Bug 1254184 – sss_override does not work correctly when 'use_fully_qualified_names = True'

Bug 1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'

Summary:	sss_override does not work correctly when 'use_fully_qualified_names = True'

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd (Show other bugs)
Sub Component:
Version:	7.2
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Pavel Březina
QA Contact:	Kaushik Banerjee
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2015-08-17 07:45 EDT by Dan Lavu
Modified:	2015-11-19 06:39 EST (History)
CC List:	9 users (show)

See Also:
Fixed In Version:	sssd-1.13.0-24.el7
Doc Type:	Bug Fix
Doc Text:	Cause: Domain has use_fully_qualified_names set to true and then sss_override tool is unable to find user or group. Consequence: Local overrides can not be created. Fix: sss_override correctly finds user and groups even when fully qualified name is required. Result: Local overrides can be created.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-11-19 06:39:53 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:2355	normal	SHIPPED_LIVE	Low: sssd security, bug fix, and enhancement update	2015-11-19 05:27:42 EST

Groups: None (edit)

Description Dan Lavu 2015-08-17 07:45:01 EDT

Description of problem:

sss_override does not work correctly when use_fully_qualified_names = True 

Version-Release number of selected component (if applicable):
sssd-tools-1.13.0-11.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
Try to add an override user when 'use_fully_qualified_names = True', for example 'sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com'

Actual results:

[root@rhel72beta db]# sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com --debug 0x3ff0
(Mon Aug 17 12:25:31:014019 2015) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Mon Aug 17 12:25:31:014114 2015) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [sssd2012.com]!
(Mon Aug 17 12:25:31:014149 2015) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Aug 17 12:25:31:014171 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for sssd2012.com: /var/lib/sss/db/cache_sssd2012.com.ldb
(Mon Aug 17 12:25:31:014223 2015) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Aug 17 12:25:31:014318 2015) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Aug 17 12:25:31:014324 2015) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Aug 17 12:25:31:014380 2015) [sssd] [sss_parse_name_for_domains] (0x0200): name 'dlavu@sssd2012.com' matched expression for domain 'sssd2012.com', user is dlavu
Unable to find user dlavu@sssd2012.com.

Expected results:
[root@rhel72beta db]# sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com --debug 0x3ff0
(Mon Aug 17 12:22:03:866318 2015) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Mon Aug 17 12:22:03:866410 2015) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [sssd2012.com]!
(Mon Aug 17 12:22:03:866435 2015) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Aug 17 12:22:03:866456 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for sssd2012.com: /var/lib/sss/db/cache_sssd2012.com.ldb
(Mon Aug 17 12:22:03:866504 2015) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Aug 17 12:22:03:866595 2015) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Aug 17 12:22:03:866601 2015) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Aug 17 12:22:03:866657 2015) [sssd] [sss_parse_name_for_domains] (0x0200): name 'dlavu@sssd2012.com' matched expression for domain 'sssd2012.com', user is dlavu
(Mon Aug 17 12:22:03:883083 2015) [sssd] [get_object_dn_and_domain] (0x0400): Trying to find user dlavu@sssd2012.com
(Mon Aug 17 12:22:03:883168 2015) [sssd] [get_object_dn_and_domain] (0x0400): Domain of user dlavu is sssd2012.com
(Mon Aug 17 12:22:03:883186 2015) [sssd] [prepare_view] (0x0400): Creating LOCAL view.
SSSD needs to be restarted for the changes to take effect.

Additional info:

Comment 2 Jakub Hrozek 2015-08-17 08:39:50 EDT

Upstream ticket:
https://fedorahosted.org/sssd/ticket/2757

Comment 3 Jakub Hrozek 2015-08-19 18:11:19 EDT

Patch acked upstream, acking for RHEL

Comment 4 Jakub Hrozek 2015-08-20 16:42:10 EDT

* master: 7eba58cfcf78e61af1c4ff98619aa97223eb7a5b

Comment 6 Dan Lavu 2015-09-02 13:15:52 EDT

This is working in sssd-client-1.13.0-24.el7.x86_64 , however the override id doesn't return using getent.

[root@rhel72 ~]# sss_override user-add dlavu@sssd2012.com  -n dlavu1@sssd2012.com 
SSSD needs to be restarted for the changes to take effect.

[root@rhel72 ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

[root@rhel72 ~]# getent passwd dlavu1

[root@rhel72 ~]# getent passwd dlavu1@sssd2012.com

[root@rhel72 ~]# getent passwd dlavu@sssd2012.com
dlavu1@sssd2012.com@sssd2012.com:*:349001105:349000513:Dan Lavu:/home/dlavu1@sssd2012.com:/bin/bash

Comment 7 Jakub Hrozek 2015-09-02 15:14:01 EDT

I would suggest to try looking at the logs if dlavu1 was maybe already negatively cached from previous test runs. If not, then please file a new bug.

Thank you very much for testing!

Comment 8 Dan Lavu 2015-09-02 16:34:03 EDT

https://bugzilla.redhat.com/show_bug.cgi?id=1259512 - Filed.

Comment 9 Dan Lavu 2015-09-21 06:13:36 EDT

Verified, testing against sssd-1.13.0-26.el7.x86_64.

####################################

[root@test ~]# sss_override user-add -n dlavu1@sssd2012.com dlavu@sssd2012.com
SSSD needs to be restarted for the changes to take effect.

[root@test ~]# service sssd restart

####################################

[sssd]
domains = sssd2012.com
config_file_version = 2
services = nss, pam

[domain/sssd2012.com]
ad_domain = sssd2012.com
krb5_realm = SSSD2012.COM
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

####################################

Comment 10 errata-xmlrpc 2015-11-19 06:39:53 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

Note You need to log in before you can comment on or make changes to this bug.