[Pkg-sssd-devel] Bug#913897: sssd: depending on mail attribute in AD, user is not resolvable or overwritten by other user

Christian Schöniger christian.schoeniger at fes-aes.de
Fri Nov 16 16:51:10 GMT 2018


Package: sssd
Version: 1.15.0-3
Severity: important

Using AD as the id provider, sssd behaves strangely with respect to the AD attribute 'mail'.

There are two users. If one of them has the AD attribute 'mail' set to the same value as the 'userPrincipalName' of
the other user, sssd mixes up these users.

dn: CN=testuser1,OU=Users,DC=domain,DC=tld
name: testuser1
userPrincipalName: testuser1@domain.tld

dn: CN=testuser2,OU=Users,DC=domain,DC=tld
name: testuser2
userPrincipalName: testuser2@domain.tld
mail: testuser1@domain.tld

# no problems here:
service sssd stop ; rm /var/lib/sss/db/*DOMAIN* ; service sssd start
id testuser1
uid=30875(testuser1) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)
id testuser2
uid=30876(testuser2) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)
getent group testgrp
testgrp:*:30882:testuser1,testuser2

# here the trouble starts:
sss_cache -E
id testuser1
id: ‘testuser1’: no such user
id testuser2
uid=30876(testuser2) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)

# changing order returns UID/groups of 'testuser2' also for 'testuser1'
service sssd stop ; rm /var/lib/sss/db/*DOMAIN* ; service sssd start
id testuser2
uid=30876(testuser2) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)
id testuser1
uid=30876(testuser2) gid=10513(domänen-benutzer) groups=10513(domänen-benutzer),30882(testgrp)
getent group testgrp
testgrp:*:30882:testuser2,testuser1

As far as I can tell, this has no obvious security implications, i.e. it's not possible to log in
to user 'testuser2's account with the password of 'testuser1'.

This issue can be solved by mapping the users' email address to a nonexistent AD attribute
('ldap_user_email = not_in_use' in sssd.conf).


# content of /etc/sss/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.TLD

[domain/DOMAIN.TLD]
id_provider     = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
ldap_group_nesting_level = 5

min_id                = 10000
ldap_idmap_range_min  = 10000
ldap_idmap_range_size = 50000

# specifying domain SID disables id mapping hash algorithm
ldap_idmap_default_domain_sid = S-1-5-21-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
ldap_idmap_default_domain     = domain.tld

override_homedir = /home/%u
override_shell = /usr/bin/tcsh
ldap_user_fullname = displayName

# Enumeration is discouraged for performance reasons.
enumerate = false
ldap_referrals = false
ignore_group_members = false

debug_level = 1


-- System Information:
Debian Release: 9.6
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sssd depends on:
ii  python-sss   1.15.0-3
ii  sssd-ad      1.15.0-3
ii  sssd-common  1.15.0-3
ii  sssd-ipa     1.15.0-3
ii  sssd-krb5    1.15.0-3
ii  sssd-ldap    1.15.0-3
ii  sssd-proxy   1.15.0-3

sssd recommends no packages.

sssd suggests no packages.

-- no debconf information


-- 
Best regards

Christian Schöniger
Dipl.-Ing. (BA)
System Administration
FES GmbH Fahrzeug-Entwicklung Sachsen / Auto-Entwicklungsring Sachsen GmbH
Crimmitschauer Straße 59, 08058 Zwickau

Tel.: +49 375 5660 254
Fax : +49 375 5660 92254
mailto:csc at fes-aes.de
http://www.fes-aes.de

* FES GmbH Fahrzeug-Entwicklung Sachsen
  VAT ID No.:          DE 141379336
  Registration court:  Amtsgericht Chemnitz, registration number: HRB 4499
  Managing directors:  Christian Schwamberger (chairman), Ronny Tolliszus, Frank Weidenmueller

* Auto-Entwicklungsring Sachsen GmbH
  VAT ID No.:          DE 188743030
  Registration court:  Amtsgericht Chemnitz, registration number: HRB 14770
  Managing directors:  Christian Schwamberger (chairman), Ronny Tolliszus, Frank Weidenmueller
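The precondition for the mix-up described in the report above is a user whose 'mail' value equals another user's 'userPrincipalName'. The following is an added example, not code from the bug report or from the sssd project: it parses constructed LDIF entries that mirror the two users in the report, lists such mail/UPN collisions, and shows that mapping the email attribute to an unused name (as the reporter's 'ldap_user_email = not_in_use' workaround does) leaves nothing to collide. The function names, the sample entries and the simplified lookup model at the end are all illustrative assumptions; the lookup model is not sssd's actual matching logic.

```python
"""Audit AD user entries for mail/userPrincipalName collisions.

Added example, not from the bug report or the sssd project. The LDIF below is
constructed to mirror the two users in the report; lookup_candidates() is a
simplified illustration of why a colliding value makes a lookup ambiguous,
not a reproduction of sssd's internal matching.
"""

# Constructed LDIF mirroring the report's two users (not a real directory dump).
SAMPLE_LDIF = """\
dn: CN=testuser1,OU=Users,DC=domain,DC=tld
name: testuser1
userPrincipalName: testuser1@domain.tld

dn: CN=testuser2,OU=Users,DC=domain,DC=tld
name: testuser2
userPrincipalName: testuser2@domain.tld
mail: testuser1@domain.tld
"""


def parse_ldif(text):
    """Parse minimal LDIF: blank-line separated entries of 'attr: value' lines.

    Returns a list of dicts mapping lower-cased attribute names to value lists.
    LDAP attribute names are case-insensitive, so they are normalised here.
    Base64 ('::') values and continuation lines are not handled; they are not
    needed for the attributes this audit looks at.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_collisions(entries, email_attr="mail"):
    """Return (email_value, owner_dn, upn_owner_dn) triples where one entry's
    email attribute equals a different entry's userPrincipalName.

    Values are compared case-insensitively, as AD treats UPNs and addresses.
    With email_attr set to an attribute no entry carries (the reporter's
    workaround), there are no email values and therefore no collisions.
    """
    upn_owner = {}
    for e in entries:
        for upn in e.get("userprincipalname", []):
            upn_owner[upn.lower()] = e["dn"][0]
    hits = []
    for e in entries:
        for mail in e.get(email_attr.lower(), []):
            owner = upn_owner.get(mail.lower())
            if owner and owner != e["dn"][0]:
                hits.append((mail, e["dn"][0], owner))
    return hits


def lookup_candidates(entries, query, email_attr="mail"):
    """Simplified lookup model (assumption, not sssd's code): return the DNs of
    every entry whose UPN or mapped email attribute equals the query. More than
    one DN means the query cannot identify a single user.
    """
    q = query.lower()
    out = []
    for e in entries:
        keys = {v.lower() for v in e.get("userprincipalname", [])}
        keys |= {v.lower() for v in e.get(email_attr.lower(), [])}
        if q in keys:
            out.append(e["dn"][0])
    return out


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for mail, owner, upn_dn in find_collisions(users):
        print("COLLISION: %s is 'mail' of %s but the UPN of %s" % (mail, owner, upn_dn))
    print("mail mapped:  ", lookup_candidates(users, "testuser1@domain.tld"))
    print("workaround:   ", lookup_candidates(users, "testuser1@domain.tld", "not_in_use"))
```

Run against a real export (for example the output of an ldapsearch for 'mail' and 'userPrincipalName' over the user OU) this lists the accounts that would trigger the reported behaviour, so the collision can be cleaned up in AD rather than only hidden by the sssd.conf workaround.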
