Bug 1327272
| Summary: | local overrides: issues with sub-domain users and mixed case names | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
| Severity: | unspecified | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | unspecified | ||
| Version: | 6.8 | CC: | apetrova, grajaiya, jhrozek, lslebodn, mkosek, mniranja, mzidek, pbrezina, sgoveas, sssd-maint |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.13.3-36.el6 | Doc Type: | Bug Fix |
| Doc Text: |
SSSD correctly creates local overrides in an AD environment
Previously, the `sss_override` utility created case-insensitive distinguished names (DNs) when the `id_provider` option was set to `ad` in the `/etc/sssd/sssd.conf` file. However, the DNs in the SSSD cache are stored as case-sensitive. As a consequence, local overrides were not created for users from the Active Directory (AD) subdomain and for users with mixed-case account names. With this update, SSSD searches the object in the cache and uses the DN from the search result. This fixes the problem in the mentioned situation.
|
Story Points: | --- |
| Clone Of: | 1327270 | Environment: | |
| Last Closed: | 2017-03-21 09:55:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1327270 | ||
| Bug Blocks: | |||
|
Description
Jakub Hrozek
2016-04-14 15:58:47 UTC
master:
32dd0dd34193a7566d83adf6845f5194decc3304
e45096aead1d2e2b8f8b2b386b420c5f62ad07d3
3a8b5ccf7c27b72054e1d8b3ab355cb1e28efda9
e6e2d1575ac7feb3494649f94ef51ef13cbdce48
sssd-1-13:
279a9cd4e56522590f844a3ddde2235098065133
baadb2467521b4da61e9c205d9549c750fad3eae
a6c3abd6b9b23477ad6008852371937d16679778
f3f312492a925e2efe1457a7cb8ab5b459eaef68
Versions: ======== Reproducer: sssd-ldap-1.13.3-22.el6.x86_64 python-sssdconfig-1.13.3-22.el6.noarch sssd-client-1.13.3-22.el6.x86_64 sssd-common-1.13.3-22.el6.x86_64 sssd-proxy-1.13.3-22.el6.x86_64 sssd-krb5-common-1.13.3-22.el6.x86_64 sssd-ipa-1.13.3-22.el6.x86_64 sssd-krb5-1.13.3-22.el6.x86_64 sssd-common-pac-1.13.3-22.el6.x86_64 sssd-ad-1.13.3-22.el6.x86_64 sssd-1.13.3-22.el6.x86_64 sssd-tools-1.13.3-22.el6.x86_64 AD Configurations ================ JUNO.TEST (parent domain controller) JUPITER.JUNO.TEST (subdomain controller) 1. Override a AD user from parent domain [root@hulk ~]# id idmfoo1 uid=842004188(idmfoo1) gid=842000513(domain users) groups=842000513(domain users),842004189(users) 2. Set local unix id 5679 [root@hulk ~]# sss_override user-add idmfoo1 -u 5678 [root@hulk ~]# service sssd restart Stopping sssd: [ OK ] Starting sssd: [ OK ] [root@hulk ~]# id idmfoo1 [root@hulk ~]# id idmfoo1 uid=5678(idmfoo1) gid=842000513(domain users) groups=842000513(domain users),842004189(users) 3. Override and AD user from sub domain JUPITER.JUNO.TEST [root@hulk ~]# id idmjuno1.test uid=725801105(idmjuno1.test) gid=725801105(idmjuno1.test) groups=725801105(idmjuno1.test),725800513 [root@hulk ~]# sss_override user-add idmjuno1.test -u 7890 [root@hulk ~]# service sssd restart Stopping sssd: [ OK ] Starting sssd: [ OK ] [root@hulk ~]# id idmjuno1.test uid=725801105(idmjuno1.test) gid=725801105(idmjuno1.test) groups=725801105(idmjuno1.test),725800513 4. Create a Mixed case username and override [root@hulk ~]# id IdmFooBar uid=842004189(idmfoobar) gid=842000513(domain users) groups=842000513(domain users),842004189(users) [root@hulk db]# sss_override user-add IdmFooBar -u 7890 SSSD needs to be restarted for the changes to take effect. [root@hulk db]# sss_override user-add IdmFooBar -u 7890 SSSD needs to be restarted for the changes to take effect. [root@hulk db]# service sssd restart Stopping sssd: [ OK ] Starting sssd: [ OK ] [root@hulk db]# id IdmFooBar uid=7890(idmfoobar) gid=842000513(domain users) groups=842000513(domain users) [root@hulk db]# id idmfoobar uid=7890(idmfoobar) gid=842000513(domain users) groups=842000513(domain users) [root@hulk db]# sss_override user-add IdmFooBar -u 9870 [root@hulk db]# service sssd restart Stopping sssd: [ OK ] Starting sssd: [ OK ] [root@hulk db]# id idmfoobar uid=9870(idmfoobar) gid=842000513(domain users) groups=842000513(domain users) 5. Update sssd [root@hulk packages]# rpm -qa | grep sssd python-sssdconfig-1.13.3-54.el6.noarch sssd-krb5-common-1.13.3-54.el6.x86_64 sssd-krb5-1.13.3-54.el6.x86_64 sssd-tools-1.13.3-54.el6.x86_64 sssd-common-1.13.3-54.el6.x86_64 sssd-common-pac-1.13.3-54.el6.x86_64 sssd-ad-1.13.3-54.el6.x86_64 sssd-ldap-1.13.3-54.el6.x86_64 sssd-1.13.3-54.el6.x86_64 sssd-client-1.13.3-54.el6.x86_64 sssd-ipa-1.13.3-54.el6.x86_64 sssd-proxy-1.13.3-54.el6.x86_64 [root@hulk packages]# 6. Verify able to override subdomains [root@hulk packages]# id idmjuno1.test uid=725801105(idmjuno1.test) gid=725801105(idmjuno1.test) groups=725801105(idmjuno1.test),725800513 [root@hulk packages]# sss_override user-add idmjuno1.test -u 7890 [root@hulk packages]# service sssd restart Stopping sssd: [ OK ] Starting sssd: [ OK ] [root@hulk packages]# id idmjuno1.test uid=7890(idmjuno1.test) gid=725801105(idmjuno1.test) groups=725801105(idmjuno1.test),725800513 [root@hulk packages]# cat /etc/sssd/sssd.conf [sssd] config_file_version = 2 domains = juno.test services = nss, pam case_sensitive = true [domain/juno.test] id_provider = ad auth_provider = ad access_provider = ad default_shell = /bin/bash fallback_homedir = /home/%d/%u use_fully_qualified_names = True debug_level = 9 enumerate = true With regard to Mixed usernames, i could not reproduce the issue as you can see in step4- comment #10. So is there any specific usecase or the steps that can be provided to reproduce the issue and see if the updated package fixes the issue. (In reply to Niranjan Mallapadi Raghavender from comment #12) > With regard to Mixed usernames, i could not reproduce the issue as you can > see in step4- comment #10. > > So is there any specific usecase or the steps that can be provided to > reproduce the issue and see if the updated package fixes the issue. Dan already verified this bug in RHEL-7. See his reproducer in https://bugzilla.redhat.com/show_bug.cgi?id=1327270#c4 Thanks for the update. Below are the commands to override name [root@hulk packages]# sss_override user-add -n AdminChild Administrator.test [root@hulk packages]# service sssd restart Stopping sssd: [ OK ] Starting sssd: [ OK ] [root@hulk packages]# id AdminChild.test uid=725800500(adminchild.test) gid=725800500(adminchild.test) groups=725800500(adminchild.test),725800513 [root@hulk packages]# id adminchild.test uid=725800500(adminchild.test) gid=725800500(adminchild.test) groups=725800500(adminchild.test),725800513 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0632.html |