Bug 1309745

Summary: Support multiple principals for IPA users
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: unspecified
Version: 7.3
CC: grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sbose, xdong
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.14.0-14.el7
Doc Type: Enhancement
Doc Text: See Doc Text for BZ#1328552
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 07:16:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jakub Hrozek 2016-02-18 15:25:00 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2958

This is the SSSD part of FreeIPA ticket #5413. When IPA allows multiple principals, we will need to store a multi-valued UPN attribute and pick the right one.

The use-cases are supporting a legal name change and supporting authentication by e-mail address.
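The "pick the right one" step described above, as an added illustration that is not SSSD's or FreeIPA's own code: a parser for the Kerberos principal text form (backslash escapes, so `talias\@ent.test@TESTRELM` is one component `talias@ent.test` in realm `TESTRELM`), and a lookup that maps any alias in a user's multi-valued principal attribute back to the canonical principal while refusing a realm mismatch. The attribute names `krbCanonicalName` and `krbPrincipalName` are the IPA LDAP attributes; the user record is constructed from the values shown in the verification comment on this page, and the default realm is an assumed parameter.

```python
"""Resolve a requested principal against a user's multi-valued principal
attribute.  Added example, not SSSD/FreeIPA code; the user record below is
constructed from the aliases shown on this page."""

from typing import List, Optional, Tuple


def parse_principal(name: str, default_realm: str) -> Tuple[List[str], str]:
    """Split a principal string into (components, realm).

    Mirrors the MIT krb5 text form: '/' separates components, the first
    unescaped '@' starts the realm, and a backslash makes the next character
    literal.  A name without a realm gets default_realm.  Empty components,
    an empty realm, or a second unescaped '@' are rejected.
    """
    components: List[str] = []
    realm: Optional[str] = None  # None until the realm separator is seen
    buf: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            buf.append(name[i + 1])  # escaped: take literally
            i += 2
            continue
        if realm is None and ch == "/":
            components.append("".join(buf))
            buf = []
        elif ch == "@":
            if realm is not None:
                raise ValueError(f"unescaped '@' in realm: {name!r}")
            components.append("".join(buf))
            buf = []
            realm = ""  # remaining characters belong to the realm
        else:
            buf.append(ch)
        i += 1
    if realm is None:
        components.append("".join(buf))
        realm = default_realm
    else:
        realm = "".join(buf)
    if not realm or any(c == "" for c in components):
        raise ValueError(f"malformed principal: {name!r}")
    return components, realm


def unparse_principal(components: List[str], realm: str) -> str:
    """Inverse of parse_principal: re-escape '/', '@' and backslash."""
    def esc(s: str) -> str:
        return "".join("\\" + c if c in "/@\\" else c for c in s)
    return "/".join(esc(c) for c in components) + "@" + esc(realm)


# Constructed user entry matching the `ipa user-add-principal` output above:
# one canonical name plus a multi-valued krbPrincipalName attribute.
TUSER = {
    "uid": "tuser",
    "krbCanonicalName": "tuser@TESTRELM",
    "krbPrincipalName": [
        "talias@TESTRELM",
        "talias\\@ent.test@TESTRELM",
        "tuser@TESTRELM",
    ],
}


def resolve_canonical(user: dict, requested: str, default_realm: str) -> Optional[str]:
    """Return the canonical principal if `requested` names any of the user's
    principals, else None.

    Matching is done on the parsed form so escaping differences do not
    matter, and the realm must match exactly: tuser@OTHER is a different
    identity from tuser@TESTRELM even though the aliases share a local part.
    """
    want = parse_principal(requested, default_realm)
    for alias in user["krbPrincipalName"]:
        if parse_principal(alias, default_realm) == want:
            return user["krbCanonicalName"]
    return None


if __name__ == "__main__":
    for req in ("talias", "talias\\@ent.test", "tuser@OTHER", "talias@ent.test"):
        print(f"{req:24} -> {resolve_canonical(TUSER, req, 'TESTRELM')}")
```

Note the last probe: `talias@ent.test` without the backslash parses as user `talias` in realm `ent.test`, so it does not match the enterprise-style alias; the escape is what distinguishes a literal `@` in the local part from the realm separator.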

Comment 1 Jakub Hrozek 2016-07-29 13:10:08 UTC
* master:
    * 0d5d490fb5ec685fd8ef7a75e612e6ec7ef6bde3
    * 83a796ec8de4bde65b11cc8032675406950641fa
    * 78677495a7762469002b0976809fa20ac2196f42
    * ba9ebfc49ab3bacb96213c8620411128c09f39da
    * 91767924bdf9b5a28e8902206a40348d6c83a139
    * 04d4c4d45f3942a813b7f772737f801f877f4e64
    * 9a310913d696d190db14c625080678db853a33fd
    * 447b1da857368678990b54cd6b9cfed940357c44
    * 3381d9736b698d6111d10e219a0b5b898a4c757c
    * 62df78512145db94b51c5573d4df1737197e368a
    * 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469
    * 15694ca762f61a414f0017c57ed97a8d57456b80
    * 50a7a92f92e1584702bf25e61a50cb1c09c7e260

Comment 3 Jakub Hrozek 2016-09-11 19:58:22 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2856

Comment 4 Xiyang Dong 2016-09-21 13:02:50 UTC
Verified on sssd-1.14.0-41.el7:
# ipa user-add tuser --first test --last user --password
Password: 
Enter Password again to verify: 
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser@TESTRELM
  Principal alias: tuser@TESTRELM
  Email address: tuser
  UID: 1669000001
  GID: 1669000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# kinit tuser
Password for tuser@TESTRELM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# kinit admin
Password for admin@TESTRELM: 
# ipa user-add-principal tuser talias talias\\@ent.test
---------------------------------
Added new aliases to user "tuser"
---------------------------------
  User login: tuser
  Principal alias: talias@TESTRELM, talias\@ent.test@TESTRELM, tuser@TESTRELM
# kinit talias 
Password for talias@TESTRELM: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_5ks0oe9
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:38:33  08/22/2016 23:38:30  krbtgt/TESTRELM@TESTRELM

# kinit -C talias
Password for talias@TESTRELM: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_OhZfJlN
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:39:00  08/22/2016 23:38:54  krbtgt/TESTRELM@TESTRELM

# kinit talias\\@ent.test
Password for talias\@ent.test@TESTRELM: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_2HXMy3a
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:40:02  08/22/2016 23:39:59  krbtgt/TESTRELM@TESTRE

# kinit -E talias
Password for talias\@ent.test@TESTRELM: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_JEDF6Xy
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:40:37  08/22/2016 23:40:34  krbtgt/TESTRELM@TESTRELM

Comment 10 errata-xmlrpc 2016-11-04 07:16:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html