
ad: gpo evaluate host groups #7107

Closed (4 commits)

Conversation

sumit-bose (Contributor)

With this patch the group memberships of the client running SSSD are
included in the evaluation of the security filtering. Similar to AD, the
host object is more or less handled as a user object, which allows skipping
some code dedicated to computers only.

Resolves: #5708

@alexey-tikhonov added the labels Bugzilla and backport-to-stable (Targets also latest stable branch) on Dec 22, 2023
@thalman (Contributor) left a comment

Looks good, see my nitpicking comment.

Thanks

Review comment on src/providers/ad/ad_gpo.c (outdated, resolved)

@justin-stephenson (Contributor) left a comment

Ack, thank you.

@thalman (Contributor) left a comment

ACK, thanks for the Patch

@alexey-tikhonov (Member) commented Jan 8, 2024

test_sss_overrides__overriding_username_and_posix_attributes (samba) failed in previous run

 >       assert client.auth.ssh.password("user1", "Secret123")
E       AssertionError: assert False
E        +  where False = <function SSHAuthenticationUtils.password at 0x7f813578add0>('user1', 'Secret123')
E        +    where <function SSHAuthenticationUtils.password at 0x7f813578add0> = <sssd_test_framework.utils.authentication.SSHAuthenticationUtils object at 0x7f81350debc0>.password
E        +      where <sssd_test_framework.utils.authentication.SSHAuthenticationUtils object at 0x7f81350debc0> = <sssd_test_framework.utils.authentication.AuthenticationUtils object at 0x7f81350de4a0>.ssh
E        +        where <sssd_test_framework.utils.authentication.AuthenticationUtils object at 0x7f81350de4a0> = <sssd_test_framework.roles.client.Client object at 0x7f81350dd2a0>.auth

@alexey-tikhonov (Member)

test_sss_overrides__overriding_username_and_posix_attributes (samba) failed in previous run

It failed again (all platforms):

client.test Executing command #7544
      Host: client.test
      Shell: /usr/bin/bash -c
      User: root
      Command: su --shell /bin/sh nobody -c "/bin/expect -d"
      Input: |

                    # It takes some time to get authentication failure
                    set timeout 20
                    set prompt "\n.*\[#\$>\] $"

                    spawn ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
                        -o PreferredAuthentications=password \
                        -o NumberOfPasswordPrompts=1 \
                        -l "user1" localhost

                    expect {
                        "password:" {send "Secret123\n"}
                        timeout {puts "expect result: Unexpected output"; exit 201}
                        eof {puts "expect result: Unexpected end of file"; exit 202}
                    }

                    expect {
                        -re $prompt {puts "expect result: Password authentication successful"; exit 0}
                        "user1@localhost: Permission denied" {puts "expect result: Authentication failure"; exit 1}
                        "Connection closed by UNKNOWN port 65535" {puts "expect result: Connection closed"; exit 2}
                        timeout {puts "expect result: Unexpected output"; exit 201}
                        eof {puts "expect result: Unexpected end of file"; exit 202}
                    }

                    puts "expect result: Unexpected code path"
                    exit 203

      Working directory: None
      Extra environment:

  client.test Previous command completed with exit code 2
      Output: |
        spawn ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -o NumberOfPasswordPrompts=1 -l user1 localhost
        Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.^M                                                    user1@localhost's password: 
        Connection closed by UNKNOWN port 65535
        expect result: Connection closed
      Error output: |
        expect version 5.45.4
        argv[0] = /bin/expect  argv[1] = -d  
        set argc 0
        set argv0 "/bin/expect"
        set argv ""
        executing commands from command file
        parent: waiting for sync byte
        parent: telling child to go ahead
        parent: now unsynchronized from child
        spawn: returns {252376}

        expect: does "" (spawn_id exp3) match glob pattern "password:"? no

        expect: does "Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.\r\r\n" (spawn_id exp3) match glob pattern "password:"? no

        expect: does "Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.\r\r\n\ruser1@localhost's password: " (spawn_id exp3) match glob pattern "password:"? yes
        expect: set expect_out(0,string) "password:"
        expect: set expect_out(spawn_id) "exp3"
        expect: set expect_out(buffer) "Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.\r\r\n\ruser1@localhost's password:"
        send: sending "Secret123\n" to { exp3 }
        Gate keeper glob pattern for 
        .*[#$>] $' is 
        * '. Activating booster

        expect: does " " (spawn_id exp3) match regular expression "\n.*[#$>] $"? Gate "\n* "? gate=no
        "user1@localhost: Permission denied"? no
        "Connection closed by UNKNOWN port 65535"? no

        expect: does " \r\n" (spawn_id exp3) match regular expression "\n.*[#$>] $"? Gate "\n* "? gate=no
        "user1@localhost: Permission denied"? no
        "Connection closed by UNKNOWN port 65535"? no

        expect: does " \r\nConnection closed by UNKNOWN port 65535\r\r\n" (spawn_id exp3) match regular expression "\n.*[#$>] $"? Gate "\n* "? gate=yes re=no
        "user1@localhost: Permission denied"? no
        "Connection closed by UNKNOWN port 65535"? yes
        expect: set expect_out(0,string) "Connection closed by UNKNOWN port 65535"
        expect: set expect_out(spawn_id) "exp3"
        expect: set expect_out(buffer) " \r\nConnection closed by UNKNOWN port 65535"

@sumit-bose, please take a look.

@alexey-tikhonov (Member)

SSSD logs:

  • sssd_pam.log:
(2024-01-08 16:03:00): [pam] [pam_initgr_check_timeout] (0x2000): [CID#2] User [user1] found in PAM cache.
(2024-01-08 16:03:00): [pam] [pam_dp_send_req] (0x0100): [CID#2] Sending request with the following data:
(2024-01-08 16:03:00): [pam] [pam_print_data] (0x0100): [CID#2] command: SSS_PAM_ACCT_MGMT
(2024-01-08 16:03:00): [pam] [pam_print_data] (0x0100): [CID#2] domain: test
(2024-01-08 16:03:00): [pam] [pam_print_data] (0x0100): [CID#2] user: user1@test
...
(2024-01-08 16:03:00): [pam] [pam_dom_forwarder] (0x0100): [CID#2] pam_dp_send_req returned 0
...
(2024-01-08 16:03:00): [pam] [pam_dp_send_req_done] (0x0200): [CID#2] received: [4 (System error)][test]
(2024-01-08 16:03:00): [pam] [pam_reply] (0x4000): [CID#2] pam_reply initially called with result [4]: System error. this result might be changed during processing
(2024-01-08 16:03:00): [pam] [pam_reply] (0x0400): [CID#2] Local auth policy allowed: smartcard [False], passkey [True]
(2024-01-08 16:03:00): [pam] [pam_reply] (0x0200): [CID#2] blen: 21
(2024-01-08 16:03:00): [pam] [pam_reply] (0x0200): [CID#2] Returning [4]: System error to the client
  • domain log:
[dp_attach_req] (0x0400): [RID#9] DP Request [PAM Account #9]: REQ_TRACE: New request. [sssd.pam CID #2] Flags [0000].
[dp_attach_req] (0x0400): [RID#9] Number of active DP request: 1
[sss_domain_get_state] (0x1000): [RID#9] Domain test is Active
[sdap_access_send] (0x0400): [RID#9] Performing access check for user [user1@test]
[sdap_account_expired_ad] (0x0400): [RID#9] Performing AD access check for user [user1@test]
[sdap_account_expired_ad] (0x4000): [RID#9] User account control for user [user1@test] is [200].
[sdap_account_expired_ad] (0x4000): [RID#9] Expiration time for user [user1@test] is [9223372036854775807].
[ad_gpo_access_send] (0x0400): [RID#9] service sshd maps to Remote Interactive
[sdap_id_op_connect_step] (0x4000): [RID#9] reusing cached connection
[sdap_id_conn_data_not_idle] (0x4000): [RID#9] Marking connection as not idle
[ad_gpo_connect_done] (0x4000): [RID#9] server_hostname from uri: dc.samba.test
[ad_gpo_connect_done] (0x0400): [RID#9] sam_account_name is CLIENT$
[sdap_id_op_connect_step] (0x4000): [RID#9] reusing cached connection
[sdap_id_conn_data_not_idle] (0x4000): [RID#9] Marking connection as not idle
[sdap_get_initgr_send] (0x4000): [RID#9] Retrieving info for initgroups call
[get_ldap_conn_from_sdom_pvt] (0x4000): [RID#9] Returning LDAP connection for user lookup.
[sdap_id_op_connect_step] (0x4000): [RID#9] reusing cached connection
[sdap_id_conn_data_not_idle] (0x4000): [RID#9] Marking connection as not idle
[sdap_get_initgr_next_base] (0x0400): [RID#9] Searching for users with base [DC=samba,DC=test]
[sdap_print_server] (0x2000): [RID#9] Searching 172.16.100.30:389
[sdap_get_generic_ext_step] (0x0400): [RID#9] calling ldap_search_ext with [(&(sAMAccountName=CLIENT$)(objectclass=user)(&(uidNumber=*)(!(uidNumber=0))))][DC=samba,DC=test].
[sdap_get_generic_ext_step] (0x1000): [RID#9] Requesting attrs: [objectClass]
[sdap_get_generic_ext_step] (0x1000): [RID#9] Requesting attrs: [sAMAccountName]
...
[sdap_get_generic_ext_step] (0x1000): [RID#9] Requesting attrs: [altSecurityIdentities]
[sdap_get_generic_ext_step] (0x2000): [RID#9] ldap_search_ext called, msgid = 14
[sdap_op_add] (0x2000): [RID#9] New operation 14 timeout 6
[sdap_process_result] (0x2000): Trace: sh[0x55eabd36e8a0], connected[1], ops[0x55eabd390110], ldap[0x55eabd31bee0]
[sdap_process_message] (0x4000): [RID#9] Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): [RID#9] Additional References: ldap://samba.test/CN=Configuration,DC=samba,DC=test
[sdap_process_result] (0x2000): Trace: sh[0x55eabd36e8a0], connected[1], ops[0x55eabd390110], ldap[0x55eabd31bee0]
[sdap_process_message] (0x4000): [RID#9] Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): [RID#9] Additional References: ldap://samba.test/DC=DomainDnsZones,DC=samba,DC=test
[sdap_process_result] (0x2000): Trace: sh[0x55eabd36e8a0], connected[1], ops[0x55eabd390110], ldap[0x55eabd31bee0]
[sdap_process_message] (0x4000): [RID#9] Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): [RID#9] Additional References: ldap://samba.test/DC=ForestDnsZones,DC=samba,DC=test
[sdap_process_result] (0x2000): Trace: sh[0x55eabd36e8a0], connected[1], ops[0x55eabd390110], ldap[0x55eabd31bee0]
[sdap_process_message] (0x4000): [RID#9] Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_op_finished] (0x0400): [RID#9] Search result: Success(0), no errmsg set
[sdap_op_destructor] (0x2000): [RID#9] Operation 14 finished
[generic_ext_search_handler] (0x4000): [RID#9] Request included referrals which were ignored.
[generic_ext_search_handler] (0x4000): [RID#9]     Ref: ldap://samba.test/CN=Configuration,DC=samba,DC=test
[generic_ext_search_handler] (0x4000): [RID#9]     Ref: ldap://samba.test/DC=DomainDnsZones,DC=samba,DC=test
[generic_ext_search_handler] (0x4000): [RID#9]     Ref: ldap://samba.test/DC=ForestDnsZones,DC=samba,DC=test
[sdap_get_initgr_user] (0x4000): [RID#9] Receiving info for the user
[sdap_id_op_destroy] (0x4000): [RID#9] releasing operation connection
[sdap_id_op_done] (0x4000): [RID#9] releasing operation connection
[sysdb_search_user_by_upn] (0x0400): [RID#9] No entry with upn [CLIENT$@test] found.
[sysdb_search_entry_by_sid_str] (0x0400): [RID#9] No such entry
[sysdb_search_object_attr] (0x0400): [RID#9] No such entry.
[sysdb_get_real_name] (0x0400): [RID#9] User [CLIENT$@test] is missing in cache
[groups_by_user_done] (0x2000): [RID#9] Failed to canonicalize name, using [CLIENT$@test] [2]: No such file or directory.
[sysdb_search_by_name] (0x0400): [RID#9] No such entry
[sysdb_cache_search_groups] (0x2000): [RID#9] Search groups with filter: (&(objectCategory=group)(ghost=CLIENT$@test))
[sysdb_cache_search_groups] (0x2000): [RID#9] No such entry
[sysdb_delete_user] (0x0400): [RID#9] Error: 2 (No such file or directory)
[ad_gpo_target_dn_retrieval_done] (0x0040): [RID#9] Unexpected number [0] of results searching for [CLIENT$], expected 1.
[sdap_id_op_destroy] (0x4000): [RID#9] releasing operation connection
[sdap_id_conn_data_idle] (0x4000): [RID#9] Marking connection as idle
[ad_gpo_access_done] (0x0040): [RID#9] GPO-based access control failed.

@alexey-tikhonov (Member)

sam_account_name is CLIENT$ looks weird - like host instead of user object...

@sumit-bose (Contributor, Author)

sam_account_name is CLIENT$ looks weird - like host instead of user object...

Hi,

no, this is ok. The issue is the (&(uidNumber=*)(!(uidNumber=0)) part of the filter, since the test is using ldap_id_mapping = False and the host does not need to have a UID or GID assigned. I'll try to fix this.

bye,
Sumit

@alexey-tikhonov (Member)

sam_account_name is CLIENT$ looks weird - like host instead of user object...

no, this is ok. The issue is the (&(uidNumber=*)(!(uidNumber=0)) part of the filter, since the test is using ldap_id_mapping = False and the host does not need to have a UID or GID assigned. I'll try to fix this.

Is this host object lookup?

Searching for users with base [DC=samba,DC=test] looks a bit misleading...

With this patch the group memberships of the client running SSSD are
included in the evaluation of the security filtering. Similar to AD,
the host object is more or less handled as a user object, which allows
skipping some code dedicated to computers only.

Resolves: SSSD#5708
The related calls are not needed anymore.

Resolves: SSSD#5708
@alexey-tikhonov (Member)

test_sss_overrides__overriding_username_and_posix_attributes (samba) still fails.

@sumit-bose (Contributor, Author)

Hi,

it's still failing, will extend the fix.

bye,
Sumit

This patch adds a new parameter set_non_posix to the user and group
lookup calls. Currently the domain type is used to determine if the
search should be restricted to POSIX objects or not. The new option
allows dropping this restriction explicitly to look up non-POSIX objects.

Resolves: SSSD#5708
@sumit-bose (Contributor, Author)

Hi,

test_sss_overrides__overriding_username_and_posix_attributes (samba) is passing now. The changes are completely in the new fourth patch.

bye,
Sumit
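The filter problem Sumit describes above (the `(&(uidNumber=*)(!(uidNumber=0)))` clause dropping the computer account when ldap_id_mapping = False) and the set_non_posix parameter from the fourth patch, as an added Python example that is not SSSD code: a small evaluator for the LDAP filter subset seen in the domain log, run against a constructed two-entry directory. The filter string is the one from the log; `build_user_filter`, `parse_filter`, `matches`, `search` and the sample entries are my own stand-ins, not SSSD's sdap or sysdb functions, and the parameter name is only borrowed from the commit message.

```python
"""Toy LDAP filter evaluator showing why the POSIX clause hides CLIENT$.

Added example, not SSSD code. The filter text matches the ldap_search_ext
call in the domain log of this thread; everything else is constructed.
"""


def parse_filter(text: str):
    """Parse an RFC 4515 subset: (&...), (|...), (!...), (attr=value), (attr=*)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(text: str, pos: int):
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    if not attr or value == "":
        raise ValueError(f"bad filter item at offset {pos}")
    # Attribute names are case-insensitive in LDAP; store them lower-cased.
    return ("=", attr.lower(), value), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry (lower-cased, multi-valued attrs)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":            # presence filter: attribute has any value
        return bool(values)
    return any(str(v).lower() == value.lower() for v in values)


def build_user_filter(sam_account_name: str, set_non_posix: bool = False) -> str:
    """Stand-in for the sdap user lookup filter; the POSIX clause is the one from the log."""
    base = f"(&(sAMAccountName={sam_account_name})(objectclass=user)"
    if set_non_posix:
        return base + ")"
    # Restrict to POSIX users: uidNumber must be present and not 0.
    return base + "(&(uidNumber=*)(!(uidNumber=0))))"


def search(entries, flt: str):
    """Return the DNs of all entries matching the filter string."""
    node = parse_filter(flt)
    return [e["dn"] for e in entries if matches(node, e)]


# Constructed sample directory (not real data): one POSIX user and the
# client's computer account, which carries no uidNumber when id mapping is off.
DIRECTORY = [
    {"dn": "CN=user1,CN=Users,DC=samba,DC=test",
     "objectclass": ["top", "person", "user"],
     "samaccountname": ["user1"], "uidnumber": ["10001"]},
    {"dn": "CN=CLIENT,CN=Computers,DC=samba,DC=test",
     "objectclass": ["top", "person", "user", "computer"],
     "samaccountname": ["CLIENT$"]},
]


if __name__ == "__main__":
    for non_posix in (False, True):
        flt = build_user_filter("CLIENT$", set_non_posix=non_posix)
        print(f"set_non_posix={non_posix}: {flt}")
        print("  ->", search(DIRECTORY, flt) or "0 results (the failure in the log)")
```

With the POSIX clause the host entry yields zero results, which is exactly the "Unexpected number [0] of results searching for [CLIENT$]" line in the log; dropping the clause via set_non_posix returns the computer object while still requiring objectclass=user.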

@thalman (Contributor) left a comment

ACK for added commit.
Thanks Sumit

@justin-stephenson (Contributor) left a comment

Ack, thank you.

@alexey-tikhonov (Member)

F40 fails aren't relevant.

@alexey-tikhonov (Member)

Pushed PR: #7107

  • master
    • 5f63d9b - sdap: add set_non_posix parameter
    • ff23e7e - sysdb: remove sysdb_computer.[ch]
    • c02e09a - ad: gpo evalute host groups
    • 9b73614 - LDAP: make groups_by_user_send/recv public
  • sssd-2-9
    • f5ce7c1 - sdap: add set_non_posix parameter
    • dda0f2e - sysdb: remove sysdb_computer.[ch]
    • 09dcc73 - ad: gpo evalute host groups
    • 936b828 - LDAP: make groups_by_user_send/recv public

Labels: backport-to-stable (Targets also latest stable branch), Bugzilla, Pushed

Linked issue: SSSD incorrectly works with AD GPO during user login

4 participants