sssd hbac rule application for AD users is inconsistent

Bug #1722936 reported by Orion-cora on 2017-10-11
This bug affects 1 person
Affects: sssd (Ubuntu)

Bug Description

From the upstream bug at
In IPA-AD trust environment, sssd is intermittently failing to map AD user
group with IPA POSIX group hence getting access denied due to HBAC rules. The issue gets resolved automatically after certain time, without restarting the sssd service. i.e.:

The IPA HBAC code used to read the group members from the
originalMemberOf attribute value for performance reasons. However,
especially on IPA clients trusting an AD domain, the originalMemberOf
attribute value is often not synchronized correctly.

[Test Case]
Coming up with a simple test case is not feasible. Even upstream wasn't able to reliably reproduce the issue in a controlled manner. My best suggestion is for affected users to try the updated package and observe if the incorrect access denied error stops happening.

This involves setting up an AD server, a FreeIPA one, creating trust between them, and nested groups and HBAC rules. Upstream's description of such a scenario is at

[Regression Potential]
The patch changes how group membership in this scenario is computed. It's a complex setup, and we are relying on a) patch has been applied upstream and backported to 1.13; b) user who reported this bug confirmed it fixed the issue with a custom build he did; c) upstream test suite passed; d) dep8 tests (new with this SRU) also pass.

[Other Info]
The scenario where the bug happens is too complex to reproduce in a test case, but does happen out in the wild according to this report and also in upstream's bug tracker. I decided to add the DEP8 tests to this update as well to give extra confidence in this and future updates, even though it doesn't exercise this bug in particular.

[Original Description]
VERSION="16.04.3 LTS (Xenial Xerus)"

sssd Version: 1.13.4-1ubuntu1.8

I'm sometimes seeing AD users denied access to a machine due to HBAC access rules:

(Tue Oct 3 04:11:09 2017) [sssd[be[]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

Upstream suggests applying this commit:

That was made on the 1.13 branch but not yet released. More here:

https://<email address hidden>/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/

I'm currently testing out a local package with this patch.
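The description above explains the root cause: HBAC evaluation took the user's group list from the cached originalMemberOf attribute, which on IPA clients trusting an AD domain is often out of sync with the real group graph, so a user who is a member of the IPA POSIX group through a nested AD group is intermittently denied. The following is an added, simplified model of that situation, not sssd or FreeIPA code; all users, groups, hosts and rule names are constructed. It evaluates one HBAC rule twice, once against a stale cached membership list and once against membership resolved by walking the nested group graph, and includes a small desync check an administrator could use as a sanity test when comparing what the cache says with what the directory says.

```python
"""Model of HBAC evaluation with two group-membership sources (added example).

Not sssd/FreeIPA code. All identifiers below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)        # direct user members
    member_groups: set = field(default_factory=set)  # nested groups by name (may be external AD groups)


# Constructed directory: the IPA POSIX group 'ipa-devs' contains the external
# AD group 'ad-devs', which is where the AD user is actually a member.
DIRECTORY = {
    "ad-devs": Group("ad-devs", members={"alice@ad.example.test"}),
    "ipa-devs": Group("ipa-devs", member_groups={"ad-devs"}),
    "ipa-ops": Group("ipa-ops", members={"bob@ipa.example.test"}),
}


@dataclass
class HbacRule:
    name: str
    user_groups: set
    hosts: set
    services: set


# One constructed allow rule: members of ipa-devs may use sshd on dev01.
RULES = [HbacRule("allow_devs_ssh", {"ipa-devs"}, {"dev01.example.test"}, {"sshd"})]

# Constructed stale cache standing in for originalMemberOf: the AD user's entry
# only lists the AD group, the IPA group it is nested in was never synchronized.
STALE_CACHE = {"alice@ad.example.test": {"ad-devs"}}


def resolve_groups(user, directory):
    """Return every group containing the user directly or through nesting.

    Iterates until no new group is added, so arbitrary nesting depth is handled.
    """
    result = set()
    changed = True
    while changed:
        changed = False
        for g in directory.values():
            if g.name in result:
                continue
            if user in g.members or (g.member_groups & result):
                result.add(g.name)
                changed = True
    return result


def evaluate(user_groups, host, service, rules):
    """Allow-only HBAC evaluation: first matching rule wins; none matching means deny."""
    for r in rules:
        if host in r.hosts and service in r.services and (user_groups & r.user_groups):
            return True, r.name
    return False, None


def evaluate_from_cache(user, host, service, cache=STALE_CACHE, rules=RULES):
    """The pre-fix behaviour: trust the cached membership list as-is."""
    return evaluate(cache.get(user, set()), host, service, rules)


def evaluate_resolved(user, host, service, directory=DIRECTORY, rules=RULES):
    """The corrected behaviour: derive membership from the group graph."""
    return evaluate(resolve_groups(user, directory), host, service, rules)


def find_desync(user, directory=DIRECTORY, cache=STALE_CACHE):
    """Groups the user really belongs to but the cache does not list."""
    return resolve_groups(user, directory) - cache.get(user, set())


if __name__ == "__main__":
    u = "alice@ad.example.test"
    print("cached  :", evaluate_from_cache(u, "dev01.example.test", "sshd"))
    print("resolved:", evaluate_resolved(u, "dev01.example.test", "sshd"))
    print("missing from cache:", find_desync(u))
```

Run as-is it shows the AD user denied from the stale cache and allowed once membership is resolved through the nested group, with `find_desync` naming the IPA group the cache lacks. The same comparison, done with real tools on an affected client (the group list from `id user@ad.domain` against the groups the HBAC rule references), is the practical way to confirm whether a denial like the one logged in this report is a genuine rule mismatch or a membership desync.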


Andreas Hasenack (ahasenack) wrote :

Thanks for filing this bug in Ubuntu.

It looks like you are familiar with Ubuntu/Debian development. Do you think you would be able to make a merge proposal against this git branch for xenial?

If you are familiar with git and Ubuntu development, you can use our git workflow and the git-ubuntu helper tool.

Something like this, on a fresh xenial VM to show the setup steps:

$ sudo snap install git-ubuntu --classic
$ mkdir -p git/packages
$ cd git/packages
$ git ubuntu clone sssd
$ cd sssd
$ git checkout -b xenial-sssd-hbac-rule-1722936 pkg/ubuntu/xenial-devel

code away

$ git ubuntu submit

More information about this tool can be found in this blog post:

Changed in sssd (Ubuntu):
status: New → Triaged
importance: Undecided → Low
tags: added: bitesize
Orion-cora (orion-cora) wrote :

I just started to try to do this - but it looks like the pkg/ubuntu/xenial-devel branch is at 1.13.4-1ubuntu1.8, but 1.13.4-1ubuntu1.9 has been released. Can that branch be updated?

Andreas Hasenack (ahasenack) wrote :

Hm, you are right, something must have happened with the importer. I'll email ubuntu-server@ requesting for that branch to be updated and the importer checked.

Andreas Hasenack (ahasenack) wrote :

we restarted the importer and it's catching up. Should be up-to-date soon, later today.

I beg your pardon as it is great to see people participate.
Of course in those cases all kinds of usual teething troubles hit :-/

I took the importer from beta and ran it test-wise - it imported it just fine.
So I ran it again including a push to the repo.
A subsequent git ubuntu clone had the most recent version as it should have had.

I hope this unblocks you.

Andreas Hasenack (ahasenack) wrote :

Your freeipa server, is that on ubuntu or redhat/centos/fedora?

I deployed ubuntu's latest freeipa package (in bionic), but ran into some issues that I think come from some rh'isms that do not apply to debian systems and couldn't add a trust relationship to my test AD server. My next step would be to use a fedora vm and deploy freeipa there.

Orion-cora (orion-cora) wrote :

Server is EL 7.4.

Timo Aaltonen (tjaalton) wrote :

please file bugs for RH'isms you find in freeipa, I have no AD to test against

that said, 4.6.2 will soon hit bionic

Thanks Timo, will do.

On Wed, Jan 3, 2018 at 6:50 AM, Timo Aaltonen <email address hidden> wrote:

> please file bugs for RH'isms you find in freeipa, I have no AD to test
> against
> that said, 4.6.2 will soon hit bionic

Robie Basak (racb) on 2019-02-07
tags: added: server-next
Andreas Hasenack (ahasenack) wrote :

Thank you. This fell through last time, apologies for that. I'm taking a look today.

Orion-cora (orion-cora) wrote :

Thank you. I'll probably have another one after this to deal with issues with sssh key lookup fixed by

Andreas Hasenack (ahasenack) wrote :

I also chose to bring in the DEP8 tests we added to the package in later ubuntu releases, to give more confidence in this and upcoming SRUs.

description: updated
description: updated
Timo Aaltonen (tjaalton) wrote :

should be fixed in bionic and up

Changed in sssd (Ubuntu):
status: Triaged → Fix Released
Changed in sssd (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial

Hello Orion-cora, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Andreas Hasenack (ahasenack) wrote :

This update will soon be removed from proposed if there is no testing done.

@orion-cora, I know you submitted this mp a long time ago, we lost it, then you submitted again, and we thank you for that. Do you think you could try out the packages from -proposed?

Orion-cora (orion-cora) wrote :

I've installed the version from -proposed now. So far so good.

Orion-cora (orion-cora) wrote :

Actually, there seems to be a conflict with freeaip-client (+python-ipaclient python-ipalib python-libipa-hba) and this version of sssd.

Orion-cora (orion-cora) wrote :

Sorry - freeipa-client

Andreas Hasenack (ahasenack) wrote :

What kind of conflict?

Are all your packages from ubuntu xenial?

Orion-cora (orion-cora) wrote :

Hmm, perhaps I was just missing all the different -proposed repositories - as after adding universe and multiverse I don't seem to have the problem any more

Changed in sssd (Ubuntu Xenial):
importance: Undecided → Low
Andreas Hasenack (ahasenack) wrote :

Hi @orion-cora, if everything is still fine, would you mind adjusting the tags in this bug according to comment #16? Thanks

Orion-cora (orion-cora) on 2019-04-29
tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.13

sssd (1.13.4-1ubuntu1.13) xenial; urgency=medium

  [Orion Poplawski]
  * Add upstream HBAC patch. Closes LP: #1722936.

  [Andreas Hasenack]
  * d/t/{common-tests,control,ldap-user-group-*-auth,login.exp,util}: add DEP8
    tests from later releases of Ubuntu (LP: #1793882)

 -- Andreas Hasenack <email address hidden> Fri, 08 Feb 2019 15:08:44 -0200

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
