Activity log for bug #1722936

Date Who What changed Old value New value Message
2017-10-11 21:44:48 Orion-cora bug added bug
2017-10-13 20:35:51 Andreas Hasenack sssd (Ubuntu): status New Triaged
2017-10-13 20:35:58 Andreas Hasenack sssd (Ubuntu): importance Undecided Low
2017-10-13 20:36:08 Andreas Hasenack tags bitesize
2017-11-27 16:55:59 Launchpad Janitor merge proposal linked https://code.launchpad.net/~orion-cora/ubuntu/+source/sssd/+git/sssd/+merge/334317
2019-02-06 22:41:37 Launchpad Janitor merge proposal linked https://code.launchpad.net/~orion-cora/ubuntu/+source/sssd/+git/sssd/+merge/362837
2019-02-07 10:49:48 Robie Basak bug added subscriber Ubuntu Server
2019-02-07 10:50:28 Robie Basak tags bitesize bitesize server-next
2019-02-07 19:58:24 Andreas Hasenack description

Old value:

NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
sssd Version: 1.13.4-1ubuntu1.8

I'm sometimes seeing AD users denied access to a machine due to HBAC access rules:

(Tue Oct 3 04:11:09 2017) [sssd[be[nwra.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

Upstream suggest applying this commit:

https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf

That was made on the 1.13 branch but not yet released. More here:

https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/

I'm currently testing out a local package with this patch.

New value:

[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug.

[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
sssd Version: 1.13.4-1ubuntu1.8

I'm sometimes seeing AD users denied access to a machine due to HBAC access rules:

(Tue Oct 3 04:11:09 2017) [sssd[be[nwra.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

Upstream suggest applying this commit:

https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf

That was made on the 1.13 branch but not yet released. More here:

https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/

I'm currently testing out a local package with this patch.
2019-02-07 20:08:34 Andreas Hasenack description

Old value:

[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug.

[Test Case]
* detailed instructions how to reproduce the bug
* these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem.

[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression.
* This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.

[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance

[Original Description]
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
sssd Version: 1.13.4-1ubuntu1.8

I'm sometimes seeing AD users denied access to a machine due to HBAC access rules:

(Tue Oct 3 04:11:09 2017) [sssd[be[nwra.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

Upstream suggest applying this commit:

https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf

That was made on the 1.13 branch but not yet released. More here:

https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/

I'm currently testing out a local package with this patch.

New value:

[Impact]
From the upstream bug at https://pagure.io/SSSD/sssd/issue/3382:
"""
In IPA-AD trust environment, sssd is intermittently failing to map AD user group with IPA POSIX group hence getting access denied due to HBAC rules. The issue gets resolved automatically after certain time, without restarting the sssd service.

i.e: The IPA HBAC code used to read the group members from the originalMemberOf attribute value for performance reasons. However, especially on IPA clients trusting an AD domain, the originalMemberOf attribute value is often not synchronized correctly.
"""

[Test Case]
Coming up with a simple test case is not feasible. Even upstream wasn't able to reliably reproduce the issue in a controlled manner. My best suggestion is for affected users to try the updated package and observe if the incorrect access denied error stops happening.

This involves setting up an AD server, a FreeIPA one, creating trust between them, and nested groups and HBAC rules. Upstream's description of such a scenario is at https://github.com/SSSD/sssd/pull/309#issuecomment-318037063

[Regression Potential]
The patch changes how group membership in this scenario is computed. It's a complex setup, and we are relying on
a) patch has been applied upstream and backported to 1.13;
b) user who reported this bug confirmed it fixed the issue with a custom build he did;
c) upstream test suite passed;
d) dep8 tests (new with this SRU) also pass.

[Other Info]
The scenario where the bug happens is too complex to reproduce in a test case, but does happen out in the wild according to this report and also in upstream's bug tracker.
I decided to add the DEP8 tests to this update as well to give extra confidence in this and future updates, even though it doesn't exercise this bug in particular.

[Original Description]
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
sssd Version: 1.13.4-1ubuntu1.8

I'm sometimes seeing AD users denied access to a machine due to HBAC access rules:

(Tue Oct 3 04:11:09 2017) [sssd[be[nwra.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules

Upstream suggest applying this commit:

https://pagure.io/SSSD/sssd/c/88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf

That was made on the 1.13 branch but not yet released. More here:

https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/message/YIHC2C6JDNQLYMW7K7IXQKKIIRMO3QER/

I'm currently testing out a local package with this patch.
2019-03-08 11:16:36 Timo Aaltonen nominated for series Ubuntu Xenial
2019-03-08 11:16:36 Timo Aaltonen bug task added sssd (Ubuntu Xenial)
2019-03-08 11:17:06 Timo Aaltonen sssd (Ubuntu): status Triaged Fix Released
2019-03-08 11:17:35 Timo Aaltonen sssd (Ubuntu Xenial): status New Fix Committed
2019-03-08 11:17:36 Timo Aaltonen bug added subscriber Ubuntu Stable Release Updates Team
2019-03-08 11:17:39 Timo Aaltonen bug added subscriber SRU Verification
2019-03-08 11:17:42 Timo Aaltonen tags bitesize server-next bitesize server-next verification-needed verification-needed-xenial
2019-04-13 20:48:20 Mathew Hodson sssd (Ubuntu Xenial): importance Undecided Low
2019-04-29 15:59:10 Orion-cora tags bitesize server-next verification-needed verification-needed-xenial bitesize server-next verification-done-xenial verification-needed
2019-04-30 15:54:14 Launchpad Janitor sssd (Ubuntu Xenial): status Fix Committed Fix Released
2019-04-30 15:54:30 Brian Murray removed subscriber Ubuntu Stable Release Updates Team