Trusted domain user logins succeed after using ipa trustdomain-disable #4006

Closed
pbrezina opened this issue Apr 28, 2020 · 0 comments

@pbrezina (Owner):

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4078

  • Created at 2019-09-05 11:58:58 by sbose
  • Closed at 2019-09-26 10:43:39 as Fixed
  • Assigned to sbose

Ticket was cloned from Red Hat Bugzilla: Bug 1530741

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
I am unsure if this is an IPA, SSSD, or documentation bug but in an IPA - AD
Trust environment disabling a trusted AD domain with 'ipa trustdomain-disable'
does not prevent trusted AD users from logging in with SSSD.

If this is expected behavior, please clarify the use of 'ipa
trustdomain-disable' for Red Hat customers. From the ipa help, it is not
exactly clear what this means - 'Disable use of IPA resources by the domain of
the trust'

Also, ideally SSSD would ignore these disabled domains to improve non-cached
lookup speed/performance of AD objects in environments with many domains.

The current behavior end-result is that customers are disabling domains they do
not need to resolve AD objects from, but it is not making any noticeable
changes unless the trusted domains are removed completely with 'ipa
trustdomain-del'.

Version-Release number of selected component (if applicable):
IPA Server 4.5
SSSD 1.15

How reproducible:
Always

Steps to Reproduce:
1. Disable trusted AD domain with ipa trustdomain-disable
2. Restart SSSD and clear SSSD cache
3. Attempt to login with trusted AD domain user

Actual results:
Login succeeds

Expected results:
Would expect login to fail

Additional info:
This impacts customers establishing IPA - AD trusts with AD forest root
containing a large number of domains
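The reproduction steps above can be turned into a repeatable check on an IPA client: list the trust domains that IPA reports as disabled and verify that a user from each of them no longer resolves. The script below is an added example for this page, not code from the SSSD project or from the ticket. It assumes the text layout of `ipa trustdomain-find` shown in the embedded sample (the sample output, domain names and SIDs are constructed for the example), uses `getent passwd` as the lookup that a login would perform, and takes the user name to probe as a parameter.

```shell
#!/bin/sh
# Added example (not part of the SSSD ticket): audit disabled trust domains
# and check whether their users still resolve on an IPA client after
# `ipa trustdomain-disable`, `sss_cache -E` and `systemctl restart sssd`.

# Constructed sample of `ipa trustdomain-find ad.example.com` output.
# On a real client replace it with: FIND_OUTPUT=$(ipa trustdomain-find ad.example.com)
SAMPLE_TRUSTDOMAIN_FIND='----------------------------
2 trust domains matched
----------------------------
  Domain name: ad.example.com
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1111111111-2222222222-3333333333
  Domain enabled: True

  Domain name: child.ad.example.com
  Domain NetBIOS name: CHILD
  Domain Security Identifier: S-1-5-21-4444444444-5555555555-6666666666
  Domain enabled: False
----------------------------
Number of entries returned 2
----------------------------'

# Print the names of the trust domains whose "Domain enabled" flag is False.
# $1 = text output of `ipa trustdomain-find`.
disabled_domains() {
  printf '%s\n' "$1" | awk '
    /^ *Domain name:/    { name = $3 }
    /^ *Domain enabled:/ { if ($3 == "False") print name }'
}

# For every disabled domain, look up $user@$domain with the lookup command
# given as $2 (default: getent passwd). A user that still resolves is the
# behaviour the ticket reports as a bug, so it is printed as FAIL and the
# function returns 1; returns 0 when no disabled-domain user resolves.
# $1 = trustdomain-find output, $2 = lookup command, $3 = user to probe.
check_disabled_domains() {
  find_output=$1
  lookup=${2:-"getent passwd"}
  user=${3:-administrator}
  status=0
  for dom in $(disabled_domains "$find_output"); do
    if $lookup "$user@$dom" >/dev/null 2>&1; then
      echo "FAIL: $user@$dom still resolves although $dom is disabled"
      status=1
    else
      echo "ok: $user@$dom not resolved"
    fi
  done
  return $status
}

# Usage against the sample with the host's real getent; on an affected client
# (SSSD 1.15 / IPA 4.5 as in the report) the FAIL line appears.
check_disabled_domains "$SAMPLE_TRUSTDOMAIN_FIND" || echo "disabled domains still resolve users"
```

Run it after clearing the cache (`sss_cache -E`) and restarting SSSD so that a cached entry from before the domain was disabled does not mask the result; a `FAIL` line for a domain that `ipa trustdomain-find` shows as disabled reproduces the behaviour described in the ticket.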

Comments


Comment from sbose at 2019-09-05 11:59:00

Metadata Update from @sbose:


Comment from sbose at 2019-09-05 11:59:19

Metadata Update from @sbose:

  • Issue assigned to sbose

Comment from sbose at 2019-09-13 10:50:41

PR: SSSD/sssd#884


Comment from sbose at 2019-09-13 10:50:59

Metadata Update from @sbose:

  • Custom field patch adjusted to on

Comment from sbose at 2019-09-20 10:29:14

Commit fa3e53bb relates to this ticket


Comment from sbose at 2019-09-20 10:29:15

Commit b12e7a49 relates to this ticket


Comment from sbose at 2019-09-20 10:29:15

Commit 13297b8a relates to this ticket


Comment from sbose at 2019-09-20 10:29:15

Commit 3c871a3f relates to this ticket


Comment from sbose at 2019-09-20 10:29:16

Commit 2e161487 relates to this ticket


Comment from sbose at 2019-09-20 10:30:40

  • master
    • fa3e53bb9ad18358989d625af4a0d8cbeb428458 - ipa: delete content of disabled domains
    • b12e7a495408635016a2ebf645448a630222d1be - sysdb: add sysdb_subdomain_content_delete()
    • 13297b8aa1486d3a5b18c69c0a81f1802d9bb131 - ipa: ignore objects from disabled domains on the client
    • 3c871a3f707733845e040a0043a5105f975f2fba - ipa: support disabled domains
    • 2e1614870cbbedfea783c11648307d0f91ceb1cc - utils: extend some find_domain_* calls to search disabled domain
  • sssd-1-16
    • 124957a91db25736ce8ea82852db65d8fa243e58 - ipa: delete content of disabled domains
    • a9f03f01b95031f748fdb968ae9c16b9c3d6ed21 - sysdb: add sysdb_subdomain_content_delete()
    • cc42fe7daece23c639ba8d147808f1c699d8b6ad - ipa: ignore objects from disabled domains on the client
    • 698e27d8b465d1a507554532938058e053569b1b - ipa: support disabled domains
    • 2ea937af47c529ca827bcdd307a47e2b96690d38 - utils: extend some find_domain_* calls to search disabled domain

Comment from sbose at 2019-09-20 10:30:40

Metadata Update from @pbrezina:

  • Issue close_status updated to: Fixed
  • Issue status updated to: Closed (was: Open)

Comment from sbose at 2019-09-20 13:27:41

Commit 13297b8 relates to this ticket

This commit introduces a Coverity error (compiler warning):

Error: COMPILER_WARNING:
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c: scope_hint: In function 's2n_response_to_attrs'
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:665:20: warning: 'gc' may be used uninitialized in this function [-Wmaybe-uninitialized]
#     attrs->ngroups = gc;
#     ~~~~~~~~~~~~~~~^~~~
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:566:15: note: 'gc' was declared here
#     size_t c, gc;
#               ^~
#  663|           }
#  664|       }
#  665|->     attrs->ngroups = gc;
#  666|   
#  667|       tag = ber_peek_tag(ber, &ber_len);

Comment from sbose at 2019-09-20 13:27:41

Metadata Update from @atikhonov:

  • Issue status updated to: Open (was: Closed)

Comment from sbose at 2019-09-20 13:48:45

@atikhonov, thanks, would you like to send a PR to fix this?


Comment from sbose at 2019-09-20 15:08:31

ok, I will.


Comment from sbose at 2019-09-20 16:33:17

@atikhonov, thanks, would you like to send a PR to fix this?

PR: SSSD/sssd#890


Comment from sbose at 2019-09-26 10:40:09

Commit 39e16cca relates to this ticket


Comment from sbose at 2019-09-26 10:43:39

  • master
    • 39e16cca441d4a6b3affe8f27372c26ed11ac81f - providers/ipa/: add_v1_user_data() amended
  • sssd-1-16
    • e294f7351b810ea9180b2e9e0cab47beab18ae25 - providers/ipa/: add_v1_user_data() amended

Comment from sbose at 2019-09-26 10:43:39

Metadata Update from @pbrezina:

  • Issue close_status updated to: Fixed
  • Issue status updated to: Closed (was: Open)