Bug 1254184

Summary: sss_override does not work correctly when 'use_fully_qualified_names = True'
Product: Red Hat Enterprise Linux 7
Reporter: Dan Lavu <dlavu>
Component: sssd
Assignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.2
CC: grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.13.0-24.el7
Doc Type: Bug Fix
Doc Text:
Cause: Domain has use_fully_qualified_names set to true and then sss_override tool is unable to find user or group.
Consequence: Local overrides can not be created.
Fix: sss_override correctly finds user and groups even when fully qualified name is required.
Result: Local overrides can be created.
Last Closed: 2015-11-19 11:39:53 UTC
Type: Bug

Description Dan Lavu 2015-08-17 11:45:01 UTC
Description of problem:

sss_override does not work correctly when use_fully_qualified_names = True 

Version-Release number of selected component (if applicable):
sssd-tools-1.13.0-11.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
Try to add an override user when 'use_fully_qualified_names = True', for example 'sss_override user-add dlavu -n dlavu1'

Actual results:

[root@rhel72beta db]# sss_override user-add dlavu -n dlavu1 --debug 0x3ff0
(Mon Aug 17 12:25:31:014019 2015) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Mon Aug 17 12:25:31:014114 2015) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [sssd2012.com]!
(Mon Aug 17 12:25:31:014149 2015) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Aug 17 12:25:31:014171 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for sssd2012.com: /var/lib/sss/db/cache_sssd2012.com.ldb
(Mon Aug 17 12:25:31:014223 2015) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Aug 17 12:25:31:014318 2015) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Aug 17 12:25:31:014324 2015) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Aug 17 12:25:31:014380 2015) [sssd] [sss_parse_name_for_domains] (0x0200): name 'dlavu' matched expression for domain 'sssd2012.com', user is dlavu
Unable to find user dlavu.

Expected results:
[root@rhel72beta db]# sss_override user-add dlavu -n dlavu1 --debug 0x3ff0
(Mon Aug 17 12:22:03:866318 2015) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Mon Aug 17 12:22:03:866410 2015) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [sssd2012.com]!
(Mon Aug 17 12:22:03:866435 2015) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Aug 17 12:22:03:866456 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for sssd2012.com: /var/lib/sss/db/cache_sssd2012.com.ldb
(Mon Aug 17 12:22:03:866504 2015) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Aug 17 12:22:03:866595 2015) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Aug 17 12:22:03:866601 2015) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Aug 17 12:22:03:866657 2015) [sssd] [sss_parse_name_for_domains] (0x0200): name 'dlavu' matched expression for domain 'sssd2012.com', user is dlavu
(Mon Aug 17 12:22:03:883083 2015) [sssd] [get_object_dn_and_domain] (0x0400): Trying to find user dlavu
(Mon Aug 17 12:22:03:883168 2015) [sssd] [get_object_dn_and_domain] (0x0400): Domain of user dlavu is sssd2012.com
(Mon Aug 17 12:22:03:883186 2015) [sssd] [prepare_view] (0x0400): Creating LOCAL view.
SSSD needs to be restarted for the changes to take effect.

Additional info:

Comment 2 Jakub Hrozek 2015-08-17 12:39:50 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2757

Comment 3 Jakub Hrozek 2015-08-19 22:11:19 UTC
Patch acked upstream, acking for RHEL

Comment 4 Jakub Hrozek 2015-08-20 20:42:10 UTC
* master: 7eba58cfcf78e61af1c4ff98619aa97223eb7a5b

Comment 6 Dan Lavu 2015-09-02 17:15:52 UTC
This is working in sssd-client-1.13.0-24.el7.x86_64, however the override id doesn't return using getent.

[root@rhel72 ~]# sss_override user-add dlavu  -n dlavu1 
SSSD needs to be restarted for the changes to take effect.

[root@rhel72 ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

[root@rhel72 ~]# getent passwd dlavu1

[root@rhel72 ~]# getent passwd dlavu1

[root@rhel72 ~]# getent passwd dlavu
dlavu1@sssd2012.com:*:349001105:349000513:Dan Lavu:/home/dlavu1:/bin/bash

Comment 7 Jakub Hrozek 2015-09-02 19:14:01 UTC
I would suggest looking at the logs to see if dlavu1 was maybe already negatively cached from previous test runs. If not, then please file a new bug.

Thank you very much for testing!

Comment 8 Dan Lavu 2015-09-02 20:34:03 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1259512 - Filed.

Comment 9 Dan Lavu 2015-09-21 10:13:36 UTC
Verified, testing against sssd-1.13.0-26.el7.x86_64.

####################################

[root@test ~]# sss_override user-add -n dlavu1 dlavu
SSSD needs to be restarted for the changes to take effect.

[root@test ~]# service sssd restart

####################################

[sssd]
domains = sssd2012.com
config_file_version = 2
services = nss, pam

[domain/sssd2012.com]
ad_domain = sssd2012.com
krb5_realm = SSSD2012.COM
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

####################################
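
Added example (not part of the bug report or the SSSD source): Python code that applies the name regex and fq format printed in the debug logs above, showing how a short, `name@domain` or `DOMAIN\name` input is split and how the fully qualified form seen in the getent output is rebuilt. The function names and the default-domain rule in qualify() are assumptions made for illustration.

```python
import re

# Pattern copied from the sss_names_init_from_args log line. SSSD compiles it
# with PCRE, which permits duplicate group names; Python's re does not, so the
# groups carry a per-branch suffix here.
SSSD_NAME_RE = re.compile(
    r"(((?P<domain_a>[^\\]+)\\(?P<name_a>.+$))"   # DOMAIN\name
    r"|((?P<name_b>[^@]+)@(?P<domain_b>.+$))"     # name@domain
    r"|(^(?P<name_c>[^@\\]+)$))"                  # short name
)
FQ_FORMAT = "%1$s@%2$s"  # copied from the sss_fqnames_init log line


def parse_name(raw):
    """Split raw input into (name, domain); domain is None for a short name."""
    m = SSSD_NAME_RE.match(raw)
    if m is None:
        raise ValueError(f"unparseable name: {raw!r}")
    g = m.groupdict()
    name = g["name_a"] or g["name_b"] or g["name_c"]
    return name, g["domain_a"] or g["domain_b"]


def format_fq(name, domain, fmt=FQ_FORMAT):
    """Expand the printf-style positional format: %1$s = name, %2$s = domain."""
    args = {"1": name, "2": domain}
    return re.sub(r"%([12])\$s", lambda m: args[m.group(1)], fmt)


def qualify(raw, default_domain):
    """Assumption: a short name is assigned to the single configured domain,
    as the sss_parse_name_for_domains log line shows for 'dlavu'."""
    name, domain = parse_name(raw)
    return format_fq(name, domain or default_domain)


def displayed_name(name, domain, use_fqn):
    """Name form printed for a user, depending on use_fully_qualified_names."""
    return format_fq(name, domain) if use_fqn else name


if __name__ == "__main__":
    # Constructed inputs based on the names used in this report.
    for raw in ("dlavu", "dlavu@sssd2012.com", "SSSD2012\\dlavu"):
        print(raw, "->", parse_name(raw), "->", qualify(raw, "sssd2012.com"))
    print(displayed_name("dlavu1", "sssd2012.com", use_fqn=True))
```
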

Comment 10 errata-xmlrpc 2015-11-19 11:39:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html