Description of problem:
When sssd is joined to an AD forest the trusted domains users will not have a homedir path or shell.

RHEL7 sssd not setting IPA AD trusted user homedir
https://bugzilla.redhat.com/show_bug.cgi?id=1034920

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. Join root forest domain

    realm join --user=Administrator sssdad.com

   sssd.conf

    [domain/sssdad.com]
    ad_domain = sssdad.com
    krb5_realm = SSSDAD.COM
    realmd_tags = manages-system joined-with-samba
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%d/%u
    access_provider = ad

2. Forest has child and/or other tree trust.

    # getent passwd Administrator@sssdad.com
    administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash
    # getent passwd Administrator@child1.sssdad.com
    administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/:
    # getent passwd Administrator@sssdad_tree.com
    administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/:

Actual results: homedir path is / and no shell is in getent.

Expected results: the homedir and shell is inherited from the parent

Additional info:
When global settings are used.

    [nss]
    default_shell = /bin/bash
    fallback_homedir = /home/%d/%u

%u differs between the parent domain and the other two domains.

    # getent passwd Administrator@sssdad.com
    administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash
    # getent passwd Administrator@child1.sssdad.com
    administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator@child1.sssdad.com:/bin/bash
    # getent passwd Administrator@sssdad_tree.com
    administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator@sssdad_tree.com:/bin/bash
Upstream ticket: https://fedorahosted.org/sssd/ticket/2196
Pushed upstream.

master:
    c373732505c9a73a9a8b17533dafc618c95ea331
    d57529a867940e83ed27f8c2326bde7f07db7b9a

sssd-1-11:
    156bbc97b3ebb8df42b658b8ab04c00f0d312eec
    654fa152629cf93d6681d138eb806247fca4d9ae
Tested the override setting in the domain section with sssd-1.11.2-27.el7 and looks like it's fixed.

    [domain/sssdad.com]
    default_shell = /bin/bash
    override_homedir = /home/%d/%u

    administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash
    administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
    administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

    override_homedir = /home/%f

    administrator@sssdad.com:*:498200500:498200513:Administrator:/home/administrator@sssdad.com:/bin/bash
    administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/administrator@child1.sssdad.com:/bin/bash
    administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/administrator@sssdad_tree.com:/bin/bash

I did see one small odd item. After removing the override and just leaving fallback_homedir in the [nss] section this showed up.

This one looks ok.

    [nss]
    fallback_homedir = /home/%d/%u

    administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash
    administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
    administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

But this setting seems to not quite follow the expected behavior. The subdomains still do have the /home/%d/%u format even though fallback_homedir = /home/%f is in use.

    administrator@sssdad.com:*:498200500:498200513:Administrator:/home/administrator@sssdad.com:/bin/bash
    administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash
    administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash

If fallback_homedir is used in the domain section the same thing happens as the nss section.
I could be misunderstanding the man pages, but it does not read like the fallback_homedir option is to be used in the domain section. If it is invalid this last part may not be an issue, but I'll need to make sure realmd is not writing it in sssd.conf by default.
Jeremy, I think you stumbled upon the same mistake we realized on the devel list: currently the default for subdomain_homedir is always set even if the option is omitted from the config file. What we agreed on is to only make the subdomain_homedir work in the case of IPA trusts and adjust documentation accordingly. Changing the subdomain_homedir default is not an option as the configurations that might rely on the existing default are already out there. We'll prepare a new fix.
Verified in version 1.11.2-29.el7

Output from beaker automation run:

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: [ LOG ] :: ad_forest_05: bz 1053106 subdomain do not inherit fallbacks and overrides settings
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    /home/sssdad.com/user1_dom1
    :: [ PASS ] :: Running 'getent passwd user1_dom1@sssdad.com | awk -F: '{print $6}' | grep '/home/sssdad.com/user1_dom1'' (Expected 0, got 0)
    /home/sssdad_tree.com/user1_dom2
    :: [ PASS ] :: Running 'getent passwd user1_dom2@sssdad_tree.com | awk -F: '{print $6}' | grep '/home/sssdad_tree.com/user1_dom2'' (Expected 0, got 0)
    /home/child1.sssdad.com/user1_dom3
    :: [ PASS ] :: Running 'getent passwd user1_dom3@child1.sssdad.com | awk -F: '{print $6}' | grep '/home/child1.sssdad.com/user1_dom3'' (Expected 0, got 0)
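An added example (not part of the bug report and not sssd code) that generalizes the getent checks in this report into an audit: it expands a homedir template for each fully qualified name and flags entries whose home directory or shell differs from what the configuration should produce. It assumes use_fully_qualified_names = True and handles only the %u, %d, %f and %% expansions; expand_homedir and audit_passwd are hypothetical helper names, and the sample lines are copied from the getent output quoted above.

```python
import re

def expand_homedir(template, fq_name):
    """Expand %u (login name), %d (domain), %f (user@domain) and %% (literal %)."""
    user, _, domain = fq_name.partition("@")
    values = {"u": user, "d": domain, "f": fq_name, "%": "%"}
    return re.sub(r"%([udf%])", lambda m: values[m.group(1)], template)

def audit_passwd(lines, template, shell):
    """Return (name, field, actual, expected) for every passwd entry that deviates."""
    findings = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # not a passwd(5) record, e.g. a blank line
        name, home, login_shell = fields[0], fields[5], fields[6]
        expected_home = expand_homedir(template, name)
        if home != expected_home:
            findings.append((name, "homedir", home, expected_home))
        if login_shell != shell:
            findings.append((name, "shell", login_shell, shell))
    return findings

# getent lines from the report: per-domain settings before the fix
BEFORE = [
    "administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash",
    "administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/:",
    "administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/:",
]
# getent lines from the report: global [nss] settings, %u expands to the full name
GLOBAL = [
    "administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash",
    "administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator@child1.sssdad.com:/bin/bash",
    "administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator@sssdad_tree.com:/bin/bash",
]
# getent lines from the report: override_homedir = /home/%d/%u with sssd-1.11.2-27.el7
FIXED = [
    "administrator@sssdad.com:*:498200500:498200513:Administrator:/home/sssdad.com/administrator:/bin/bash",
    "administrator@child1.sssdad.com:*:1184400500:1184400500:Administrator:/home/child1.sssdad.com/administrator:/bin/bash",
    "administrator@sssdad_tree.com:*:525400500:525400500:Administrator:/home/sssdad_tree.com/administrator:/bin/bash",
]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("global", GLOBAL), ("fixed", FIXED)):
        for finding in audit_passwd(sample, "/home/%d/%u", "/bin/bash"):
            print(label, *finding)
```

On a live host the same function can be fed the lines printed by getent passwd for one user from each trusted domain.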
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.