Bug 2061795
Summary: | Unable to lookup AD user if the AD group contains '@' symbol | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | Abhijit Roy <abroy> |
Component: | sssd | Assignee: | Tomas Halman <thalman> |
Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 9.0 | CC: | atikhono, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sgadekar, thalman, tscherf |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | sync-to-jira | ||
Fixed In Version: | sssd-2.7.1-2.el9 | Doc Type: | If docs needed, set a value |
Last Closed: | 2022-11-15 11:17:22 UTC | Type: | Bug |
Description
Abhijit Roy
2022-03-08 14:55:58 UTC
(In reply to Abhijit Roy from comment #0)
> Description of problem:
>
> Unable to lookup AD user if the AD group contains '@' symbol
>
> Workaround: Adding re_expression =
> (((?P<name>.+)@(?P<domain>[^@]+$))|(^(?P<name>[^@\\]+)$)) on the IPA server
> and client's /etc/sssd/sssd.conf

IIUC, this ^^ is not a "workaround" but a valid way to cater for this requirement.
I.e. this is not a bug, but rather "by design"...

Thanks for your reply.

I thought '@' in group names, there were some issues some years ago but nowadays SSSD is able to handle '@' signs in group names. Which actually sssd does on IPA server and AD joined host but not on IPA client.

[root@-ad ~]# id alleysh
uid=974001325(alleysh) gid=974000513(domain users) groups=974000513(domain users),974001510(alok@testgroup),974001402(linux sudo),974001289(grp10),974001281(grp2),974001288(grp9)
[root@alok-ad ~]# client_loop: send disconnect: Broken pipe
abhijitroy@abroy-mac ~ %

Feel free to close the bz if the 're_expression' is mandatory on the IPA client side.

Upstream PR: https://github.com/SSSD/sssd/pull/6044

Pushed PR: https://github.com/SSSD/sssd/pull/6044

* `master`
    * dde276e251ca0210757407b0013578d2e789bf60 - TESTS: New tests for IPA/AD re_expression default
    * c159f52995d211e0ccc72b918f441bd1497549f6 - usertools: move default re_expression definition
    * 0c0705e301886a5af5f0f9ed947d23e00851a104 - usertools: better default for IPA/AD re_expression

Additional PR: https://github.com/SSSD/sssd/pull/6205

Pushed PR: https://github.com/SSSD/sssd/pull/6205

* `master`
    * 9656516b9af2b3ea4627eab42f11c7667564020f - names: only check sub-domains for regex match
* `sssd-2-7`
    * 536dc9e4f72503942e659ca0dbd022d3dfac148f - names: only check sub-domains for regex match

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8325
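How the re_expression quoted in this report splits a name whose group part contains '@', as an added Python example that is not part of the bug report or of SSSD's code. Assumptions: the duplicate `name` group is renamed to `name1`/`name2` because Python's `re` rejects duplicate group names, `STRICT` is a constructed contrast pattern, `ad.example.test` is a constructed domain, and `resolves()` is a simplified model of "the parsed domain must be a configured one".

```python
import re

# Pattern from the report's workaround; the two "name" groups are renamed
# (name1/name2) only because Python's re does not allow duplicate names.
WORKAROUND = re.compile(
    r"(((?P<name1>.+)@(?P<domain>[^@]+$))|(^(?P<name2>[^@\\]+)$))"
)

# Constructed contrast pattern (assumption, not from the report): the name
# part may not contain '@', so the split happens at the FIRST '@'.
STRICT = re.compile(
    r"(((?P<name1>[^@]+)@(?P<domain>.+$))|(^(?P<name2>[^@\\]+)$))"
)

KNOWN_DOMAINS = {"ad.example.test"}  # constructed sample domain


def split_name(pattern, raw):
    """Return (name, domain) as the pattern sees it, or None if no match."""
    m = pattern.search(raw)
    if m is None:
        return None
    return (m.group("name1") or m.group("name2"), m.group("domain"))


def resolves(pattern, raw, known=KNOWN_DOMAINS):
    """Simplified model: a lookup can succeed only if the parsed domain is
    absent (short name) or is one of the configured domains."""
    parsed = split_name(pattern, raw)
    if parsed is None:
        return False
    _, domain = parsed
    return domain is None or domain.lower() in known


if __name__ == "__main__":
    samples = [
        "alok@testgroup@ad.example.test",  # group name from the report, qualified
        "alleysh@ad.example.test",
        "alleysh",
        "alok@testgroup",  # unqualified: the pattern alone cannot tell
    ]                      # "group with '@'" from "name@domain"
    for raw in samples:
        for label, pat in (("workaround", WORKAROUND), ("strict", STRICT)):
            print(f"{label:10} {raw!r:35} -> {split_name(pat, raw)} "
                  f"resolves={resolves(pat, raw)}")
```

The last sample shows the remaining ambiguity: an unqualified `alok@testgroup` is still read as name `alok` in domain `testgroup` by the pattern alone, so group-based access rules should be checked with both the qualified and unqualified forms after changing `re_expression`.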