Bug 969882

Summary: Fully qualified account names form should be able to use flatname in the fq format
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: grajaiya, jgalipea, pbrezina, sgoveas
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.10.0-10.el7.beta2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 11:39:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2013-06-02 21:56:57 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1648

Subdomains (and even IPA when configured with trusts) can be identified in 2 ways, fully qualified domain name and flatname.
When these subdomains are Windows AD trusted domains it would be nice to be able to fully qualify names using the flatname instead of the DNS name as windows environments use FLATNAME\username as the preferred form to qualify user names, and we should be able to provide this as a possibility.

Comment 1 Jakub Hrozek 2013-06-06 09:49:47 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1468

Comment 2 Jakub Hrozek 2013-10-04 13:25:15 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Steeve Goveas 2014-01-06 15:20:38 UTC
* FLATNAME\username can be used in trusted environment

[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1741800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------

[root@dhcp207-43 ~]# getent passwd 'PUNE\testu1'
testu1.qe:*:839001108:839001108:testu1 user:/:

[root@dhcp207-43 ~]# getent passwd 'PUNE\adnew1'
adnew1.qe:*:839001107:839001107:new user:/:

[root@dhcp207-43 ~]# getent passwd 'ADTEST\aduser2'
aduser2:*:1148401314:1148401314:ads2 user:/:

[root@dhcp207-43 ~]# rpm -q ipa-server sssd
ipa-server-3.3.3-8.el7.x86_64
sssd-1.11.2-18.el7.x86_64

Comment 5 Kaushik Banerjee 2014-01-13 11:21:34 UTC
Also automated as part of direct enrolment with sssd. Verified with version 1.11.2-18.el7

Snippet from beaker automation run:

user1_dom1:*:770843877:770800513:user1_dom1:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER1_SHORT_REALM\\user1_dom1' (Expected 0, got 0)
user1_dom2:*:295201317:295201317:user1_dom2:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER2_SHORT_REALM\\user1_dom2' (Expected 0, got 0)
user1_dom3.com:*:1290801310:1290801310:user1_dom3:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER3_SHORT_REALM\\user1_dom3' (Expected 0, got 0)

Comment 6 Ludek Smid 2014-06-13 11:39:06 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.