Package: sssd
Version: 1.15.0-3
Severity: important

Using AD as id provider, sssd behaves strangely on the AD attribute 'mail'.

There are two users. If one of them has the AD attribute 'mail' set to the same value as the 'userPrincipalName' of the other user, sssd mixes up these users.

dn: CN=testuser1,OU=Users,DC=domain,DC=tld
name: testuser1
userPrincipalName: testus...@domain.tld

dn: CN=testuser2,OU=Users,DC=domain,DC=tld
name: testuser2
userPrincipalName: testus...@domain.tld
mail: testus...@domain.tld

# no problems here:
service sssd stop ; rm /var/lib/sss/db/*DOMAIN* ; service sssd start
id testuser1
uid=30875(testuser1) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)
id testuser2
uid=30876(testuser2) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)
getent group testgrp
testgrp:*:30882:testuser1,testuser2

# here the trouble starts:
sss_cache -E
id testuser1
id: ‘testuser1’: no such user
id testuser2
uid=30876(testuser2) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)

# changing the order returns the UID/groups of 'testuser2' also for 'testuser1'
service sssd stop ; rm /var/lib/sss/db/*DOMAIN* ; service sssd start
id testuser2
uid=30876(testuser2) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)
id testuser1
uid=30876(testuser2) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)
getent group testgrp
testgrp:*:30882:testuser2,testuser1

As far as I can tell, this has no obvious security implications, i.e. it's not possible to log in to the account of user 'testuser2' with the password of 'testuser1'.

This issue can be solved by mapping the user's email address to a nonexistent AD attribute ('ldap_user_email = not_in_use' in sssd.conf).

# content of /etc/sss/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.TLD

[domain/DOMAIN.TLD]
id_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
ldap_group_nesting_level = 5
min_id = 10000
ldap_idmap_range_min = 10000
ldap_idmap_range_size = 50000
# specifying domain SID disables id mapping hash algorithm
ldap_idmap_default_domain_sid = S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
ldap_idmap_default_domain = domain.tld
override_homedir = /home/%u
override_shell = /usr/bin/tcsh
ldap_user_fullname = displayName
# Enumeration is discouraged for performance reasons.
enumerate = false
ldap_referrals = false
ignore_group_members = false
debug_level = 1

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sssd depends on:
ii  python-sss   1.15.0-3
ii  sssd-ad      1.15.0-3
ii  sssd-common  1.15.0-3
ii  sssd-ipa     1.15.0-3
ii  sssd-krb5    1.15.0-3
ii  sssd-ldap    1.15.0-3
ii  sssd-proxy   1.15.0-3

sssd recommends no packages.

sssd suggests no packages.

-- no debconf information

Best Regards
Christian Schöniger
FES GmbH Fahrzeug-Entwicklung Sachsen
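An added pre-flight check, not part of this bug report and not sssd code: given an LDAP export of user records, it flags every account whose 'mail' equals (case-insensitively, as AD compares these attributes) another account's 'userPrincipalName', which is exactly the collision that makes sssd mix up testuser1 and testuser2 above. The LDIF records below are constructed to mirror that scenario; parse_ldif and find_mail_upn_collisions are hypothetical helper names.

```python
"""Find AD users whose 'mail' collides with another user's userPrincipalName.

Constructed example data: in practice the records would come from an
LDAP export (e.g. ldapsearch output) rather than the inline string.
"""
from collections import defaultdict


def parse_ldif(text):
    """Minimal parser for blank-line separated 'attribute: value' records.
    Base64 ('::') values and line continuations are not handled."""
    users, rec = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if rec:
                users.append(rec)
                rec = {}
            continue
        key, _, val = line.partition(":")
        rec[key.strip()] = val.strip()
    if rec:
        users.append(rec)
    return users


def find_mail_upn_collisions(users):
    """Return sorted (mail_owner, upn_owner, value) tuples for every user
    whose 'mail' equals a *different* user's 'userPrincipalName'."""
    by_upn = defaultdict(list)
    for u in users:
        if u.get("userPrincipalName"):
            by_upn[u["userPrincipalName"].lower()].append(u["name"])
    collisions = []
    for u in users:
        mail = (u.get("mail") or "").lower()
        for owner in by_upn.get(mail, []):
            if owner != u["name"]:  # a user's own mail == own UPN is fine
                collisions.append((u["name"], owner, mail))
    return sorted(collisions)


# Constructed records: testuser2's mail reuses testuser1's UPN (the bug case);
# testuser3's mail equals its own UPN, which must not be reported.
SAMPLE_LDIF = """\
dn: CN=testuser1,OU=Users,DC=domain,DC=tld
name: testuser1
userPrincipalName: testuser1@domain.tld

dn: CN=testuser2,OU=Users,DC=domain,DC=tld
name: testuser2
userPrincipalName: testuser2@domain.tld
mail: TestUser1@domain.tld

dn: CN=testuser3,OU=Users,DC=domain,DC=tld
name: testuser3
userPrincipalName: testuser3@domain.tld
mail: testuser3@domain.tld
"""

if __name__ == "__main__":
    for mail_owner, upn_owner, value in find_mail_upn_collisions(parse_ldif(SAMPLE_LDIF)):
        print(f"{mail_owner}: mail {value} equals userPrincipalName of {upn_owner}")
```

Any reported pair is a candidate for the 'ldap_user_email = not_in_use' workaround (or for cleaning up the 'mail' attribute in AD) before sssd caches the ambiguous entries.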