Bug 2196816

Summary: [RHEL9] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
Product: Red Hat Enterprise Linux 9 Reporter: Alexey Tikhonov <atikhono>
Component: sssdAssignee: Sumit Bose <sbose>
Status: VERIFIED --- QA Contact: Madhuri <mupadhye>
Severity: medium Docs Contact:
Priority: high    
Version: 9.1CC: aboscatt, pbrezina, sgadekar
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.9.1-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2196839 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2196839    
Deadline: 2023-06-05   

Description Alexey Tikhonov 2023-05-10 10:18:06 UTC 
This bug was initially created as a copy of Bug #2192708

I am copying this bug because: to track fix for RHEL9



## Description of problem ##
Trusted AD user information cannot be retrieved from IPA clients if trusted user name contains upper/mixed case characters and is configured with overrides.
IDM server is able to see the user running the same pkg release.

Operation returns:
~~~
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_next] (0x0040): [RID#2] s2n exop request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_done] (0x0040): [RID#2] s2n get_fqlist request failed.
~~~

## Version-Release number of selected component (if applicable) ##
sssd-2.7.3-4.el8_7.3.x86_64


## How reproducible ##
Always


## Steps to Reproduce ##
1. Deploy a user in AD with uppercase/mixed chars name (e.g., Con81001)
2. Configure a override for this user in IPA (sshPublicKey)
3. Perform user lookup or authentication attempt


## Actual results ##
id: ‘con81001.com’: no such user


## Expected results ##
uid=645601103(con81001.com) gid=645601103(con81001.com) groups=645601103(con81001.com)


## Additional info ##

Request from client fails with:
~~~
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_step] (0x0400): [RID#2] Sending request_type: [REQ_FULL_WITH_MEMBERS] for object [con81001.com].
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_send] (0x0400): [RID#2] Executing extended operation
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_send] (0x2000): [RID#2] ldap_extended_operation sent, msgid = 17
-- snip --
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [17][server: [172.20.90.211:389] IPA EXOP] took [207.742] milliseconds.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_done] (0x0040): [RID#2] ldap_extended_operation result: No such object(32), (null).
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_op_destructor] (0x2000): [RID#2] Operation 17 finished
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_next] (0x0040): [RID#2] s2n exop request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_done] (0x0040): [RID#2] s2n get_fqlist request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_id_op_done] (0x4000): [RID#2] releasing operation connection
~~~
Comment 1 Alexey Tikhonov 2023-05-10 10:33:30 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6721
Comment 4 Alexey Tikhonov 2023-05-15 12:27:09 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6721

* `master`
    * 01d02794e02f051ea9a78cd63b30384de3e7c9b0 - sysdb: fix string comparison when checking for overrides
* `sssd-2-9`
    * d104c01f1b3198779addee8178b10b047e64deb9 - sysdb: fix string comparison when checking for overrides