** Description changed: [Impact] + From the upstream bug at https://pagure.io/SSSD/sssd/issue/3382: + """ + In IPA-AD trust environment, sssd is intermittently failing to map AD user + group with IPA POSIX group hence getting access denied due to HBAC rules. The issue gets resolved automatically after certain time, without restarting the sssd service. i.e: - * An explanation of the effects of the bug on users and + The IPA HBAC code used to read the group members from the the + originalMemberOf attribute value for performance reasons. However, + especially on IPA clients trusting an AD domain, the originalMemberOf + attribute value is often not synchronized correctly. + """ - * justification for backporting the fix to the stable release. - - * In addition, it is helpful, but not required, to include an - explanation of how the upload fixes this bug. [Test Case] + Coming up with a simple test case is not feasable. Even upstream wasn't able to reliably reproduce the issue in a controlled manner. My best suggestion is for affected users to try the updated package and observe if the incorrect access denied error stops happening. - * detailed instructions how to reproduce the bug - - * these should allow someone who is not familiar with the affected - package to reproduce the bug and verify that the updated package fixes - the problem. + This involves setting up an AD server, a FreeIPA one, creating trust + between them, and nested groups and HBAC rules. Upstream's description + of such a scenario is at + https://github.com/SSSD/sssd/pull/309#issuecomment-318037063 [Regression Potential] - - * discussion of how regressions are most likely to manifest as a result - of this change. - - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the - event of a regression. 
- - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. + The patch changes how group membership in this scenario is computed. It's a complex setup, and we are relying on a) patch has been applied upstream and backported to 1.13; b) user who reported this bug confirmed it fixed the issue with a custom build he did; c) upstream test suite passed; d) dep8 tests (new with this SRU) also pass. [Other Info] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance - + The scenario where the bug happens is too complex to reproduce in a test case, but does happen out in the wild according to this report and also in upstream's bug tracker. I decided to add the DEP8 tests to this update as well to give extra confidence in this and future updates, even though it doesn't exercise this bug in particular. [Original Description] NAME="Ubuntu" VERSION="16.04.3 LTS (Xenial Xerus)" sssd Version: 1.13.4-1ubuntu1.8 I'm sometimes seeing AD users denied access to a machine due to HBAC access rules: (Tue Oct 3 04:11:09 2017) [sssd[be[nwra.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules Upstream suggest applying this commit: https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf That was made on the 1.13 branch but not yet released. More here: https://lists.fedorahosted.org/archives/list/sssd- us...@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/ I'm currently testing out a local package with this patch.
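Review bot: the new [Regression Potential] text lists evidence that the fix is correct (upstream merge, reporter confirmation, upstream test suite, dep8) but never says how a regression would actually manifest, which is exactly what the removed template text asked for. Since the patch changes how HBAC group membership is computed for AD users in an IPA trust, suggest adding that a regression would most likely show up as AD users being wrongly denied (or wrongly allowed) by HBAC rules, visible as the same `[ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules` line in the sssd backend log quoted in the original description, so testers know to check HBAC decisions for AD users that belong to nested IPA groups. Also, `feasable` in [Test Case] should read `feasible`.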
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1722936

Title:
  sssd hbac rule application for AD users is inconsistent

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com