Hello all.
We encountered a situation where ID views broke authentication... or at least we think so.
The situation was as follows:
Customer insisted that they have to have a "hardened" SSH config like this: AllowGroups staff. This staff (GID 500) group was/is a local group on 100+ machines. They did this "to control who can log in" despite me and a couple of my colleagues trying to tell them (sometimes with strong words attached) that FreeIPA's HBAC rules will handle this very thing, but to no avail. Of course this resulted in a situation where the IPA users could not log in because sshd prevented it.
We came up with a solution where we would create this ID-view:
Anchor to override: res_staff
Group name: staff
GID: 500
and apply that to those 100+ clients. We didn't like the idea of abusing ID views like this, especially after the client insisted that the res_staff group should be a nested group like this:
dev-team -> res_staff + <insert a bunch of other groups>
ops-team -> res_staff + <insert a bunch of other groups>
...
(I have to admit that after seeing and hearing about this, I considered telling my bosses to outright fire this customer)
For a while everything worked, but then logins started to fail. Upon examination, it turned out that the id command would no longer return the full list of a user's groups, and the "hardened" sshd config killed the login. After we cleared the SSSD caches and restarted SSSD, the logins would work for a while and the id command would return all the groups the user belonged to.
It is also worth mentioning that this client has a fetish for nested groups so it is not uncommon to see groups 4-5 "deep" and it is a general mess.
Also: no AD trust here. Just ye olde IPA domain. The good thing is that the environment is extremely homogeneous. All the IPA servers are CentOS 7.6 and the clients CentOS 7.x.
We have the logs with debug level 6, but before I send them for examination I would like to ask whether there is a limitation/bug in the ID views functionality where it fails when the anchor group is nested.
Thank you.
PS. Alexander, you are awesome.
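The setup described in the post, written out as a shell script. This is an added example, not code from the post or from the FreeIPA project. The first function issues the IPA CLI calls that create the ID view override (view name, host list and function names are assumptions; the anchor group res_staff, the override name staff and GID 500 are from the post) and only works on an enrolled machine with an admin Kerberos ticket, so it is not invoked below. The second function reproduces sshd's AllowGroups decision from a user's resolved group list, so the failure mode the post describes (id no longer listing the group, sshd then refusing the login) can be detected on a client before users notice. The sample group lists at the bottom are constructed.

```shell
#!/bin/sh
# Added example; not part of the original post or of FreeIPA.

IDVIEW="staff_gid_view"        # assumed name for the ID view
ANCHOR_GROUP="res_staff"       # anchor group from the post
OVERRIDE_NAME="staff"          # group name the override presents on clients
OVERRIDE_GID=500               # GID of the local 'staff' group on the clients

# apply_staff_override HOSTS
#   Creates the ID view, adds the group override and applies the view to
#   the given comma-separated host list. Needs `kinit admin` first; the
#   same view could be applied with --hostgroups instead of --hosts.
apply_staff_override() {
    ipa idview-add "$IDVIEW"
    ipa idoverridegroup-add "$IDVIEW" "$ANCHOR_GROUP" \
        --group-name="$OVERRIDE_NAME" --gid="$OVERRIDE_GID"
    ipa idview-apply "$IDVIEW" --hosts="$1"
}

# sshd_allows ALLOWGROUPS USER_GROUPS
#   ALLOWGROUPS: the space-separated group list from sshd's AllowGroups line
#   USER_GROUPS: the space-separated output of `id -Gn USER`
#   Returns 0 when at least one of the user's groups is in AllowGroups
#   (exact names only; sshd's wildcard patterns are not handled here).
sshd_allows() {
    allow="$1"
    have="$2"
    for g in $have; do
        for a in $allow; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# check_login USER ALLOWGROUPS
#   Live check on a client: resolves the user's groups through NSS/SSSD
#   and reports whether sshd would admit the user. A "would be refused"
#   result for a user who is supposed to be in the overridden group is
#   the symptom the post describes; clearing the cache (sss_cache -E)
#   and restarting SSSD is what restored the full group list there.
check_login() {
    user="$1"
    allow="$2"
    groups=$(id -Gn "$user" 2>/dev/null) || { echo "$user: cannot resolve user"; return 2; }
    if sshd_allows "$allow" "$groups"; then
        echo "$user: would be allowed (groups: $groups)"
        return 0
    fi
    echo "$user: would be refused by AllowGroups '$allow' (groups: $groups)"
    return 1
}

# Constructed sample data: what `id -Gn alice` returned with a fresh SSSD
# cache (override visible as 'staff') and with a stale one (group missing).
FRESH_GROUPS="alice staff dev-team"
STALE_GROUPS="alice dev-team"

if sshd_allows "staff" "$FRESH_GROUPS"; then
    echo "fresh cache: login allowed"
fi
if ! sshd_allows "staff" "$STALE_GROUPS"; then
    echo "stale cache: login refused, group 'staff' missing from id output"
fi
```

Run `check_login alice staff` on an affected client (the AllowGroups value can be read from `sshd -T | grep allowgroups`) to see whether the resolved group list still contains the overridden group; comparing its output before and after `sss_cache -E` shows whether the cache is what is dropping the group.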