Bug 184464

Summary: security/sssd host auth doesn't work correctly
Product: Ports & Packages Reporter: Andrey <akuz84>
Component: Individual Port(s)Assignee: William Grzybowski <wg>
Status: Closed FIXED    
Severity: Affects Some People CC: feld, lukas.slebodnik, wg
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch to port security/sssd none

Description Andrey 2013-12-03 07:50:00 UTC 
Users are stored in LDAP, for example:
uid=user,ou=accounts,dc=domain,dc=com
cn: John Smith
givenName: John
sn: Smith
uid: jsmith
uid: testuser
homeDirectory: /home/testuser
mail: jsmith@dev.local
loginShell: /bin/bash
userPassword: skiped
tal@amnesiac.net
sshPublicKey: skiped
gidNumber: 20000
uidNumber: 20000
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: ldapPublicKey
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
host: server3.test.com

I use sssd-1.9.6 from ports, in sssd.conf i have:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
Hostname of server: server6.test.com, i expect that the user will not be able
to login via ssh to server server6.test.com ( that scheme works on RHEL 6.x ), but despite ldap_user_authorized_host = host user with record host: server3.test.com able to login to server server6.test.com

How-To-Repeat: Install, configure sssd, openldap, create user in LDAP, add to sssd.conf:
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
try to login to server that is not registered in the users LDAP record
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2013-12-03 07:50:07 UTC 
Maintainer of security/sssd,

Please note that PR ports/184464 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/184464

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2013-12-03 07:50:08 UTC 
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 lukas.slebodnik 2014-06-04 19:30:59 UTC 
Created attachment 143375 [details]
patch to port security/sssd

The issue was discussed with reporter off the bug tracker.                      
The first part of problem was in pam configuration and the second part of       
problem was in pam_sss, because there are differences between openpam and linux-pam. This ticket is related to another one.                  
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=186545                        
                                                                                
Attached patch add argument to pam_sss ignore_authinfo_unavail,                 
it is necessary for successful login of local user if sssd is stopped.
Comment 4 Mark Felder freebsd_committer freebsd_triage 2014-06-12 12:19:52 UTC 
taking bug
Comment 5 commit-hook freebsd_committer freebsd_triage 2014-06-12 14:35:46 UTC 
A commit references this bug:

Author: wg
Date: Thu Jun 12 14:35:02 UTC 2014
New revision: 357602
URL: http://svnweb.freebsd.org/changeset/ports/357602

Log:
  security/sssd: pam fixes

  PR:		184464
  Submitted by:	maintainer

Changes:
  head/security/sssd/Makefile
  head/security/sssd/files/patch-src__man__pam_sss.8.xml
  head/security/sssd/files/patch-src__sss_client__pam_sss.c