[Bug 1722936] Re: sssd hbac rule applicaton for AD users is inconsistent
** Description changed:

  [Impact]

+ From the upstream bug at https://pagure.io/SSSD/sssd/issue/3382:
+ """
+ In IPA-AD trust environment, sssd is intermittently failing to map AD user
+ group with IPA POSIX group hence getting access denied due to HBAC rules. The issue gets resolved automatically after certain time, without restarting the sssd service. i.e:
- * An explanation of the effects of the bug on users and
+ The IPA HBAC code used to read the group members from the
+ originalMemberOf attribute value for performance reasons. However,
+ especially on IPA clients trusting an AD domain, the originalMemberOf
+ attribute value is often not synchronized correctly.
+ """
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
-explanation of how the upload fixes this bug.

  [Test Case]

+ Coming up with a simple test case is not feasible. Even upstream wasn't able to reliably reproduce the issue in a controlled manner. My best suggestion is for affected users to try the updated package and observe if the incorrect access denied error stops happening.
- * detailed instructions how to reproduce the bug
-
- * these should allow someone who is not familiar with the affected
-package to reproduce the bug and verify that the updated package fixes
-the problem.
+ This involves setting up an AD server, a FreeIPA one, creating trust
+ between them, and nested groups and HBAC rules. Upstream's description
+ of such a scenario is at
+ https://github.com/SSSD/sssd/pull/309#issuecomment-318037063

  [Regression Potential]
-
- * discussion of how regressions are most likely to manifest as a result
- of this change.
-
- * It is assumed that any SRU candidate patch is well-tested before
-upload and has a low overall risk of regression, but it's important
-to make the effort to think about what ''could'' happen in the
-event of a regression.
-
- * This both shows the SRU team that the risks have been considered,
-and provides guidance to testers in regression-testing the SRU.
+ The patch changes how group membership in this scenario is computed. It's a complex setup, and we are relying on a) patch has been applied upstream and backported to 1.13; b) user who reported this bug confirmed it fixed the issue with a custom build he did; c) upstream test suite passed; d) dep8 tests (new with this SRU) also pass.

  [Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
-
+ The scenario where the bug happens is too complex to reproduce in a test case, but does happen out in the wild according to this report and also in upstream's bug tracker. I decided to add the DEP8 tests to this update as well to give extra confidence in this and future updates, even though it doesn't exercise this bug in particular.

  [Original Description]

NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"

sssd Version: 1.13.4-1ubuntu1.8

I'm sometimes seeing AD users denied access to a machine due to HBAC access rules:

(Tue Oct 3 04:11:09 2017) [sssd[be[nwra.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

Upstream suggest applying this commit:
https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf

That was made on the 1.13 branch but not yet released. More here:
https://lists.fedorahosted.org/archives/list/sssd- us...@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/

I'm currently testing out a local package with this patch.

--
You received this bug notification because you are a member of Ubuntu Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1722936

Title:
  sssd hbac rule applicaton for AD users is inconsistent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1722936/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1722936] Re: sssd hbac rule applicaton for AD users is inconsistent
** Description changed:

+ [Impact]
+
+ * An explanation of the effects of the bug on users and
+
+ * justification for backporting the fix to the stable release.
+
+ * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+
+ [Test Case]
+
+ * detailed instructions how to reproduce the bug
+
+ * these should allow someone who is not familiar with the affected
+package to reproduce the bug and verify that the updated package fixes
+the problem.
+
+ [Regression Potential]
+
+ * discussion of how regressions are most likely to manifest as a result
+ of this change.
+
+ * It is assumed that any SRU candidate patch is well-tested before
+upload and has a low overall risk of regression, but it's important
+to make the effort to think about what ''could'' happen in the
+event of a regression.
+
+ * This both shows the SRU team that the risks have been considered,
+and provides guidance to testers in regression-testing the SRU.
+
+ [Other Info]
+
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
+ * and address these questions in advance
+
+
+ [Original Description]
+
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"

sssd Version: 1.13.4-1ubuntu1.8

I'm sometimes seeing AD users denied access to a machine due to HBAC access rules:

(Tue Oct 3 04:11:09 2017) [sssd[be[nwra.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

Upstream suggest applying this commit:
https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf

That was made on the 1.13 branch but not yet released. More here:
https://lists.fedorahosted.org/archives/list/sssd- us...@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/

I'm currently testing out a local package with this patch.
https://bugs.launchpad.net/bugs/1722936

Title:
  sssd hbac rule applicaton for AD users is inconsistent
[Bug 1108935] Re: [MIR] websockify, spice-html5
** Also affects: nova (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: nova (Ubuntu)
       Status: New => Triaged

** Changed in: nova (Ubuntu)
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1108935

Title:
  [MIR] websockify, spice-html5
[Bug 1722936] Re: sssd hbac rule applicaton for AD users is inconsistent
I also chose to bring in the DEP8 tests we added to the package in later ubuntu releases, to give more confidence in this and upcoming SRUs.

https://bugs.launchpad.net/bugs/1722936

Title:
  sssd hbac rule applicaton for AD users is inconsistent
[Bug 1722936] Re: sssd hbac rule applicaton for AD users is inconsistent
Thank you. This fell through last time, apologies for that. I'm taking a look today.

https://bugs.launchpad.net/bugs/1722936

Title:
  sssd hbac rule applicaton for AD users is inconsistent
[Bug 1770532] Re: DKIM signing not working in bionic
** Merge proposal unlinked:
   https://code.launchpad.net/~kstenerud/ubuntu/+source/amavisd-new/+git/amavisd-new/+merge/362855

https://bugs.launchpad.net/bugs/1770532

Title:
  DKIM signing not working in bionic
[Bug 1814900] Re: Please merge 1:2.11.0-5 into disco
** Merge proposal linked:
   https://code.launchpad.net/~kstenerud/ubuntu/+source/amavisd-new/+git/amavisd-new/+merge/362855

** Changed in: amavisd-new (Ubuntu)
     Assignee: (unassigned) => Karl Stenerud (kstenerud)

** Changed in: amavisd-new (Ubuntu)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1814900

Title:
  Please merge 1:2.11.0-5 into disco