RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1053106 - sssd ad trusted sub domain do not inherit fallbacks and overrides settings
Summary: sssd ad trusted sub domain do not inherit fallbacks and overrides settings
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-14 17:00 UTC by Jeremy Agee
Modified: 2020-05-02 17:35 UTC (History)
8 users (show)

Fixed In Version: sssd-1.11.2-27.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:49:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3238 0 None None None 2020-05-02 17:35:46 UTC

Description Jeremy Agee 2014-01-14 17:00:35 UTC 
Description of problem:
When sssd is joined to and AD forest the trusted domains users will not have a homedir path or shell.

RHEL7 sssd not setting IPA AD trusted user homedir
https://bugzilla.redhat.com/show_bug.cgi?id=1034920

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Join root forest domain
 realm join --user=Administrator sssdad.com

sssd.conf

[domain/sssdad.com]
ad_domain = sssdad.com
krb5_realm = SSSDAD.COM
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

2. Forest has child and/or other tree trust.

# getent passwd Administrator
administrator:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash

# getent passwd Administrator.com
administrator.com:*:1184400500:1184400500:Administrator:/:

# getent passwd Administrator
administrator:*:525400500:525400500:Administrator:/:


Actual results:
homedir path is / and not shell is in getent.

Expected results:
the homedir and shell is inherited from the parent

Additional info:

When global settings are used.

[nss]
default_shell = /bin/bash
fallback_homedir = /home/%d/%u

%u differs between the parent domain and the other two domains.

# getent passwd Administrator
administrator:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash

# getent passwd Administrator.com
administrator.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator.com:/bin/bash

# getent passwd Administrator
administrator:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash
Comment 2 Jakub Hrozek 2014-01-15 09:12:02 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2196
Comment 3 Jakub Hrozek 2014-01-15 22:00:56 UTC 
Pushed upstream.

    master:
        c373732505c9a73a9a8b17533dafc618c95ea331
        d57529a867940e83ed27f8c2326bde7f07db7b9a 
    sssd-1-11:
        156bbc97b3ebb8df42b658b8ab04c00f0d312eec
        654fa152629cf93d6681d138eb806247fca4d9ae
Comment 5 Jeremy Agee 2014-01-16 19:24:58 UTC 
Tested the override setting in the domain section with sssd-1.11.2-27.el7 and looks like its fixed.
[domain/sssdad.com]
default_shell = /bin/bash
override_homedir = /home/%d/%u

administrator:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash
administrator.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
administrator:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

override_homedir = /home/%f

administrator:*:498200500:498200513:Administrator:/home/administrator:/bin/bash
administrator.com:*:1184400500:1184400500:Administrator:/home/administrator.com:/bin/bash
administrator:*:525400500:525400500:Administrator:/home/administrator:/bin/bash

I did see one small odd item.  After removing the override and just leaving fallback_homedir in the [nss] section this showed up

This one looks ok.
[nss]
fallback_homedir = /home/%d/%u

administrator:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash
administrator.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
administrator:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

But this setting seems to not quite follow the expected behavior. The subdomains still do have the /home/%d/%u format even though fallback_homedir = /home/%f is in use.

administrator:*:498200500:498200513:Administrator:/home/administrator:/bin/bash
administrator.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
administrator:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

If fallback_homedir is used in the domain section the same thing happens as the nss section. I could be misunderstanding the man pages, but it does not read like the fallback_homedir options is to be used in the domain section. If it is invalid this last part may not be an issue but ill need to make sure realmd is not writing in sssd.conf by default.
Comment 6 Jakub Hrozek 2014-01-20 17:13:30 UTC 
Jeremy, I think you stumbled upon the same mistake we realized on the devel list..currently the default for subdomain_homedir is always set even if the option is omitted from the config file.

What we agreed on is to only make the subdomain_homedir work in the case of IPA trusts and adjust documentation accordingly. Changing the subdomain_homedir default is not an option as the configurations that might rely on existing default  are already out there..

We'll prepare a new fix.
Comment 7 Kaushik Banerjee 2014-01-22 05:16:05 UTC 
Verified in version 1.11.2-29.el7

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_05: bz 1053106 subdomain do not inherit fallbacks and overrides settings
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

/home/sssdad.com/user1_dom1
:: [   PASS   ] :: Running 'getent passwd user1_dom1 | awk -F: '{print $6}' | grep '/home/sssdad.com/user1_dom1'' (Expected 0, got 0)
/home/sssdad_tree.com/user1_dom2
:: [   PASS   ] :: Running 'getent passwd user1_dom2 | awk -F: '{print $6}' | grep '/home/sssdad_tree.com/user1_dom2'' (Expected 0, got 0)
/home/child1.sssdad.com/user1_dom3
:: [   PASS   ] :: Running 'getent passwd user1_dom3.com | awk -F: '{print $6}' | grep '/home/child1.sssdad.com/user1_dom3'' (Expected 0, got 0)
Comment 8 Ludek Smid 2014-06-13 09:49:21 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.