[Bug 1722936] Re: sssd hbac rule application for AD users is inconsistent
Andreas Hasenack
andreas at canonical.com
Thu Feb 7 20:08:34 UTC 2019
** Description changed:
[Impact]
+ From the upstream bug at https://pagure.io/SSSD/sssd/issue/3382:
+ """
+ In IPA-AD trust environment, sssd is intermittently failing to map AD user
+ group with IPA POSIX group hence getting access denied due to HBAC rules. The issue gets resolved automatically after certain time, without restarting the sssd service. i.e:
- * An explanation of the effects of the bug on users and
+ The IPA HBAC code used to read the group members from the the
+ originalMemberOf attribute value for performance reasons. However,
+ especially on IPA clients trusting an AD domain, the originalMemberOf
+ attribute value is often not synchronized correctly.
+ """
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
[Test Case]
+ Coming up with a simple test case is not feasible. Even upstream wasn't able to reliably reproduce the issue in a controlled manner. My best suggestion is for affected users to try the updated package and observe if the incorrect access denied error stops happening.
- * detailed instructions how to reproduce the bug
-
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ This involves setting up an AD server, a FreeIPA one, creating trust
+ between them, and nested groups and HBAC rules. Upstream's description
+ of such a scenario is at
+ https://github.com/SSSD/sssd/pull/309#issuecomment-318037063
[Regression Potential]
-
- * discussion of how regressions are most likely to manifest as a result
- of this change.
-
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ The patch changes how group membership in this scenario is computed. It's a complex setup, and we are relying on a) patch has been applied upstream and backported to 1.13; b) user who reported this bug confirmed it fixed the issue with a custom build he did; c) upstream test suite passed; d) dep8 tests (new with this SRU) also pass.
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
-
+ The scenario where the bug happens is too complex to reproduce in a test case, but does happen out in the wild according to this report and also in upstream's bug tracker. I decided to add the DEP8 tests to this update as well to give extra confidence in this and future updates, even though it doesn't exercise this bug in particular.
[Original Description]
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
sssd Version: 1.13.4-1ubuntu1.8
I'm sometimes seeing AD users denied access to a machine due to HBAC
access rules:
(Tue Oct 3 04:11:09 2017) [sssd[be[nwra.com]]]
[ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
Upstream suggest applying this commit:
https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf
That was made on the 1.13 branch but not yet released. More here:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/
I'm currently testing out a local package with this patch.
https://bugs.launchpad.net/bugs/1722936
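The [Impact] section above describes two ways of arriving at an AD user's IPA group membership: the fast path that trusts the cached originalMemberOf attribute, and the authoritative path that walks the group entries' member lists. The following is an added illustration of why those two paths can disagree and produce the intermittent HBAC denial; it is not code from sssd or from this bug report. The directory entries, DNs and the HBAC rule are constructed, and the model is deliberately simplified (sssd's real nesting resolution goes through SIDs and the IPA server's trust machinery, which is not modelled here). The `stale_cache_entries` helper is the kind of consistency check an administrator could run against a dump of cached and live entries.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Entry:
    """A minimal LDAP-like entry. Group entries carry 'member'; the cached
    user entry carries 'original_member_of' (sssd's originalMemberOf)."""
    dn: str
    member: list[str] = field(default_factory=list)
    original_member_of: list[str] = field(default_factory=list)


# Constructed DNs (hypothetical, not taken from the report).
AD_USER = "cn=jdoe,cn=users,dc=ad,dc=example"
AD_GROUP = "cn=linux-admins,cn=users,dc=ad,dc=example"
IPA_EXT_GROUP = "cn=ad_admins_external,cn=groups,cn=accounts,dc=ipa,dc=example"
IPA_POSIX_GROUP = "cn=ad_admins,cn=groups,cn=accounts,dc=ipa,dc=example"
HBAC_RULE_GROUPS = {IPA_POSIX_GROUP}  # the group an HBAC rule grants access to


def build_sample():
    """AD user -> AD group -> IPA external group -> IPA POSIX group.
    The cached originalMemberOf on the user has not yet picked up the IPA
    groups, which is the unsynchronised state the bug report describes."""
    user = Entry(AD_USER, original_member_of=[AD_GROUP])
    groups = {
        AD_GROUP: Entry(AD_GROUP, member=[AD_USER]),
        IPA_EXT_GROUP: Entry(IPA_EXT_GROUP, member=[AD_GROUP]),
        IPA_POSIX_GROUP: Entry(IPA_POSIX_GROUP, member=[IPA_EXT_GROUP]),
    }
    return user, groups


def groups_from_original_member_of(user: Entry) -> set[str]:
    """Fast path: trust whatever the cached attribute says."""
    return set(user.original_member_of)


def groups_from_member_lists(dn: str, groups: dict[str, Entry]) -> set[str]:
    """Authoritative path: follow member lists transitively through nested groups."""
    result: set[str] = set()
    frontier = [dn]
    while frontier:
        current = frontier.pop()
        for gdn, group in groups.items():
            if current in group.member and gdn not in result:
                result.add(gdn)
                frontier.append(gdn)
    return result


def hbac_allows(rule_groups: set[str], user_groups: set[str]) -> bool:
    """A rule matches if the user is in any group the rule names."""
    return bool(rule_groups & user_groups)


def stale_cache_entries(user: Entry, groups: dict[str, Entry]) -> set[str]:
    """Groups the member lists place the user in but originalMemberOf lacks."""
    return groups_from_member_lists(user.dn, groups) - groups_from_original_member_of(user)


def evaluate_both() -> tuple[bool, bool]:
    """Return (decision via originalMemberOf, decision via member lists)."""
    user, groups = build_sample()
    cached = hbac_allows(HBAC_RULE_GROUPS, groups_from_original_member_of(user))
    walked = hbac_allows(HBAC_RULE_GROUPS, groups_from_member_lists(user.dn, groups))
    return cached, walked


if __name__ == "__main__":
    cached, walked = evaluate_both()
    print(f"HBAC via originalMemberOf: {'allow' if cached else 'deny'}")
    print(f"HBAC via member lists:     {'allow' if walked else 'deny'}")
    print("groups missing from cache:", sorted(stale_cache_entries(*build_sample())))
```

Run as-is, the cached path denies the user while the walked path allows them, which is exactly the "access denied by HBAC rules" the reporter saw; once the cache catches up (originalMemberOf gains the IPA groups), both paths agree and the denial disappears on its own, matching the "resolves automatically after certain time" behaviour quoted from upstream.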