD cannot resolve this
membership.
Nevertheless I think this is not related to the UID change you reported
earlier.
bye,
Sumit
>
> Logfile on ipa1.linux.intern sssd_nss.log
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
> Running command [17] with input [user1 at aaa.intern].
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'user1 at aaa.intern' matched expression for domain
> 'aaa.intern', user is user1 │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [user1] from [aaa.intern]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str]
> (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
> (0x0100): Requesting info for [user1 at aaa.intern]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
> event "ltdb_callback": 0x7fe19e562700
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
> event "ltdb_timeout": 0x7fe19e562830
> │
> 03│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running
> timer event 0x7fe19e562700 "ltdb_callback"
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying
> timer event 0x7fe19e562830 "ltdb_timeout"
> │va
> r/│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer
> event 0x7fe19e562700 "ltdb_callback"
> │
> │(Wed Sep 10 08:14:42 2014) [sssd[nss]] [check_cache] (0x0400):
> Cached entry is valid, returning..
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
> (0x0400): Returning info for user [user1 at aaa.intern]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000):
> Idle timer re-set for client [0x7fe19e563d40][21]
> │
>
> ----------
> Logfile on linux1.linux.intern sssd_nss.log
>
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains]
> (0x0200): name 'user1 at aaa' matched expression for domain 'aaa.intern',
> user is user1 │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam] (0x0100):
> Requesting info for [user1] from [aaa.intern]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str]
> (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
> (0x0100): Requesting info for [user1 at aaa.intern]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
> event "ltdb_callback": 0x20e2c20
> │
> (W│
>
> │
> 00│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
> event "ltdb_timeout": 0x20e2590
> │
> (W│
>
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running
> timer event 0x20e2c20 "ltdb_callback"
> │
> (W│
>
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying
> timer event 0x20e2590 "ltdb_timeout"
> │
> (W│
>
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer
> event 0x20e2c20 "ltdb_callback"
> │
> (W│
>
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_issue_request]
> (0x0400): Issuing request for [0x432730:1:user1 at aaa.intern]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_get_account_msg]
> (0x0400): Creating request for [aaa.intern][4097][1][name=user1]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_add_timeout] (0x2000):
> 0x20d72e0
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_internal_get_send]
> (0x0400): Entering request [0x432730:1:user1 at aaa.intern]
> │
> 01│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_remove_timeout]
> (0x2000): 0x20d72e0
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_dispatch] (0x4000):
> dbus conn: 20DB0F0
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sbus_dispatch] (0x4000):
> Dispatching.
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000):
> Got reply from Data Provider - DP error code: 0 errno: 0 error
> message: Success
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str]
> (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
> (0x0100): Requesting info for [user1 at aaa.intern]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
> event "ltdb_callback": 0x20e8530
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed
> event "ltdb_timeout": 0x20e85e0
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running
> timer event 0x20e8530 "ltdb_callback"
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying
> timer event 0x20e85e0 "ltdb_timeout"
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer
> event 0x20e8530 "ltdb_callback"
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
> (0x0400): Returning info for user [user1 at aaa.intern]
> │
> 02│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_dp_req_destructor]
> (0x0400): Deleting request: [0x432730:1:user1 at aaa.intern]
> │
> :/│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000):
> Idle timer re-set for client [0x20e44a0][20]
> │
> │(Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000):
> Idle timer re-set for client [0x20e44a0][20]
> │
> (W│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [client_recv] (0x0200):
> Client disconnected!
> │/v
> ar│(Wed Sep 10 08:14:42 2014) [sssd[nss]] [client_destructor]
> (0x2000): Terminated client [0x20e44a0][20]
>
> ~~~~
>
>
> I think i need to get this one right before the HBAC rule - right?
>
>
> Here is my ipa1.linux.intern sssd.conf:
> ~~~~~~~~~
> [domain/linux.intern]
> debug_level=9
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = linux.intern
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.linux.intern
> chpass_provider = ipa
> ipa_server = ipa1.linux.intern
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> debug_level=9
> services = nss, sudo, pam, ssh, pac
> config_file_version = 2
> subdomains_provider = ipa
> domains = linux.intern
> [nss]
> debug_level=9
> homedir_substring = /home
>
> [pam]
> debug_level=9
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
> debug_level=9
> [ifp]
>
> ~~~~~~~~~~~~~~
>
> Here's my linux1.linux.intern sssd.conf
> ~~~~~
> [domain/linux.intern]
> debug_level=9
> cache_credentials = False
> krb5_store_password_if_offline = False
> ipa_domain = linux.intern
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = linux1.linux.intern
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, ipa1.linux.intern
> ldap_tls_cacert = /etc/ipa/ca.crt
> use_fully_qualified_domains = True
> # For the SUDO integration
> sudo_provider = ldap
> ldap_uri = ldap://ipa1.linux.intern
> ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/linux1.linux.intern
> ldap_sasl_realm = LINUX.INTERN
> krb5_server = ipa1.linux.intern
>
> [sssd]
> debug_level=9
> services = nss, pam, ssh, sudo
> config_file_version = 2
> #default_domain_suffix=aaa.intern
> domains = linux.intern
> [nss]
> debug_level=9
> override_homedir = /home/%u
> override_shell = /bin/bash
> [pam]
> debug_level=9
> [sudo]
>
> [autofs]
>
> [ssh]
> debug_level=9
> [pac]
> debug_level=9
>
> ~~~~
>
>
> I used the following command to create the AD trust:
>
> ipa trust-add --type=ad aaa.intern --admin Administrator
> --password --range-type ipa-ad-trust-posix
>
> Do you need any other debug information?
>
>
> Thanks!
> Gregor
>
> 2014-09-08 9:17 GMT+02:00 Sumit Bose <sbose at redhat.com>:
> > On Sun, Sep 07, 2014 at 11:41:16PM +0200, Gregor Bregenzer wrote:
> >> Hi!
> >>
> >> I have an AD trust with FreeIPA 4.0.1 and defined a HBAC rule for a
> >> specific user group (=ad_users which is an posix group that has an
> >> external group as member) to login on a specific client
> >> (=linux1.linux.intern).
> >>
> >> The problem is: once i disable the rule and the AD user is not allowed
> >> to login anymore, the user on the client gets another uid and gid via
> >> sssd.
> >>
> >> I use the posix attributes from AD, which will get received by sssd perfectly.
> >> The client is running on CentOS 6.5 and uses sssd 1.9.2.129.el6_5.4
> >> AD domain = aaa.intern
> >> IPA domain = linux.intern
> >> AD-User: user1 (uid=1005,gid=10005)
> >>
> >> Here an example:
> >> ----------------------------
> >> 1.) disable the hbac rule and the default allow_all rule:
> >> 2.) check the uid/gid on the client (=linux1.linux.intern) and it looks fine:
> >>
> >> [root at linux1 sssd]# getent passwd user1 at aaa
> >> user1 at aaa.intern:*:10005:10005::/home/user1 at aaa.intern:/bin/bash
> >>
> >> 3.) Login with ssh to client as user1. It will be denied upon correct
> >> password input and ssh sessions closes. Up until now everything as
> >> expected. But now:
> >>
> >> 4.) check for the uid/gid on the client - something totally different.
> >> It now also receives the Firstname and Lastname from AD, latter is
> >> empty:
> >>
> >> [root at linux1 sssd]# getent passwd user1 at aaa
> >> user1 at aaa.intern:*:11601:11601:user1:/home/user1 at aaa.intern:/bin/bash
> >>
> >> 5.) Enable the hbac rule and login works, but the unexpected uid/gid
> >> stays the same:
> >>
> >> login as: user1 at aaa
> >> user1 at aaa@192.168.0.100's password:
> >> login as: user1 at aaa
> >> user1 at aaa@192.168.0.100's password:
> >> Last failed login: Sun Sep 7 23:19:49 CEST 2014 from 192.168.0.26 on ssh:notty
> >> There were 2 failed login attempts since the last successful login.
> >> Creating home directory for user1 at aaa.
> >> Last login: Sun Sep 7 23:21:02 2014 from 192.168.0.26
> >> [user1 at aaa.intern@linux1 ~]$ id
> >> uid=11601(user1 at aaa.intern) gid=11601(user1 at aaa.intern)
> >> Gruppen=11601(user1 at aaa.intern),1933000004(ad_users)
> >> [user1 at aaa.intern@linux1 ~]$
> >> ---------------------------------
> >>
> >> Anyone have a clue what might be the problem?
> >
> > I would expect some kind of collision, but to be sure I need the SSSD
> > log files. Please try to reproduce the switch and send me the log file,
> > if possilbe with debug_level=9.
> >
> > bye,
> > Sumit
> >
> >>
> >> Here's the sssd.conf:
> >> [root at linux1 sssd]# cat /etc/sssd/sssd.conf
> >> [domain/linux.intern]
> >> debug_level=6
> >> cache_credentials = False
> >> krb5_store_password_if_offline = False
> >> ipa_domain = linux.intern
> >> id_provider = ipa
> >> auth_provider = ipa
> >> access_provider = ipa
> >> ipa_hostname = linux1.linux.intern
> >> chpass_provider = ipa
> >> ipa_dyndns_update = True
> >> ipa_server = _srv_, ipa1.linux.intern
> >> ldap_tls_cacert = /etc/ipa/ca.crt
> >> use_fully_qualified_domains = True
> >> # For the SUDO integration
> >> sudo_provider = ldap
> >> ldap_uri = ldap://ipa1.linux.intern
> >> ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern
> >> ldap_sasl_mech = GSSAPI
> >> ldap_sasl_authid = host/linux1.linux.intern
> >> ldap_sasl_realm = LINUX.INTERN
> >> krb5_server = ipa1.linux.intern
> >> entry_cache_sudo_timeout = 30
> >> [sssd]
> >> debug_level=6
> >> services = nss, pam, ssh, sudo
> >> config_file_version = 2
> >> default_domain_suffix=aaa.intern
> >> domains = linux.intern
> >> [nss]
> >> debug_level=9
> >> override_homedir = /home/%u
> >> override_shell = /bin/bash
> >> [pam]
> >> debug_level=6
> >> [sudo]
> >> debug_level=6
> >> [autofs]
> >>
> >> [ssh]
> >> debug_level=6
> >> [pac]
> >>
> >>
> >>
> >> Thanks!
> >> Gregor
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go To http://freeipa.org for more info on the project
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list