Bug 1378722

Summary: [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Sudhir Menon <sumenon>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: enewland, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas
Target Milestone: rc
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.15.1-1.el7
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 09:00:03 UTC
Attachments:
Helper to verify ticket for getorigbyname (flags: none)

Description Jakub Hrozek 2016-09-23 08:10:33 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/3194

Currently GETSIDBYNAME and GETORIGBYNAME can only handle requests with a (fully-qualified) user name but not with UPNs, email addresses or aliases, which might have a different domain component.

This can e.g. be seen when trying to add an IPA user-override when a UPN is used instead of a user name.
{{{
# getent passwd cu1
cu1.devel:*:1296801104:1296801104:c u:/home/ChIlD.ad.devel/cu1:
# ipa idoverrideuser-add "Default Trust View" cu1
ipa: ERROR: cu1: user not found
}}}

Comment 1 Jakub Hrozek 2016-10-10 10:37:00 UTC
* master: dcdf292567d50e5cc527766c1944dcf6a8ecacc5

Comment 3 Martin Kosek 2017-05-26 09:39:51 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 4 Sudhir Menon 2017-05-31 07:05:40 UTC
Tested on RHEL7.4 using

ipa-server-4.5.0-13.el7.x86_64
389-ds-base-1.3.6.1-15.el7.x86_64
sssd-1.15.2-37.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-6.el7.noarch


    [root@autohv02 ~]# ipa trust-find
    ----------------
    1 trusts matched
    ----------------
   
      Realm name: pne.qe
      Domain NetBIOS name: PNE
      Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
      Trust type: Active Directory domain
      UPN suffixes: test.qa, pune.in
    ----------------------------
    Number of entries returned 1
    ----------------------------
     
     
    [root@autohv02 ~]# id aduser20
    uid=1261601533(aduser20) gid=1261601533(aduser20) groups=1261601533(aduser20),1261600513(domain users)
     
    [root@autohv02 ~]# id aduser20
    uid=1261601533(aduser20) gid=1261601533(aduser20) groups=1261601533(aduser20),1261600513(domain users)
     
    [root@autohv02 ~]# getent passwd aduser20
    aduser20:*:1261601533:1261601533:aduser20:/home/pne.qe/aduser20:
     
    [root@autohv02 ~]# ipa idoverrideuser-add "Default Trust View" aduser20
    -----------------------------------------
    Added User ID override "aduser20"
    -----------------------------------------
      Anchor to override: aduser20
     
    [root@autohv02 ~]# ipa idoverrideuser-find "Default Trust View"
    --------------------------
    1 User ID override matched
    --------------------------
      Anchor to override: aduser20
    ----------------------------
    Number of entries returned 1
    ----------------------------

Comment 5 Lukas Slebodnik 2017-05-31 07:57:40 UTC
I do not think that the previous steps verify the bug. "id user" does not cover the operations GETSIDBYNAME or GETORIGBYNAME.

I think we would need to use the python binding.

  import pysss_nss_idmap
  pysss_nss_idmap.getsidbyname(name)

Comment 6 Lukas Slebodnik 2017-05-31 07:59:06 UTC
Sumit,
you are the author of the patch. Could you confirm my suspicion,
or even better, provide better steps to reproduce?

Comment 7 Sumit Bose 2017-05-31 08:28:25 UTC
Yes, the 'id' command uses a different code path in the SSSD nss responder, which was already aware of UPNs/emails.

The python bindings are the easiest way to test the getsidbyname and getorigbyname requests.

Comment 8 Sumit Bose 2017-05-31 09:49:20 UTC
Example:

[root@ipa-devel-f25 ~]# python
Python 2.7.13 (default, Jan 12 2017, 17:58:54) 
[GCC 6.3.1 20161221 (Red Hat 6.3.1-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('Administrator')
{'Administrator': {'type': 3, 'sid': u'S-1-5-21-3692237560-1981608775-3610128199-500'}}
>>>
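
The check comments 7 and 8 describe, written out as a small script (an added example for this ticket, not the helper attached in comment 11 and not SSSD project code): it resolves the plain user name and each UPN/alias through getsidbyname and reports whether every variant comes back with the same SID. It assumes pysss_nss_idmap.getsidbyname() returns a dict keyed by the queried name with a 'sid' entry, as shown above; the names aduser2 and aduser2@test.qa and the lookup table used when the binding is not installed are constructed sample data.

```python
"""Check that GETSIDBYNAME resolves a trusted user by name and by UPN/alias
to the same account.

Added example for this ticket, not SSSD project code. Assumes the result
shape of pysss_nss_idmap.getsidbyname() shown in comment 8:
    {'name': {'type': 3, 'sid': u'S-1-5-21-...'}}
Works on Python 2.7 (as used in the ticket) and Python 3.
"""
import sys

try:
    import pysss_nss_idmap  # real SSSD binding, present on an SSSD client
except ImportError:
    pysss_nss_idmap = None

# Constructed sample data so the script also runs on a host without SSSD.
# A short name and a UPN of the same trusted AD user map to one SID; names
# the responder does not know are simply absent.
SAMPLE_SID = "S-1-5-21-2202318585-426110948-4011710778-1539"
SAMPLE_LOOKUP = {
    "aduser2": {"type": 3, "sid": SAMPLE_SID},
    "aduser2@test.qa": {"type": 3, "sid": SAMPLE_SID},
}


def sample_getsidbyname(name):
    """Stand-in for pysss_nss_idmap.getsidbyname() using constructed data."""
    return {name: SAMPLE_LOOKUP[name]} if name in SAMPLE_LOOKUP else {}


def sid_for(name, getsidbyname=None):
    """Return the SID string for `name`, or None if the request found nothing."""
    if getsidbyname is None:
        getsidbyname = (pysss_nss_idmap.getsidbyname if pysss_nss_idmap
                        else sample_getsidbyname)
    entry = getsidbyname(name).get(name)
    return entry["sid"] if entry else None


def check_variants(primary, variants, getsidbyname=None):
    """Resolve `primary` and each UPN/alias in `variants`.

    Returns (ok, report): ok is True only when the primary name resolves
    and every variant resolves to the same SID. Each report line names one
    lookup and its outcome, so a variant the responder does not map to the
    account is easy to spot.
    """
    base = sid_for(primary, getsidbyname)
    ok = base is not None
    report = ["%s -> %s" % (primary, base or "not found")]
    for variant in variants:
        sid = sid_for(variant, getsidbyname)
        match = sid is not None and sid == base
        ok = ok and match
        report.append("%s -> %s (%s)" % (
            variant, sid or "not found",
            "same account" if match else "MISMATCH"))
    return ok, report


if __name__ == "__main__":
    # Usage on an IPA client with the binding installed:
    #   python check_sid_variants.py aduser2 aduser2@test.qa
    if len(sys.argv) < 3:
        sys.exit("usage: %s NAME UPN_OR_ALIAS..." % sys.argv[0])
    ok, lines = check_variants(sys.argv[1], sys.argv[2:])
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

The exit status makes the script usable from a test harness: a non-zero exit means at least one UPN or alias did not resolve, or resolved to a different SID than the plain name, which is exactly the behaviour this RFE fixes.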

Comment 9 Sudhir Menon 2017-05-31 13:38:54 UTC
Tested on RHEL7.4

ipa-server-4.5.0-14.el7.x86_64
samba-4.6.2-4.el7.x86_64
389-ds-base-1.3.6.1-15.el7.x86_64
ipa-server-4.5.0-14.el7.x86_64
sssd-1.15.2-37.el7.x86_64
selinux-policy-3.13.1-154.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-7.el7.noarch


[root@ibmserver ~]# python
Python 2.7.5 (default, May  3 2017, 07:55:04) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-14)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('aduser2')
{'aduser2': {'type': 3, 'sid': u'S-1-5-21-2202318585-426110948-4011710778-1539'}}

Search with the UPN set for the same trusted AD user.
>>> pysss_nss_idmap.getsidbyname('aduser2')
{'aduser2': {'type': 3, 'sid': u'S-1-5-21-2202318585-426110948-4011710778-1539'}}

Comment 11 Sumit Bose 2017-05-31 14:15:34 UTC
Created attachment 1283805 [details]
Helper to verify ticket for getorigbyname

Comment 12 Sudhir Menon 2017-05-31 17:53:05 UTC
Getorigbyname also works fine.

[root@ibmserver ~]# ./getorigbyname aduser2
User [aduser2] found.
[root@ibmserver ~]# ./getorigbyname aduser2
User [aduser2] found.


Marking the bug VERIFIED as per comments 9 and 12.

Comment 13 errata-xmlrpc 2017-08-01 09:00:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294