Bug 1327272 - local overrides: issues with sub-domain users and mixed case names
Summary: local overrides: issues with sub-domain users and mixed case names
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1327270
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-14 15:58 UTC by Jakub Hrozek
Modified: 2017-03-21 09:55 UTC (History)
10 users (show)

Fixed In Version: sssd-1.13.3-36.el6
Doc Type: Bug Fix
Doc Text:
SSSD correctly creates local overrides in an AD environment Previously, the `sss_override` utility created case-insensitive distinguished names (DNs) when the `id_provider` option was set to `ad` in the `/etc/sssd/sssd.conf` file. However, the DNs in the SSSD cache are stored as case-sensitive. As a consequence, local overrides were not created for users from the Active Directory (AD) subdomain and for users with mixed-case account names. With this update, SSSD searches the object in the cache and uses the DN from the search result. This fixes the problem in the mentioned situation.
Clone Of: 1327270
Environment:
Last Closed: 2017-03-21 09:55:38 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0632 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-03-21 12:30:13 UTC

Description Jakub Hrozek 2016-04-14 15:58:47 UTC
+++ This bug was initially created as a clone of Bug #1327270 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2989

Currently there is an issue to create local overrides for some users when the AD provider is used. First it is not possible to create overrides for users from sub-domains. Second, it is not possible to create overrides for users with mixed-case names like e.g. 'Administrator', please note that the AD provider uses 'case_sensitive = False'

Comment 2 Jakub Hrozek 2016-04-14 16:01:15 UTC
 master:
    32dd0dd34193a7566d83adf6845f5194decc3304
    e45096aead1d2e2b8f8b2b386b420c5f62ad07d3
    3a8b5ccf7c27b72054e1d8b3ab355cb1e28efda9
    e6e2d1575ac7feb3494649f94ef51ef13cbdce48 
 sssd-1-13:
    279a9cd4e56522590f844a3ddde2235098065133
    baadb2467521b4da61e9c205d9549c750fad3eae
    a6c3abd6b9b23477ad6008852371937d16679778
    f3f312492a925e2efe1457a7cb8ab5b459eaef68

Comment 10 Niranjan Mallapadi Raghavender 2016-12-20 17:49:16 UTC
Versions:
========
Reproducer:

sssd-ldap-1.13.3-22.el6.x86_64
python-sssdconfig-1.13.3-22.el6.noarch
sssd-client-1.13.3-22.el6.x86_64
sssd-common-1.13.3-22.el6.x86_64
sssd-proxy-1.13.3-22.el6.x86_64
sssd-krb5-common-1.13.3-22.el6.x86_64
sssd-ipa-1.13.3-22.el6.x86_64
sssd-krb5-1.13.3-22.el6.x86_64
sssd-common-pac-1.13.3-22.el6.x86_64
sssd-ad-1.13.3-22.el6.x86_64
sssd-1.13.3-22.el6.x86_64
sssd-tools-1.13.3-22.el6.x86_64


AD Configurations
================

JUNO.TEST (parent domain controller)
JUPITER.JUNO.TEST (subdomain controller)



1. Override a AD user from parent domain

[root@hulk ~]# id idmfoo1@juno.test
uid=842004188(idmfoo1@juno.test) gid=842000513(domain users@juno.test) groups=842000513(domain users@juno.test),842004189(users@juno.test)

2. Set local unix id 5679
[root@hulk ~]# sss_override user-add idmfoo1@juno.test -u 5678

[root@hulk ~]# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

[root@hulk ~]# id idmfoo1@juno.test

[root@hulk ~]# id idmfoo1@juno.test
uid=5678(idmfoo1@juno.test) gid=842000513(domain users@juno.test) groups=842000513(domain users@juno.test),842004189(users@juno.test)


3. Override and AD user from sub domain JUPITER.JUNO.TEST

[root@hulk ~]# id idmjuno1@jupiter.juno.test
uid=725801105(idmjuno1@jupiter.juno.test) gid=725801105(idmjuno1@jupiter.juno.test) groups=725801105(idmjuno1@jupiter.juno.test),725800513

[root@hulk ~]# sss_override user-add idmjuno1@jupiter.juno.test -u 7890 
[root@hulk ~]# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]


[root@hulk ~]# id idmjuno1@jupiter.juno.test
uid=725801105(idmjuno1@jupiter.juno.test) gid=725801105(idmjuno1@jupiter.juno.test) groups=725801105(idmjuno1@jupiter.juno.test),725800513


4. Create a Mixed case username and override

[root@hulk ~]# id IdmFooBar@juno.test
uid=842004189(idmfoobar@juno.test) gid=842000513(domain users@juno.test) groups=842000513(domain users@juno.test),842004189(users@juno.test)

[root@hulk db]#  sss_override user-add IdmFooBar@juno.test -u 7890
SSSD needs to be restarted for the changes to take effect.


[root@hulk db]#  sss_override user-add IdmFooBar@juno.test -u 7890
SSSD needs to be restarted for the changes to take effect.
[root@hulk db]# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

[root@hulk db]# id IdmFooBar@juno.test
uid=7890(idmfoobar@juno.test) gid=842000513(domain users@juno.test) groups=842000513(domain users@juno.test)

[root@hulk db]# id idmfoobar@juno.test
uid=7890(idmfoobar@juno.test) gid=842000513(domain users@juno.test) groups=842000513(domain users@juno.test)

[root@hulk db]#  sss_override user-add IdmFooBar@juno.test -u 9870
[root@hulk db]# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

[root@hulk db]# id idmfoobar@juno.test
uid=9870(idmfoobar@juno.test) gid=842000513(domain users@juno.test) groups=842000513(domain users@juno.test)


5. Update sssd 
[root@hulk packages]# rpm -qa | grep sssd
python-sssdconfig-1.13.3-54.el6.noarch
sssd-krb5-common-1.13.3-54.el6.x86_64
sssd-krb5-1.13.3-54.el6.x86_64
sssd-tools-1.13.3-54.el6.x86_64
sssd-common-1.13.3-54.el6.x86_64
sssd-common-pac-1.13.3-54.el6.x86_64
sssd-ad-1.13.3-54.el6.x86_64
sssd-ldap-1.13.3-54.el6.x86_64
sssd-1.13.3-54.el6.x86_64
sssd-client-1.13.3-54.el6.x86_64
sssd-ipa-1.13.3-54.el6.x86_64
sssd-proxy-1.13.3-54.el6.x86_64
[root@hulk packages]# 

6. Verify able to override subdomains


[root@hulk packages]# id idmjuno1@jupiter.juno.test
uid=725801105(idmjuno1@jupiter.juno.test) gid=725801105(idmjuno1@jupiter.juno.test) groups=725801105(idmjuno1@jupiter.juno.test),725800513

[root@hulk packages]# sss_override user-add idmjuno1@jupiter.juno.test -u 7890
[root@hulk packages]# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[root@hulk packages]# id idmjuno1@jupiter.juno.test
uid=7890(idmjuno1@jupiter.juno.test) gid=725801105(idmjuno1@jupiter.juno.test) groups=725801105(idmjuno1@jupiter.juno.test),725800513

Comment 11 Niranjan Mallapadi Raghavender 2016-12-20 17:50:09 UTC
[root@hulk packages]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
domains = juno.test
services = nss, pam
case_sensitive = true

[domain/juno.test]
id_provider = ad
auth_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
use_fully_qualified_names = True
debug_level = 9
enumerate = true

Comment 12 Niranjan Mallapadi Raghavender 2016-12-20 17:53:46 UTC
With regard to Mixed usernames, i could not reproduce the issue as you can see in step4- comment #10. 

So is there any specific usecase or the steps that can be provided to reproduce the issue and see if the updated package fixes the issue.

Comment 13 Jakub Hrozek 2016-12-20 20:14:45 UTC
(In reply to Niranjan Mallapadi Raghavender from comment #12)
> With regard to Mixed usernames, i could not reproduce the issue as you can
> see in step4- comment #10. 
> 
> So is there any specific usecase or the steps that can be provided to
> reproduce the issue and see if the updated package fixes the issue.

Dan already verified this bug in RHEL-7. See his reproducer in https://bugzilla.redhat.com/show_bug.cgi?id=1327270#c4

Comment 14 Niranjan Mallapadi Raghavender 2016-12-21 06:38:01 UTC
Thanks for the update. Below are the commands to override name 
[root@hulk packages]# sss_override  user-add -n  AdminChild Administrator@jupiter.juno.test
[root@hulk packages]# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[root@hulk packages]# id AdminChild@jupiter.juno.test
uid=725800500(adminchild@jupiter.juno.test) gid=725800500(adminchild@jupiter.juno.test) groups=725800500(adminchild@jupiter.juno.test),725800513

[root@hulk packages]# id adminchild@jupiter.juno.test
uid=725800500(adminchild@jupiter.juno.test) gid=725800500(adminchild@jupiter.juno.test) groups=725800500(adminchild@jupiter.juno.test),725800513

Comment 16 errata-xmlrpc 2017-03-21 09:55:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0632.html


Note You need to log in before you can comment on or make changes to this bug.