Bug 1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
Assignee: Pavel Březina
QA Contact: Kaushik Banerjee
Reported: 2015-08-17 11:45 UTC by Dan Lavu
Modified: 2020-05-02 18:09 UTC

Fixed In Version: sssd-1.13.0-24.el7
Doc Type: Bug Fix
Doc Text:
Cause: The domain has use_fully_qualified_names set to true, and the sss_override tool is then unable to find the user or group.
Consequence: Local overrides cannot be created.
Fix: sss_override correctly finds users and groups even when a fully qualified name is required.
Result: Local overrides can be created.
Last Closed: 2015-11-19 11:39:53 UTC
Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3798 None None None 2020-05-02 18:09:03 UTC
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Dan Lavu 2015-08-17 11:45:01 UTC
Description of problem:

sss_override does not work correctly when use_fully_qualified_names = True 

Version-Release number of selected component (if applicable):
sssd-tools-1.13.0-11.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
Try to add an override user when 'use_fully_qualified_names = True', for example 'sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com'

Actual results:

[root@rhel72beta db]# sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com --debug 0x3ff0
(Mon Aug 17 12:25:31:014019 2015) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Mon Aug 17 12:25:31:014114 2015) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [sssd2012.com]!
(Mon Aug 17 12:25:31:014149 2015) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Aug 17 12:25:31:014171 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for sssd2012.com: /var/lib/sss/db/cache_sssd2012.com.ldb
(Mon Aug 17 12:25:31:014223 2015) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Aug 17 12:25:31:014318 2015) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Aug 17 12:25:31:014324 2015) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Aug 17 12:25:31:014380 2015) [sssd] [sss_parse_name_for_domains] (0x0200): name 'dlavu@sssd2012.com' matched expression for domain 'sssd2012.com', user is dlavu
Unable to find user dlavu@sssd2012.com.

Expected results:
[root@rhel72beta db]# sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com --debug 0x3ff0
(Mon Aug 17 12:22:03:866318 2015) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Mon Aug 17 12:22:03:866410 2015) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [sssd2012.com]!
(Mon Aug 17 12:22:03:866435 2015) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Aug 17 12:22:03:866456 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for sssd2012.com: /var/lib/sss/db/cache_sssd2012.com.ldb
(Mon Aug 17 12:22:03:866504 2015) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Aug 17 12:22:03:866595 2015) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Aug 17 12:22:03:866601 2015) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Aug 17 12:22:03:866657 2015) [sssd] [sss_parse_name_for_domains] (0x0200): name 'dlavu@sssd2012.com' matched expression for domain 'sssd2012.com', user is dlavu
(Mon Aug 17 12:22:03:883083 2015) [sssd] [get_object_dn_and_domain] (0x0400): Trying to find user dlavu@sssd2012.com
(Mon Aug 17 12:22:03:883168 2015) [sssd] [get_object_dn_and_domain] (0x0400): Domain of user dlavu is sssd2012.com
(Mon Aug 17 12:22:03:883186 2015) [sssd] [prepare_view] (0x0400): Creating LOCAL view.
SSSD needs to be restarted for the changes to take effect.

Additional info:

Comment 2 Jakub Hrozek 2015-08-17 12:39:50 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2757

Comment 3 Jakub Hrozek 2015-08-19 22:11:19 UTC
Patch acked upstream, acking for RHEL

Comment 4 Jakub Hrozek 2015-08-20 20:42:10 UTC
* master: 7eba58cfcf78e61af1c4ff98619aa97223eb7a5b

Comment 6 Dan Lavu 2015-09-02 17:15:52 UTC
This is working in sssd-client-1.13.0-24.el7.x86_64; however, the override id doesn't return using getent.

[root@rhel72 ~]# sss_override user-add dlavu@sssd2012.com  -n dlavu1@sssd2012.com 
SSSD needs to be restarted for the changes to take effect.

[root@rhel72 ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

[root@rhel72 ~]# getent passwd dlavu1

[root@rhel72 ~]# getent passwd dlavu1@sssd2012.com

[root@rhel72 ~]# getent passwd dlavu@sssd2012.com
dlavu1@sssd2012.com@sssd2012.com:*:349001105:349000513:Dan Lavu:/home/dlavu1@sssd2012.com:/bin/bash
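
Added example, not part of the original report and not SSSD's own code: the name expression and fq format printed in the debug log above, modelled in Python, with a check that flags passwd entries carrying the domain suffix twice, as in the getent output of this comment. The function names are hypothetical, and the way the doubled name arises here (formatting an already-qualified name) is an assumption, not a statement about SSSD internals.

```python
import re

# The three alternatives of the expression shown in the debug log. PCRE lets
# SSSD reuse group names across alternatives; Python's re does not, so they
# are compiled separately and tried in the same order (equivalent for the
# inputs used here).
NAME_PATTERNS = [
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),  # DOMAIN\name
    re.compile(r"(?P<name>[^@]+)@(?P<domain>.+$)"),    # name@domain
    re.compile(r"^(?P<name>[^@\\]+)$"),                # bare name
]
FQ_FORMAT = "%1$s@%2$s"  # fq format from the debug log: name, then domain

def parse_name(raw):
    """Return (name, domain-or-None), or None if no alternative matches."""
    for pattern in NAME_PATTERNS:
        m = pattern.search(raw)
        if m:
            return m.group("name"), m.groupdict().get("domain")
    return None

def format_fqname(name, domain, fmt=FQ_FORMAT):
    """Expand the positional printf-style fq format."""
    return re.sub(r"%([12])\$s", lambda m: (name, domain)[int(m.group(1)) - 1], fmt)

def qualify(raw, domain):
    """Qualify exactly once: reduce to the short name, then apply the format."""
    parsed = parse_name(raw)
    if parsed is None:
        raise ValueError("unparseable name: %r" % raw)
    return format_fqname(parsed[0], domain)

def find_double_qualified(passwd_lines, domain):
    """Return logins whose domain part is '<something>@<domain>'."""
    hits = []
    for line in passwd_lines:
        login = line.split(":", 1)[0]
        parsed = parse_name(login)
        if parsed and parsed[1] and parsed[1] != domain \
                and parsed[1].endswith("@" + domain):
            hits.append(login)
    return hits

SAMPLE_PASSWD = [
    # Line as shown in this comment's getent output.
    "dlavu1@sssd2012.com@sssd2012.com:*:349001105:349000513:Dan Lavu:/home/dlavu1@sssd2012.com:/bin/bash",
    # Constructed line with a singly qualified login, for contrast.
    "dlavu@sssd2012.com:*:349001105:349000513:Dan Lavu:/home/dlavu@sssd2012.com:/bin/bash",
]
```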

Comment 7 Jakub Hrozek 2015-09-02 19:14:01 UTC
I would suggest looking at the logs to see whether dlavu1 was maybe already negatively cached from previous test runs. If not, then please file a new bug.

Thank you very much for testing!

Comment 8 Dan Lavu 2015-09-02 20:34:03 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1259512 - Filed.

Comment 9 Dan Lavu 2015-09-21 10:13:36 UTC
Verified, testing against sssd-1.13.0-26.el7.x86_64.

####################################

[root@test ~]# sss_override user-add -n dlavu1@sssd2012.com dlavu@sssd2012.com
SSSD needs to be restarted for the changes to take effect.

[root@test ~]# service sssd restart

####################################

[sssd]
domains = sssd2012.com
config_file_version = 2
services = nss, pam

[domain/sssd2012.com]
ad_domain = sssd2012.com
krb5_realm = SSSD2012.COM
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

####################################

Comment 10 errata-xmlrpc 2015-11-19 11:39:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html