SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Support ID overrides in subid lookups #7386

Open abbra opened 3 months ago

abbra commented 3 months ago

I am experimenting with subid support for trusted users in FreeIPA. I extended FreeIPA to allow auto-generation of subids for ID overrides in the 'Default Trust View' ID view. The override looks like this, where the ipaowner value is the DN of the ID override entry for this trusted user:

# 832da9d3-5fa1-443c-8f41-840562b9ded3, subids, accounts, ipa1.test
dn: ipauniqueid=832da9d3-5fa1-443c-8f41-840562b9ded3,cn=subids,cn=accounts,dc=ipa1,dc=test
ipaUniqueID: 832da9d3-5fa1-443c-8f41-840562b9ded3
description: auto-assigned subid
ipaOwner: ipaanchoruuid=:SID:S-1-5-21-1340487387-616387851-223273923-500,cn=default trust view,cn=views,cn=accounts,dc=ipa1,dc=test
objectClass: ipasubordinateidentry
objectClass: ipasubordinateuid
objectClass: ipasubordinateid
objectClass: ipasubordinategid
objectClass: top
ipaSubUidCount: 65536
ipaSubGidCount: 65536
ipaSubUidNumber: 2147483648
ipaSubGidNumber: 2147483648

However, SSSD is unable to find this subid entry because searches for ID overrides are not supported:

(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_ext_step] (0x0400): [RID#36] calling ldap_search_ext with [(&(objectClass=ipasubordinateid)(ipaOwner=uid=1314800000,cn=users,cn=accounts,dc=ipa1,dc=test))][cn=subids,cn=accounts,dc=ipa1,dc=test].
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_ext_step] (0x1000): [RID#36] Requesting attrs: [objectClass]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_ext_step] (0x1000): [RID#36] Requesting attrs: [ipaSubUidCount]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_ext_step] (0x1000): [RID#36] Requesting attrs: [ipaSubGidCount]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_ext_step] (0x1000): [RID#36] Requesting attrs: [ipaSubUidNumber]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_ext_step] (0x1000): [RID#36] Requesting attrs: [ipaSubGidNumber]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_ext_step] (0x1000): [RID#36] Requesting attrs: [ipaOwner]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_ext_step] (0x2000): [RID#36] ldap_search_ext called, msgid = 30
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_op_add] (0x2000): [RID#36] New operation 30 timeout 6
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_process_result] (0x2000): Trace: sh[0x55c40f5691e0], connected[1], ops[0x55c40f5abeb0], ldap[0x55c40f501f60]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_process_message] (0x4000): [RID#36] Message type: [LDAP_RES_SEARCH_RESULT]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_call_op_callback] (0x20000): [RID#36] Handling LDAP operation [30][server: [10.0.192.214:389] filter: [(&(objectClass=ipasubordinateid)(ipaOwner=uid=1314800000,cn=users,cn=accounts,dc=ipa1,dc=test))] base: [cn=subids,cn=accounts,dc=ipa1,dc=test]] took [0.585] milliseconds.
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_get_generic_op_finished] (0x0400): [RID#36] Search result: Success(0), no errmsg set
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_op_destructor] (0x2000): [RID#36] Operation 30 finished
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_search_bases_ex_done] (0x0400): [RID#36] Receiving data from base [cn=subids,cn=accounts,dc=ipa1,dc=test]
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_id_op_done] (0x4000): [RID#36] releasing operation connection
(2024-05-17  7:57:30): [be[ipa1.test]] [sdap_id_conn_data_idle] (0x4000): [RID#36] Marking connection as idle
(2024-05-17  7:57:30): [be[ipa1.test]] [subid_ranges_get_done] (0x0080): [RID#36] No such user '1314800000' or user doesn't have subid range
(2024-05-17  7:57:30): [be[ipa1.test]] [sysdb_delete_subid_range] (0x0400): [RID#36] Deleting subid ranges for 1314800000
(2024-05-17  7:57:30): [be[ipa1.test]] [ipa_id_get_account_info_orig_done] (0x0200): [RID#36] Object not overridable, ending request

Please add support to allow ID override-based owner searches as well for subids.
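An added example (not SSSD or FreeIPA code) that models the lookup from the log above in Python: the filter SSSD builds today carries only the user DN as ipaOwner and misses the entry, while a filter that also accepts the ID override DN finds it. The LDIF is the issue's subid entry trimmed to the attributes that matter; the DN values are the ones quoted in the post.

```python
"""Constructed model of the subid owner lookup described in the issue."""
import re

# Constructed sample: the subid entry from the issue, reduced to key attributes.
SUBID_LDIF = """\
dn: ipauniqueid=832da9d3-5fa1-443c-8f41-840562b9ded3,cn=subids,cn=accounts,dc=ipa1,dc=test
ipaOwner: ipaanchoruuid=:SID:S-1-5-21-1340487387-616387851-223273923-500,cn=default trust view,cn=views,cn=accounts,dc=ipa1,dc=test
objectClass: ipasubordinateid
ipaSubUidNumber: 2147483648
ipaSubUidCount: 65536
"""

# The two candidate owner DNs: the POSIX user DN SSSD searches for today,
# and the ID override DN that FreeIPA actually stored in ipaOwner.
USER_DN = "uid=1314800000,cn=users,cn=accounts,dc=ipa1,dc=test"
OVERRIDE_DN = ("ipaanchoruuid=:SID:S-1-5-21-1340487387-616387851-223273923-500,"
               "cn=default trust view,cn=views,cn=accounts,dc=ipa1,dc=test")

def parse_ldif(text):
    """Minimal LDIF parser: one entry, attributes kept as lists of values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        entry.setdefault(key.lower(), []).append(value)
    return entry

def ldap_escape(value):
    """RFC 4515 escaping for an assertion value embedded in a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def subid_filter(owner_dns):
    """Build the cn=subids search filter. One DN reproduces the filter seen in
    the sdap_get_generic_ext_step log line; several DNs become an OR clause."""
    owners = "".join("(ipaOwner=%s)" % ldap_escape(dn) for dn in owner_dns)
    if len(owner_dns) > 1:
        owners = "(|%s)" % owners
    return "(&(objectClass=ipasubordinateid)%s)" % owners

def entry_matches(entry, owner_dns):
    """Evaluate the same filter locally against a parsed entry (DN comparison
    is case-insensitive here, mirroring LDAP distinguishedNameMatch)."""
    wanted = {dn.lower() for dn in owner_dns}
    classes = [o.lower() for o in entry.get("objectclass", [])]
    return ("ipasubordinateid" in classes
            and any(o.lower() in wanted for o in entry.get("ipaowner", [])))

ENTRY = parse_ldif(SUBID_LDIF)
```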

abbra commented 3 months ago

If you want to test, you may try this branch: https://github.com/abbra/freeipa/tree/trusted-users-subids

# ipa idoverrideuser-add '' administrator@ad.test

# ipa group-add --external 'subid-permission-users'
------------------------------------
Added group "subid-permission-users"
------------------------------------
  Group name: subid-permission-users
# ipa group-add-member  'subid-permission-users' --idoverrideuser administrator@ad.test
  Group name: subid-permission-users
  Member ID user overrides: administrator@ad.test
-------------------------
Number of members added 1
-------------------------
# ipa role-add-member 'Subordinate ID Selfservice User' --groups 'subid-permission-users'
  Role name: Subordinate ID Selfservice User
  Description: User that can self-request subordinate ids
  Member groups: subid-permission-users
  Privileges: Subordinate ID Selfservice Users
-------------------------
Number of members added 1
-------------------------

# ipa idoverrideuser-show --all --raw '' administrator@ad.test
  dn: ipaanchoruuid=:SID:S-1-5-21-1340487387-616387851-223273923-500,cn=default trust view,cn=views,cn=accounts,dc=ipa1,dc=test
  ipaanchoruuid: :SID:S-1-5-21-1340487387-616387851-223273923-500
  ipaoriginaluid: administrator@ad.test
  memberof: cn=subid-permission-users,cn=groups,cn=accounts,dc=ipa1,dc=test
  memberofindirect: cn=Self-service subordinate ID,cn=permissions,cn=pbac,dc=ipa1,dc=test
  memberofindirect: cn=Subordinate ID Selfservice Users,cn=privileges,cn=pbac,dc=ipa1,dc=test
  memberofindirect: cn=Subordinate ID Selfservice User,cn=roles,cn=accounts,dc=ipa1,dc=test
  objectClass: ipaOverrideAnchor
  objectClass: top
  objectClass: ipaUserOverride
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: nsmemberof

# kinit administrator@AD.TEST
Password for administrator@AD.TEST: 

# ipa subid-generate 
-----------------------------------------------------------
Added subordinate id "832da9d3-5fa1-443c-8f41-840562b9ded3"
-----------------------------------------------------------
  Unique ID: 832da9d3-5fa1-443c-8f41-840562b9ded3
  Description: auto-assigned subid
  Owner: ipaanchoruuid=:SID:S-1-5-21-1340487387-616387851-223273923-500,cn=default trust view,cn=views,cn=accounts,dc=ipa1,dc=test
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536

# authselect enable-feature with-subid
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

# ssh -l administrator@ad.test `hostname -f`
Last login: Fri May 17 07:52:53 2024 from 10.0.192.214
[administrator@ad.test@master1 ~]$ podman run -it -v $(pwd):$(pwd):Z fedora:40 /bin/bash
ERRO[0000] cannot find UID/GID for user administrator@ad.test: cannot read subids - check rootless mode in man pages. 
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user 
Resolved "fedora" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:40...
Getting image source signatures
Copying blob a255c2d1d95b done   | 
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:a255c2d1d95b935143524f6c15cdfc524353bfba8b7cf7fb8a1d4a30243ade04": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:12 for /var/spool/mail): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /var/spool/mail: invalid argument): exit status 1