Bug 1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings
Summary: sssd ad trusted sub domain do not inherit fallbacks and overrides settings
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-14 17:00 UTC by Jeremy Agee
Modified: 2020-05-02 17:35 UTC (History)
8 users (show)

Fixed In Version: sssd-1.11.2-27.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:49:21 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3238 None None None 2020-05-02 17:35:46 UTC

Description Jeremy Agee 2014-01-14 17:00:35 UTC
Description of problem:
When sssd is joined to and AD forest the trusted domains users will not have a homedir path or shell.

RHEL7 sssd not setting IPA AD trusted user homedir
https://bugzilla.redhat.com/show_bug.cgi?id=1034920

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Join root forest domain
 realm join --user=Administrator sssdad.com

sssd.conf

[domain/sssdad.com]
ad_domain = sssdad.com
krb5_realm = SSSDAD.COM
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

2. Forest has child and/or other tree trust.

# getent passwd Administrator@sssdad.com
administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash

# getent passwd Administrator@child1.sssdad.com
administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/:

# getent passwd Administrator@sssdad_tree.com
administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/:


Actual results:
homedir path is / and not shell is in getent.

Expected results:
the homedir and shell is inherited from the parent

Additional info:

When global settings are used.

[nss]
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

%u differs between the parent domain and the other two domains.

# getent passwd Administrator@sssdad.com
administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash

# getent passwd Administrator@child1.sssdad.com
administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator@child1.sssdad.com:/bin/bash

# getent passwd Administrator@sssdad_tree.com
administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator@sssdad_tree.com:/bin/bash

Comment 2 Jakub Hrozek 2014-01-15 09:12:02 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2196

Comment 3 Jakub Hrozek 2014-01-15 22:00:56 UTC
Pushed upstream.

    master:
        c373732505c9a73a9a8b17533dafc618c95ea331
        d57529a867940e83ed27f8c2326bde7f07db7b9a 
    sssd-1-11:
        156bbc97b3ebb8df42b658b8ab04c00f0d312eec
        654fa152629cf93d6681d138eb806247fca4d9ae

Comment 5 Jeremy Agee 2014-01-16 19:24:58 UTC
Tested the override setting in the domain section with sssd-1.11.2-27.el7 and looks like its fixed.
[domain/sssdad.com]
default_shell = /bin/bash
override_homedir = /home/%d/%u

administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash
administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

override_homedir = /home/%f

administrator@sssdad.com:*:498200500:498200513:Administrator:/home/administrator@sssdad.com:/bin/bash
administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/administrator@child1.sssdad.com:/bin/bash
administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/administrator@sssdad_tree.com:/bin/bash

I did see one small odd item.  After removing the override and just leaving fallback_homedir in the [nss] section this showed up

This one looks ok.
[nss]
fallback_homedir = /home/%d/%u

administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash
administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

But this setting seems to not quite follow the expected behavior. The subdomains still do have the /home/%d/%u format even though fallback_homedir = /home/%f is in use.

administrator@sssdad.com:*:498200500:498200513:Administrator:/home/administrator@sssdad.com:/bin/bash
administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

If fallback_homedir is used in the domain section the same thing happens as the nss section. I could be misunderstanding the man pages, but it does not read like the fallback_homedir options is to be used in the domain section. If it is invalid this last part may not be an issue but ill need to make sure realmd is not writing in sssd.conf by default.

Comment 6 Jakub Hrozek 2014-01-20 17:13:30 UTC
Jeremy, I think you stumbled upon the same mistake we realized on the devel list..currently the default for subdomain_homedir is always set even if the option is omitted from the config file.

What we agreed on is to only make the subdomain_homedir work in the case of IPA trusts and adjust documentation accordingly. Changing the subdomain_homedir default is not an option as the configurations that might rely on existing default  are already out there..

We'll prepare a new fix.

Comment 7 Kaushik Banerjee 2014-01-22 05:16:05 UTC
Verified in version 1.11.2-29.el7

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_05: bz 1053106 subdomain do not inherit fallbacks and overrides settings
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/home/sssdad.com/user1_dom1
:: [   PASS   ] :: Running 'getent passwd user1_dom1@sssdad.com | awk -F: '{print $6}' | grep '/home/sssdad.com/user1_dom1'' (Expected 0, got 0)
/home/sssdad_tree.com/user1_dom2
:: [   PASS   ] :: Running 'getent passwd user1_dom2@sssdad_tree.com | awk -F: '{print $6}' | grep '/home/sssdad_tree.com/user1_dom2'' (Expected 0, got 0)
/home/child1.sssdad.com/user1_dom3
:: [   PASS   ] :: Running 'getent passwd user1_dom3@child1.sssdad.com | awk -F: '{print $6}' | grep '/home/child1.sssdad.com/user1_dom3'' (Expected 0, got 0)

Comment 8 Ludek Smid 2014-06-13 09:49:21 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.


Note You need to log in before you can comment on or make changes to this bug.