Bug 1378722
| Summary: | [RFE] Make GETSIDBYNAME and GETORIGBYNAME request aware of UPNs and aliases | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Sudhir Menon <sumenon> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | enewland, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.15.1-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:00:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Description
Jakub Hrozek
2016-09-23 08:10:33 UTC
* master: dcdf292567d50e5cc527766c1944dcf6a8ecacc5

Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Tested on RHEL7.4 using

```
ipa-server-4.5.0-13.el7.x86_64
389-ds-base-1.3.6.1-15.el7.x86_64
sssd-1.15.2-37.el7.x86_64
selinux-policy-3.13.1-152.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-6.el7.noarch
```

```
[root@autohv02 ~]# ipa trust-find
----------------
1 trusts matched
----------------
Realm name: pne.qe
Domain NetBIOS name: PNE
Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
Trust type: Active Directory domain
UPN suffixes: test.qa, pune.in
----------------------------
Number of entries returned 1
----------------------------
[root@autohv02 ~]# id aduser20
uid=1261601533(aduser20) gid=1261601533(aduser20) groups=1261601533(aduser20),1261600513(domain users)
[root@autohv02 ~]# id aduser20
uid=1261601533(aduser20) gid=1261601533(aduser20) groups=1261601533(aduser20),1261600513(domain users)
[root@autohv02 ~]# getent passwd aduser20
aduser20:*:1261601533:1261601533:aduser20:/home/pne.qe/aduser20:
[root@autohv02 ~]# ipa idoverrideuser-add "Default Trust View" aduser20
-----------------------------------------
Added User ID override "aduser20"
-----------------------------------------
Anchor to override: aduser20
[root@autohv02 ~]# ipa idoverrideuser-find "Default Trust View"
--------------------------
1 User ID override matched
--------------------------
Anchor to override: aduser20
----------------------------
Number of entries returned 1
----------------------------
```

I do not think that previous steps verify the bug. "id user" does not cover operations GETSIDBYNAME or GETORIGBYNAME. I think we would need to use python binding.

```
import pysss_nss_idmap
pysss_nss_idmap.getsidbyname(name)
```

Sumit, you are an author of the patch. Could you confirm my suspicion? or even better provide better steps to reproduce.

Yes, the 'id' command uses a different code path in the SSSD nss responder which was already aware of UPNs/emails. The python bindings are the most easy way to test the getsidbyname and getorigbyname requests. Example:

```
[root@ipa-devel-f25 ~]# python
Python 2.7.13 (default, Jan 12 2017, 17:58:54)
[GCC 6.3.1 20161221 (Red Hat 6.3.1-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('Administrator')
{'Administrator': {'type': 3, 'sid': u'S-1-5-21-3692237560-1981608775-3610128199-500'}}
>>>
```

Tested on RHEL7.4

```
ipa-server-4.5.0-14.el7.x86_64
samba-4.6.2-4.el7.x86_64
389-ds-base-1.3.6.1-15.el7.x86_64
ipa-server-4.5.0-14.el7.x86_64
sssd-1.15.2-37.el7.x86_64
selinux-policy-3.13.1-154.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-server-10.4.1-7.el7.noarch
```

```
[root@ibmserver ~]# python
Python 2.7.5 (default, May 3 2017, 07:55:04)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-14)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('aduser2')
{'aduser2': {'type': 3, 'sid': u'S-1-5-21-2202318585-426110948-4011710778-1539'}}
```

Search with UPN set for the same trusted AD user.

```
>>> pysss_nss_idmap.getsidbyname('aduser2')
{'aduser2': {'type': 3, 'sid': u'S-1-5-21-2202318585-426110948-4011710778-1539'}}
```

Created attachment 1283805
Helper to verify ticket for getorigbyname

Getorigbyname also works fine.

```
[root@ibmserver ~]# ./getorigbyname aduser2
User [aduser2] found.
[root@ibmserver ~]# ./getorigbyname aduser2
User [aduser2] found.
```

Marking the bug VERIFIED as per comment 9 and 12.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2017:2294
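
The verification discussed in the comments above (short name and UPN must resolve to the same SID through `getsidbyname`) can be scripted. The following is an added example, not code from this bug or from SSSD: the helper names, the stand-in lookup, and its UPN and SID values are constructed, and it assumes an unresolvable name is simply absent from the returned dictionary.

```python
# Added example: checks that several spellings of one account (short name,
# UPN, alias) resolve to the same SID via a getsidbyname-style lookup.

def resolve_sids(lookup, names):
    """Return {name: sid or None} using a getsidbyname-like callable."""
    sids = {}
    for name in names:
        result = lookup(name) or {}
        # Assumption: a name that cannot be resolved is absent from the result.
        entry = result.get(name)
        sids[name] = entry.get("sid") if entry else None
    return sids


def check_same_identity(lookup, names):
    """Return (ok, report); ok is True only if every name maps to one SID."""
    sids = resolve_sids(lookup, names)
    unresolved = sorted(n for n, s in sids.items() if s is None)
    distinct = sorted({s for s in sids.values() if s is not None})
    ok = not unresolved and len(distinct) == 1
    return ok, {"sids": sids, "unresolved": unresolved, "distinct": distinct}


# Constructed stand-in for the SSSD responder so the check runs without SSSD.
# The UPN suffix and SID below are made up for illustration.
_FAKE_DB = {
    "aduser2": "S-1-5-21-1111111111-2222222222-3333333333-1539",
    "aduser2@upn.example": "S-1-5-21-1111111111-2222222222-3333333333-1539",
}


def fake_getsidbyname(name):
    sid = _FAKE_DB.get(name)
    return {name: {"type": 3, "sid": sid}} if sid else {}


if __name__ == "__main__":
    import sys
    try:
        import pysss_nss_idmap           # real binding; needs a running SSSD
        lookup = pysss_nss_idmap.getsidbyname
    except ImportError:
        lookup = fake_getsidbyname       # fall back to the constructed data
    names = sys.argv[1:] or ["aduser2", "aduser2@upn.example"]
    ok, report = check_same_identity(lookup, names)
    print(report)
    sys.exit(0 if ok else 1)
```

On a host joined to the trust, pass the short name and the UPN of the same AD user as arguments; a non-zero exit status means a spelling was unresolved or mapped to a different SID.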