[Freeipa-users] HBAC trust groups inconsistent

Mike Berkelaar MBerkelaar at binck.nl
Tue Jan 24 18:43:59 UTC 2017


Hello,

I have been testing Freeipa since 4.2 and am very impressed overall. A pending issue I have not been able to resolve is getting HBAC to work consistently. I’m limited to an AD-trust scenario where AD groups are mapped to Posix groups. While ‘id user at domain’ will return all groups for new queries, or after a reset of the cache and a restart of SSSD, this does not *always* seem to be the case with kerberized HTTP. (http://www.freeipa.org/page/Web_App_Authentication)

With the HBAC rule allowing access from a particular Posix mapped group to a custom service (‘HTTP’) I typically see it sometimes working, and then randomly failing after some delay (minutes – hours), hinting at a cache miss of some sort.

Performing an HTTP GET to the kerberized webserver may at first fail. After a short delay it may sometimes start working out of the blue. In some cases disabling and enabling HBAC rules or performing ‘id user at domain’ helps with sorting the issue. As you can see from the logging the first time SSSD gathers 38 groups, failing to get the Posix mapped group, but a few minutes later getting 39 groups, including the ‘sambatesters’ mapped group that the HBAC rule applies to.

Failing:
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x1000): [38] groups for [user at domain.local]
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=SG_ROLE_PROXY_PROD_Change,OU=Roles,OU=Groups,DC=domain,DC=local]
... * Skipping all underscore_separated_group CNs *
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=* ICT Infrastructure Unix,OU=Distribution,OU=Groups,DC=domain,DC=local]

(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x21a9f4
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x21e99e0
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Running timer event 0x21a9f40 "ltdb_callback"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Destroying timer event 0x21e99e0 "ltdb_timeout"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Ending timer event 0x21a9f40 "ltdb_callback"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x21c90c0
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x21b6e00
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Running timer event 0x21c90c0 "ltdb_callback"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Destroying timer event 0x21b6e00 "ltdb_timeout"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Ending timer event 0x21c90c0 "ltdb_callback"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x21eb880
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x21b6e00
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Running timer event 0x21eb880 "ltdb_callback"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Destroying timer event 0x21b6e00 "ltdb_timeout"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Ending timer event 0x21eb880 "ltdb_callback"
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [be_pam_handler_callback] (0x0100): Sending result [6][domain.local]
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [be_pam_handler_callback] (0x0100): Sent result [6][domain.local]
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [sdap_process_result] (0x2000): Trace: sh[0x21a6b10], connected[1], ops[(nil)], ldap[0x21ab2b0]
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!


Succeeding:
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x1000): [39] groups for [user at domain.local]
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=SG_ROLE_PROXY_PROD_Change,OU=Roles,OU=Groups,DC=domain,DC=local]
...
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=AFD-ICT-DM Change,OU=_SOMEOU,OU=Groups,DC=domain,DC=local]
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x1000): Added group [sambatesters] for user [user at domain.local]

(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x21c8990
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x21b6e00
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Running timer event 0x21c8990 "ltdb_callback"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Destroying timer event 0x21b6e00 "ltdb_timeout"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Ending timer event 0x21c8990 "ltdb_callback"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x21baab0
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x21b62d0
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Running timer event 0x21baab0 "ltdb_callback"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Destroying timer event 0x21b62d0 "ltdb_timeout"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Ending timer event 0x21baab0 "ltdb_callback"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x21baab0
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x21c8990
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Running timer event 0x21baab0 "ltdb_callback"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Destroying timer event 0x21c8990 "ltdb_timeout"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ldb] (0x4000): Ending timer event 0x21baab0 "ltdb_callback"
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [http_filter]
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [be_pam_handler_callback] (0x0100): Sending result [0][domain.local]
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [be_pam_handler_callback] (0x0100): Sent result [0][domain.local]


Current setup is IPA 4.4, Sssd mix of 1.13 (Ubuntu) and 1.14 (Centos 7.3)
IPA SSSD cache mounted on tmpfs
Ignore_group_members = True
Subdomain_inherit = ignore_group_members

The sambatesters Posix group is, as far as I can tell, consistently mapped to the user with SSH logins and by ‘id’. Some AD groups do contain spaces and funny characters (*). I am at a loss with debugging this issue, mainly because groups seem to appear and disappear with GSSAPI sessions at random moments in time.
Does anybody have any idea how to troubleshoot this any further?


Other threads I thought were hinting at a similar issue:
https://www.redhat.com/archives/freeipa-users/2016-July/msg00163.html
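A small helper, added here and not part of the original post, that splits an SSSD domain log into one record per HBAC evaluation and flags the evaluations in which the rule's POSIX-mapped group was never resolved for the user, so the 38-versus-39-group drift shown above can be spotted across a longer log. The sample lines are constructed in the same format as the excerpts in the thread, and the function names are mine.

```python
import re

# Patterns for the sssd_<domain>.log lines quoted above (debug_level showing 0x1000/0x2000 messages)
TS_RE = re.compile(r"^\((?P<ts>[^)]+)\)")
COUNT_RE = re.compile(r"\[hbac_eval_user_element\] \(0x1000\): \[(?P<n>\d+)\] groups for \[(?P<user>[^\]]+)\]")
ADDED_RE = re.compile(r"Added group \[(?P<g>[^\]]+)\] for user")
RESULT_RE = re.compile(r"\[ipa_hbac_evaluate_rules\] .*Access (?P<res>denied|granted)")

# Constructed sample in the same format as the two excerpts in the thread (not a real capture)
SAMPLE_LOG = """\
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x1000): [38] groups for [user at domain.local]
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x2000): Skipping non-group memberOf [CN=SG_ROLE_PROXY_PROD_Change,OU=Roles,OU=Groups,DC=domain,DC=local]
(Tue Jan 24 19:05:42 2017) [sssd[be[unix.domain.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x1000): [39] groups for [user at domain.local]
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [hbac_eval_user_element] (0x1000): Added group [sambatesters] for user [user at domain.local]
(Tue Jan 24 19:06:58 2017) [sssd[be[unix.domain.local]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [http_filter]
"""

def parse_hbac_evaluations(log_text):
    # One record per evaluation: opened by the '[N] groups for [user]' line and
    # closed by the 'Access denied/granted' verdict; 'Added group' lines in between belong to it.
    evals, cur = [], None
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        m = COUNT_RE.search(line)
        if m:
            cur = {"ts": ts["ts"], "user": m["user"], "group_count": int(m["n"]),
                   "added": [], "result": None}
            evals.append(cur)
        elif cur is not None and (m := ADDED_RE.search(line)):
            cur["added"].append(m["g"])
        elif cur is not None and (m := RESULT_RE.search(line)):
            cur["result"] = m["res"]
            cur = None  # the verdict closes the record
    return evals

def evaluations_missing_group(evals, group):
    # Evaluations where the POSIX-mapped group the HBAC rule relies on was never resolved
    return [e for e in evals if group not in e["added"]]

def group_count_drift(evals):
    # Per user, the distinct group counts seen across evaluations; more than one value means inconsistent resolution
    seen = {}
    for e in evals:
        seen.setdefault(e["user"], set()).add(e["group_count"])
    return {u: sorted(c) for u, c in seen.items() if len(c) > 1}
```

Feed the contents of the real sssd_<domain>.log to parse_hbac_evaluations and pass the result to evaluations_missing_group with the rule's group name to list the timestamps at which the group was absent.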

