URL: https://github.com/SSSD/sssd/pull/5881
Author: scabrero
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails
Action: opened
PR body:
"""
In an attribute scoped query it may happen that sssd doesn't have permissions to
read the entry referenced by the attribute, for example when it is located under a
restricted LDAP sub-tree for security reasons.

In this scenario sssd fails to resolve the group because the referenced
entry can't be parsed, and this can lead to missing groups and breaks using
the group in the simple access provider.

This patch changes the ASQ entry parser to not return an error when
it is not possible to parse an entry.
The issue can be replicated by deploying this AD setup:

CN=users,DC=aforest,DC=ad

CN=g1,CN=users,DC=aforest,DC=ad
    member: CN=g2,CN=users,DC=aforest,DC=ad
    member: CN=g3,CN=users,DC=aforest,DC=ad
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user1,CN=users,DC=aforest,DC=ad

CN=g2,CN=users,DC=aforest,DC=ad
    member: CN=g3,CN=users,DC=aforest,DC=ad
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad

CN=g3,CN=users,DC=aforest,DC=ad <-- Deny access to sssd account
    member: CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad

CN=g4,CN=users,DC=aforest,DC=ad
    member: CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad

CN=g5,CN=users,DC=aforest,DC=ad
    member: CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g4,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad

CN=user1,CN=users,DC=aforest,DC=ad
    memberOf: CN=g1,CN=users,DC=aforest,DC=ad

CN=user2,CN=users,DC=aforest,DC=ad
    memberOf: CN=g2,CN=users,DC=aforest,DC=ad

CN=user3,CN=users,DC=aforest,DC=ad
    memberOf: CN=g3,CN=users,DC=aforest,DC=ad

CN=user4,CN=users,DC=aforest,DC=ad
    memberOf: CN=g4,CN=users,DC=aforest,DC=ad

CN=user5,CN=users,DC=aforest,DC=ad
    memberOf: CN=g5,CN=users,DC=aforest,DC=ad
And using this sssd.conf
-------------------------------------------------------------------------------
[sssd]
config_file_version = 2
services = nss, pam
domains = aforest.ad
[nss]
[pam]
[domain/aforest.ad]
auth_provider = ad
id_provider = ad
access_provider = simple
simple_allow_groups = g1
ldap_deref_threshold = 1
debug_level = 10
-------------------------------------------------------------------------------
In this setup sssd can't resolve group 'g1' because it fails parsing one
of the referenced members, 'g3':
$> getent group g1
No output.
$> id user5
uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,1862001109(s-1-5-21-3230380732-2157500517-2047582823-1109),1862001113(g5),1862001110(s-1-5-21-3230380732-2157500517-2047582823-1110),1862001112(g4)
When the group is used to filter access it does not work:
...
[simple_access_check_send] (0x0200): [RID#7] Simple access check for user1@aforest.ad
...
[simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230380732-2157500517-2047582823-1109)(objectClass=group)(sAMAccountName=*))][DC=aforest,DC=ad].
...
[sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into hash table [groups]
[sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,DC=ad]
...
[sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold
[sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC=aforest,DC=ad]
[sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=aforest,DC=ad]
[sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ
[sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using ASQ
...
[sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users,DC=aforest,DC=ad].
...
[sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3,CN=Users,DC=aforest,DC=ad]!
[sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed.
[sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3
[generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid argument
[sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument
[sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Invalid argument
[sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument]
...
[simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed
...
[simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done.
[simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1@aforest.ad
[simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue.
[simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g1@aforest.ad]
[simple_access_check_done] (0x2000): [RID#9] Group check done
[simple_access_check_recv] (0x1000): [RID#9] Access not granted
...
Resolves: https://github.com/SSSD/sssd/issues/4893
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5881/head:pr5881
git checkout pr5881
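The failure mode this PR describes, modelled as an added Python example (this is not sssd's code and does not use its API): an ASQ dereference of a group's member attribute returns one result entry per referenced DN, and an entry the bind account may not read comes back without attributes, so the client-side parser finds no objectClass. The directory content mirrors the PR's reproducer; the ACL model (a set of DNs the client is denied) and the names asq_search, parse_entry and dereference_members are assumptions made for the example. The strict policy reproduces the pre-patch outcome (no members at all, so the group cannot be resolved); the tolerant policy skips the unreadable entry and returns the rest.

```python
"""
Model of an LDAP Attribute Scoped Query (ASQ) dereference with two parser
policies: strict (any unparseable referenced entry fails the whole search)
and tolerant (unreadable entries are logged and skipped).

Added illustration, not sssd code. The directory is constructed from the
PR's AD layout; the ACL model is an assumption made for this example.
"""
import logging
from typing import Dict, List, Optional, Set, Tuple

log = logging.getLogger("asq-demo")

Entry = Dict[str, List[str]]

# Constructed directory mirroring the PR description (attributes abbreviated).
DIRECTORY: Dict[str, Entry] = {
    "CN=g1,CN=users,DC=aforest,DC=ad": {
        "objectClass": ["group"],
        "member": [
            "CN=g2,CN=users,DC=aforest,DC=ad",
            "CN=g3,CN=users,DC=aforest,DC=ad",
            "CN=g4,CN=users,DC=aforest,DC=ad",
            "CN=g5,CN=users,DC=aforest,DC=ad",
            "CN=user1,CN=users,DC=aforest,DC=ad",
        ],
    },
    "CN=g2,CN=users,DC=aforest,DC=ad": {"objectClass": ["group"]},
    "CN=g3,CN=users,DC=aforest,DC=ad": {"objectClass": ["group"]},
    "CN=g4,CN=users,DC=aforest,DC=ad": {"objectClass": ["group"]},
    "CN=g5,CN=users,DC=aforest,DC=ad": {"objectClass": ["group"]},
    "CN=user1,CN=users,DC=aforest,DC=ad": {"objectClass": ["user"]},
}

# Assumption for the example: the sssd bind account is denied read access
# to g3, as in the PR's reproducer ("Deny access to sssd account").
DENIED_TO_CLIENT: Set[str] = {"CN=g3,CN=users,DC=aforest,DC=ad"}


def asq_search(directory: Dict[str, Entry], base_dn: str, attr: str,
               denied: Set[str]) -> List[Tuple[str, Entry]]:
    """Server side of an ASQ search (simulated): one result entry per DN
    referenced by ``attr`` of ``base_dn``. A referenced entry the client may
    not read is returned as its DN with no attributes, which is what yields
    the "no objectClass found" error seen in the PR's log."""
    results = []
    for dn in directory[base_dn].get(attr, []):
        if dn in denied or dn not in directory:
            results.append((dn, {}))
        else:
            results.append((dn, directory[dn]))
    return results


class ParseError(Exception):
    """Raised when a dereferenced entry cannot be classified."""


def parse_entry(dn: str, attrs: Entry) -> Dict[str, str]:
    """Client-side classification of a dereferenced entry (group or user)."""
    classes = attrs.get("objectClass")
    if not classes:
        raise ParseError(f"Unknown entry type, no objectClass found for DN [{dn}]!")
    kind = "group" if "group" in classes else "user"
    return {"dn": dn, "type": kind}


def dereference_members(directory: Dict[str, Entry], group_dn: str,
                        denied: Set[str], tolerant: bool) -> Optional[List[Dict[str, str]]]:
    """Run the ASQ dereference and parse every result.

    tolerant=False models the pre-patch behaviour: the first parse failure
    aborts the whole search and the caller gets None (no members at all).
    tolerant=True models the patched behaviour: the unparseable entry is
    logged and skipped, and the remaining members are returned."""
    members = []
    for dn, attrs in asq_search(directory, group_dn, "member", denied):
        try:
            members.append(parse_entry(dn, attrs))
        except ParseError as exc:
            if not tolerant:
                log.error("reply parsing callback failed: %s", exc)
                return None
            log.warning("Skipping unreadable referenced entry: %s", exc)
    return members


def member_dns(result: Optional[List[Dict[str, str]]]) -> Optional[List[str]]:
    """Flatten a dereference result to its DNs (None stays None)."""
    return None if result is None else [m["dn"] for m in result]
```

Note that even with the tolerant policy the client still does not learn g3's own membership, so users who are members only through the unreadable group remain unresolved; the fix keeps the group usable, it does not grant visibility the bind account lacks.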
URL: https://github.com/SSSD/sssd/pull/5674
Author: ikerexxe
Title: #5674: [WIP] This is just a test
Action: opened
PR body:
"""
This is just a test for Deepak's latest PR, which fails in CI.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5674/head:pr5674
git checkout pr5674
URL: https://github.com/SSSD/sssd/pull/5830
Author: aborah-sudo
Title: #5830: Tests: Port the old ns_account_lock.sh script to pytest
Action: opened
PR body:
"""
Port the old ns_account_lock.sh script to pytest
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5830/head:pr5830
git checkout pr5830
URL: https://github.com/SSSD/sssd/pull/5786
Author: jakub-vavra-cz
Title: #5786: Tests: [SSSD-3579]: Skip test test_0018_bz1734040.
Action: opened
PR body:
"""
The test does not work even with fixes for RHEL-9,
skipping for now so it is not blocking RHEL-9 gating,
until proper fix is found.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5786/head:pr5786
git checkout pr5786
URL: https://github.com/SSSD/sssd/pull/5863
Author: justin-stephenson
Title: #5863: Responder and Child process tevent chain id improvements
Action: opened
PR body:
"""
This PR adds the following tevent chain ID functionality:
* Add tevent chain ID logic into responders (log messages with tag [CID #])
* Add ability to parse child log files by passing the backend request ID into child processes and setting the chain ID inside the child.
The sss_chain_id getter/setter functions are moved into their own source file (removing the dependency on tevent), and some small changes to the analyzer are needed.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5863/head:pr5863
git checkout pr5863
URL: https://github.com/SSSD/sssd/pull/5845
Author: stanislavlevin
Title: #5845: sss-analyze: Fix self imports
Action: opened
PR body:
"""
- fixed self imports to allow any other Python code to use the `sssd`
Python package
- `sssd` Python package transformed from a namespace package to a regular one
- moved the executable out to the sbin directory to split the library from the
actual executable (sbin because only root can read sssd logs)
Resolves: https://github.com/SSSD/sssd/issues/5842
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5845/head:pr5845
git checkout pr5845
URL: https://github.com/SSSD/sssd/pull/5894
Author: ikerexxe
Title: #5894: contrib: sssd krb5 configuration snippet
Action: opened
PR body:
"""
Add a configuration snippet for krb5 that points to the folder where the
sssd configuration for this service is located.
Resolves: https://github.com/SSSD/sssd/issues/5893
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5894/head:pr5894
git checkout pr5894
URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
Title: #5867: usertools: force local user for sssd process user
Action: opened
PR body:
"""
System hardening by forcing the sssd user to be loaded from a local database (/etc/passwd) instead of using any remote user. This could happen in very special conditions and might change the owner of the sssd databases and generate a denial of service.
Moreover, clarify the user option in sssd.conf, as it accepts both the user name and the id as input. The only constraint is that the user must be present in the local database (/etc/passwd).
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
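The hardening this PR describes, as an added Python example (not sssd's code): resolving the service account only from the local passwd file, accepting either a name or a numeric id. A lookup through pwd.getpwnam() would go through NSS and could be answered by a remote identity source, which is the condition the PR wants to rule out; parsing the file directly avoids that. The function names, the passwd sample and the rule that an all-digit spec is treated as a uid are assumptions made for the example.

```python
"""
Resolve a service account strictly from a local passwd(5) file, never via
NSS. Added illustration of the hardening described in PR #5867; not sssd
code. The sample passwd content below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class LocalUser:
    name: str
    uid: int
    gid: int


def parse_passwd(lines: Iterable[str]) -> List[LocalUser]:
    """Parse passwd(5) lines (name:pw:uid:gid:gecos:home:shell).
    Blank, comment and malformed lines are skipped rather than trusted."""
    users = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        try:
            users.append(LocalUser(name, int(uid), int(gid)))
        except ValueError:
            continue  # non-numeric uid/gid: not a usable entry
    return users


def find_local_user(spec: str, lines: Iterable[str]) -> Optional[LocalUser]:
    """Look up `spec` only in the given passwd lines.

    Assumption for the example: an all-digit spec is a uid, anything else is
    a user name. Returns None when the user is not in the local file, which
    is the case a caller should treat as a configuration error instead of
    falling back to a remote lookup."""
    users = parse_passwd(lines)
    if spec.isdigit():
        uid = int(spec)
        for user in users:
            if user.uid == uid:
                return user
        return None
    for user in users:
        if user.name == spec:
            return user
    return None


def load_local_user(spec: str, path: str = "/etc/passwd") -> Optional[LocalUser]:
    """Convenience wrapper that reads the real passwd file."""
    with open(path, encoding="utf-8") as fh:
        return find_local_user(spec, fh)


# Constructed sample: a local root and a local sssd service user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# a comment line and a malformed line are ignored
broken:x:notanumber:0:bad:/:/sbin/nologin
sssd:x:990:988:User for sssd:/run/sssd:/sbin/nologin
"""


def lookup_in_sample(spec: str) -> Optional[LocalUser]:
    """Run the lookup against the constructed sample instead of /etc/passwd."""
    return find_local_user(spec, SAMPLE_PASSWD.splitlines())
```

The point of returning None rather than retrying through NSS is that the owner of the sssd databases is decided before any remote provider is consulted; a mis-spelled or non-local user is then a startup error, not a silent switch to whatever account the remote directory happens to return.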