Bug 1919942

I have confirmed the same behaviour in RHEL 8.3 (4.18.0-240.el8.x86_64).

[root@test-vm-4 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.3 (Ootpa)
[root@test-vm-4 ~]# uname -r 
4.18.0-240.el8.x86_64
[root@test-vm-4 ~]# grep override /etc/sssd/sssd.conf 
[root@test-vm-4 ~]# 
[root@test-vm-4 ~]# sss_override user-show rick
[root@test-vm-4 ~]# getent passwd rick
rick:*:549001000:549000513:rick:/home/myhome1:/bin/bash
[root@test-vm-4 ~]# sss_override user-add rick -h /home/myhome3
[root@test-vm-4 ~]# sss_override user-show rick
rick:::::/home/myhome3::
[root@test-vm-4 ~]# systemctl restart sssd
[root@test-vm-4 ~]# getent passwd rick
rick:*:549001000:549000513:rick:/home/myhome3:/bin/bash
[root@test-vm-4 ~]# echo 'override_homedir = /home/myhome2' >> /etc/sssd/sssd.conf 
[root@test-vm-4 ~]# systemctl restart sssd
[root@test-vm-4 ~]# getent passwd rick
rick:*:549001000:549000513:rick:/home/myhome2:/bin/bash

Removing sss_override and re-applying does not help.

[root@test-vm-4 ~]# sss_override user-del rick
[root@test-vm-4 ~]# systemctl restart sssd
[root@test-vm-4 ~]# sss_override user-add rick -h /home/myhome3
[root@test-vm-4 ~]# systemctl restart sssd
[root@test-vm-4 ~]# getent passwd rick
rick:*:549001000:549000513:rick:/home/myhome2:/bin/bash

I have also confirmed the same behaviour occurs when trying to override the loginShell attribute.

Hi,

the question is how the different ways to override the home directory should be ordered. We have the direct overrides, override_homedir and fallback_homedir options. At least the current order should be documented. So far override_homedir is treated as a general override to have a unified assignment of the home directories.

It would be good to know why the customer wants to use override_homedir instead of fallback_homedir?

bye,
Sumit

Hi Sumit,

fallback_homedir will only work when the unixHomeDirectory attribute in Active Directory is undefined. In this particular case, all user accounts in AD have this attribute defined and therefore fallback_homedir will work. The customer did try removing this attribute which then allowed them to use fallback_homedir, but this workaround caused other issues with 3rd party authentication platforms.
Therefore, the customer (and I) expect it work as follows:

- unixHomeDirectory attribute in AD is defined.
- On a particular subset of RHEL servers, override_homedir will be used to set a new home directory.
- On a single server from that subset, the home directory for a single user account needs to be changed, and therefore sss_override is used for this purpose.

I agree the question is around how the overrides should be ordered. Since sss_override provides more granular overriding capabilities, I propose that it should be taking precedence over the override_homedir directive, which today, it does not.

Cheers,
Thomas

Correction in typo in comment #5 (can't edit?) - "all user accounts in AD have this attribute defined and therefore fallback_homedir will NOT work"

Hi,

thanks for the explanation, makes sense. So we should make sure individual overrides are preferred over override_homedir and document the new order in the man page.

bye,
Sumit

Hi,

I've push an initial version of patch to https://github.com/sumit-bose/sssd/commit/65c301b78ebd8f96f34d20e23750b4ded5587d60, tests, man page update etc are still missing.

bye,
Sumit

Upstream ticket:
https://github.com/SSSD/sssd/issues/5589

Pushed PR: https://github.com/SSSD/sssd/pull/5590

* `master`
    * 691fe4944a606e1d56d2f6bb77f5a6045317d4e9 - nss: prefer homedir overrides over override_homedir option

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4435