Bug 1254184 - sss_override does not work correctly when 'use_fully_qualified_names = True'
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
7.2
Unspecified Unspecified
medium Severity unspecified
Assigned To: Pavel Březina
Kaushik Banerjee
Reported: 2015-08-17 07:45 EDT by Dan Lavu
Modified: 2015-11-19 06:39 EST
Fixed In Version: sssd-1.13.0-24.el7
Doc Type: Bug Fix
Doc Text:
Cause: A domain has use_fully_qualified_names set to true, and the sss_override tool is then unable to find a user or group.
Consequence: Local overrides cannot be created.
Fix: sss_override correctly finds users and groups even when a fully qualified name is required.
Result: Local overrides can be created.
Last Closed: 2015-11-19 06:39:53 EST
Type: Bug
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2015:2355
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: sssd security, bug fix, and enhancement update
Last Updated: 2015-11-19 05:27:42 EST

Description Dan Lavu 2015-08-17 07:45:01 EDT
Description of problem:

sss_override does not work correctly when use_fully_qualified_names = True 

Version-Release number of selected component (if applicable):
sssd-tools-1.13.0-11.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
Try to add an override user when 'use_fully_qualified_names = True', for example 'sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com'

Actual results:

[root@rhel72beta db]# sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com --debug 0x3ff0
(Mon Aug 17 12:25:31:014019 2015) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Mon Aug 17 12:25:31:014114 2015) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [sssd2012.com]!
(Mon Aug 17 12:25:31:014149 2015) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Aug 17 12:25:31:014171 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for sssd2012.com: /var/lib/sss/db/cache_sssd2012.com.ldb
(Mon Aug 17 12:25:31:014223 2015) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Aug 17 12:25:31:014318 2015) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Aug 17 12:25:31:014324 2015) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Aug 17 12:25:31:014380 2015) [sssd] [sss_parse_name_for_domains] (0x0200): name 'dlavu@sssd2012.com' matched expression for domain 'sssd2012.com', user is dlavu
Unable to find user dlavu@sssd2012.com.

Expected results:
[root@rhel72beta db]# sss_override user-add dlavu@sssd2012.com -n dlavu1@sssd2012.com --debug 0x3ff0
(Mon Aug 17 12:22:03:866318 2015) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Mon Aug 17 12:22:03:866410 2015) [sssd] [confdb_get_domain_internal] (0x0400): No enumeration for [sssd2012.com]!
(Mon Aug 17 12:22:03:866435 2015) [sssd] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Mon Aug 17 12:22:03:866456 2015) [sssd] [sysdb_domain_init_internal] (0x0200): DB File for sssd2012.com: /var/lib/sss/db/cache_sssd2012.com.ldb
(Mon Aug 17 12:22:03:866504 2015) [sssd] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Mon Aug 17 12:22:03:866595 2015) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Mon Aug 17 12:22:03:866601 2015) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Mon Aug 17 12:22:03:866657 2015) [sssd] [sss_parse_name_for_domains] (0x0200): name 'dlavu@sssd2012.com' matched expression for domain 'sssd2012.com', user is dlavu
(Mon Aug 17 12:22:03:883083 2015) [sssd] [get_object_dn_and_domain] (0x0400): Trying to find user dlavu@sssd2012.com
(Mon Aug 17 12:22:03:883168 2015) [sssd] [get_object_dn_and_domain] (0x0400): Domain of user dlavu is sssd2012.com
(Mon Aug 17 12:22:03:883186 2015) [sssd] [prepare_view] (0x0400): Creating LOCAL view.
SSSD needs to be restarted for the changes to take effect.

Additional info:
Comment 2 Jakub Hrozek 2015-08-17 08:39:50 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2757
Comment 3 Jakub Hrozek 2015-08-19 18:11:19 EDT
Patch acked upstream, acking for RHEL
Comment 4 Jakub Hrozek 2015-08-20 16:42:10 EDT
* master: 7eba58cfcf78e61af1c4ff98619aa97223eb7a5b
Comment 6 Dan Lavu 2015-09-02 13:15:52 EDT
This is working in sssd-client-1.13.0-24.el7.x86_64; however, the override id doesn't return using getent.

[root@rhel72 ~]# sss_override user-add dlavu@sssd2012.com  -n dlavu1@sssd2012.com 
SSSD needs to be restarted for the changes to take effect.

[root@rhel72 ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

[root@rhel72 ~]# getent passwd dlavu1

[root@rhel72 ~]# getent passwd dlavu1@sssd2012.com

[root@rhel72 ~]# getent passwd dlavu@sssd2012.com
dlavu1@sssd2012.com@sssd2012.com:*:349001105:349000513:Dan Lavu:/home/dlavu1@sssd2012.com:/bin/bash
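
Added example (not part of the bug report and not SSSD's own code): a Python check that parses login names with the expression and fq format printed in the debug log above, and flags passwd entries whose domain part is not a configured domain, such as the doubled name in the getent output of Comment 6. The regex group names and all helper names are assumptions made for this illustration; Python's re does not accept the duplicate group names used in the logged expression, so each alternative gets its own pair.

```python
import re

# Name regex from the sss_names_init_from_args log line. Python's re rejects
# duplicate group names, so each alternative gets its own pair (adaptation).
NAME_RE = re.compile(
    r"(?:(?P<d1>[^\\]+)\\(?P<n1>.+$))"   # DOMAIN\name
    r"|(?:(?P<n2>[^@]+)@(?P<d2>.+$))"    # name@domain
    r"|(?:^(?P<n3>[^@\\]+)$)"            # bare short name
)
FQ_FORMAT = "%1$s@%2$s"  # from the sss_fqnames_init log line


def parse_name(raw):
    """Split a login string into (name, domain); domain is None for short names."""
    m = NAME_RE.search(raw)
    if m is None:
        raise ValueError(f"unparsable name: {raw!r}")
    g = m.groupdict()
    return g["n1"] or g["n2"] or g["n3"], g["d1"] or g["d2"]


def fq_name(name, domain, fmt=FQ_FORMAT):
    """Expand the positional printf-style format: %1$s = name, %2$s = domain."""
    args = (name, domain)
    return re.sub(r"%(\d)\$s", lambda m: args[int(m.group(1)) - 1], fmt)


def misqualified_logins(passwd_lines, domains):
    """Return logins whose parsed domain is missing or not a configured domain
    (with use_fully_qualified_names = True every login should be name@domain)."""
    known = {d.lower() for d in domains}
    bad = []
    for line in passwd_lines:
        login = line.split(":", 1)[0]
        _, domain = parse_name(login)
        if domain is None or domain.lower() not in known:
            bad.append(login)
    return bad


# First line is the getent output from Comment 6; the second is constructed.
SAMPLE = [
    "dlavu1@sssd2012.com@sssd2012.com:*:349001105:349000513:Dan Lavu:/home/dlavu1@sssd2012.com:/bin/bash",
    "dlavu@sssd2012.com:*:349001105:349000513:Dan Lavu:/home/dlavu@sssd2012.com:/bin/bash",
]

if __name__ == "__main__":
    print(parse_name("dlavu@sssd2012.com"))
    print(fq_name("dlavu1@sssd2012.com", "sssd2012.com"))
    print(misqualified_logins(SAMPLE, ["sssd2012.com"]))
```

Feeding an already qualified override name through the fq format reproduces the doubled string seen in the getent output; this is an observation about the strings only, not a statement about how SSSD builds the name internally.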
Comment 7 Jakub Hrozek 2015-09-02 15:14:01 EDT
I would suggest to try looking at the logs if dlavu1 was maybe already negatively cached from previous test runs. If not, then please file a new bug.

Thank you very much for testing!
Comment 8 Dan Lavu 2015-09-02 16:34:03 EDT
https://bugzilla.redhat.com/show_bug.cgi?id=1259512 - Filed.
Comment 9 Dan Lavu 2015-09-21 06:13:36 EDT
Verified, testing against sssd-1.13.0-26.el7.x86_64.

####################################

[root@test ~]# sss_override user-add -n dlavu1@sssd2012.com dlavu@sssd2012.com
SSSD needs to be restarted for the changes to take effect.

[root@test ~]# service sssd restart

####################################

[sssd]
domains = sssd2012.com
config_file_version = 2
services = nss, pam

[domain/sssd2012.com]
ad_domain = sssd2012.com
krb5_realm = SSSD2012.COM
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

####################################
Comment 10 errata-xmlrpc 2015-11-19 06:39:53 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html
