[Group.of.nepali.translators] [Bug 1722936] Re: sssd hbac rule application for AD users is inconsistent

2019-04-30 Thread Launchpad Bug Tracker
This bug was fixed in the package sssd - 1.13.4-1ubuntu1.13

---
sssd (1.13.4-1ubuntu1.13) xenial; urgency=medium

  [Orion Poplawski]
  * Add upstream HBAC patch.  Closes LP: #1722936.

  [Andreas Hasenack]
  * d/t/{common-tests,control,ldap-user-group-*-auth,login.exp,util}: add DEP8
    tests from later releases of Ubuntu (LP: #1793882)

 -- Andreas Hasenack  Fri, 08 Feb 2019 15:08:44 -0200

** Changed in: sssd (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1722936

Title:
  sssd hbac rule application for AD users is inconsistent

Status in sssd package in Ubuntu:
  Fix Released
Status in sssd source package in Xenial:
  Fix Released

Bug description:
  [Impact]
  From the upstream bug at https://pagure.io/SSSD/sssd/issue/3382:
  """
  In IPA-AD trust environment, sssd is intermittently failing to map AD user
  group with IPA POSIX group hence getting access denied due to HBAC rules.
  The issue gets resolved automatically after certain time, without
  restarting the sssd service. i.e:

  The IPA HBAC code used to read the group members from the
  originalMemberOf attribute value for performance reasons. However,
  especially on IPA clients trusting an AD domain, the originalMemberOf
  attribute value is often not synchronized correctly.
  """

  
  [Test Case]
  Coming up with a simple test case is not feasible. Even upstream wasn't
  able to reliably reproduce the issue in a controlled manner. My best
  suggestion is for affected users to try the updated package and observe if
  the incorrect access denied error stops happening.

  This involves setting up an AD server, a FreeIPA one, creating trust
  between them, and nested groups and HBAC rules. Upstream's description
  of such a scenario is at
  https://github.com/SSSD/sssd/pull/309#issuecomment-318037063

  [Regression Potential]
  The patch changes how group membership in this scenario is computed. It's
  a complex setup, and we are relying on a) patch has been applied upstream
  and backported to 1.13; b) user who reported this bug confirmed it fixed
  the issue with a custom build he did; c) upstream test suite passed;
  d) dep8 tests (new with this SRU) also pass.

  [Other Info]
  The scenario where the bug happens is too complex to reproduce in a test
  case, but does happen out in the wild according to this report and also in
  upstream's bug tracker. I decided to add the DEP8 tests to this update as
  well to give extra confidence in this and future updates, even though it
  doesn't exercise this bug in particular.

  [Original Description]
  NAME="Ubuntu"
  VERSION="16.04.3 LTS (Xenial Xerus)"

  sssd Version: 1.13.4-1ubuntu1.8

  I'm sometimes seeing AD users denied access to a machine due to HBAC
  access rules:

  (Tue Oct  3 04:11:09 2017) [sssd[be[nwra.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

  Upstream suggests applying this commit:

  https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf

  That was made on the 1.13 branch but not yet released.  More here:

  https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/

  I'm currently testing out a local package with this patch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1722936/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
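
Added example, not part of the bug report or of sssd: a small parser for the domain log line quoted in the original description. It groups "Access denied by HBAC rules" entries into episodes and counts any logged after the fixed package was installed, which is the observation the test case asks for. The sample lines, `example.com`, `other_function`, the 30-minute gap and the upgrade time are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Line layout taken from the log excerpt in the bug report (unwrapped to one line).
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamp; assumes English day/month names
DENIAL = "Access denied by HBAC rules"

def hbac_denials(lines):
    """Return sorted (timestamp, domain) pairs, one per HBAC denial line."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["func"] == "ipa_hbac_evaluate_rules" and DENIAL in m["msg"]:
            found.append((datetime.strptime(m["ts"], TS_FMT), m["domain"]))
    return sorted(found)

def episodes(denials, gap=timedelta(minutes=30)):
    """Per domain, merge denials at most `gap` apart into (start, end, count) runs."""
    runs = {}
    for ts, domain in denials:
        r = runs.setdefault(domain, [])
        if r and ts - r[-1][1] <= gap:
            r[-1] = (r[-1][0], ts, r[-1][2] + 1)
        else:
            r.append((ts, ts, 1))
    return runs

def denials_since(denials, upgraded_at):
    """Denials logged at or after the time the fixed package was installed."""
    return [d for d in denials if d[0] >= upgraded_at]

# Constructed sample in the report's format; example.com and other_function are made up.
SAMPLE = """\
(Tue Oct  3 04:11:09 2017) [sssd[be[example.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Tue Oct  3 04:12:40 2017) [sssd[be[example.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
(Tue Oct  3 04:13:00 2017) [sssd[be[example.com]]] [other_function] (0x0400): constructed non-denial line
(Tue Oct  3 09:30:00 2017) [sssd[be[example.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules
""".splitlines()

if __name__ == "__main__":
    found = hbac_denials(SAMPLE)
    for domain, runs in episodes(found).items():
        for start, end, count in runs:
            print(f"{domain}: {count} denial(s) from {start} to {end}")
    print("since upgrade:", len(denials_since(found, datetime(2017, 10, 3, 12, 0))))
```

A denial that the HBAC rules really intend produces the same log line, so each episode still has to be checked against the rules that apply to the affected users.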


[Group.of.nepali.translators] [Bug 1722936] Re: sssd hbac rule application for AD users is inconsistent

2019-03-08 Thread Timo Aaltonen
Should be fixed in bionic and up.

** Also affects: sssd (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: sssd (Ubuntu)
   Status: Triaged => Fix Released

** Changed in: sssd (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-xenial


Title:
  sssd hbac rule application for AD users is inconsistent

Status in sssd package in Ubuntu:
  Fix Released
Status in sssd source package in Xenial:
  Fix Committed
