Bug 1487040 - sssd does not evaluate AD UPN suffixes which results in failed user logins
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.9
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: ipa-qe
Duplicates: 1489125
Depends On:
Blocks: 1461138 1504542
Reported: 2017-08-31 06:28 UTC by Abhinay Reddy Peddireddy
Modified: 2021-12-10 15:14 UTC

Fixed In Version: sssd-1.13.3-59.el6
Last Closed: 2018-06-19 05:13:47 UTC


System | ID | Private | Priority | Status | Summary | Last Updated
Github SSSD sssd issues | 4531 | 0 | None | closed | Backport 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469 which fixes UPN login issues to sssd-1-13 | 2020-08-14 19:30:21 UTC
Red Hat Product Errata | RHSA-2018:1877 | 0 | None | None | None | 2018-06-19 05:15:04 UTC

Description Abhinay Reddy Peddireddy 2017-08-31 06:28:38 UTC
Description of problem:

Request to implement this same feature of allowing logins to AD users which have UPN principals as described here (https://bugzilla.redhat.com/show_bug.cgi?id=1441077) for RHEL 6.9 IPA clients.  

Version-Release number of selected component (if applicable):


Comment 2 Jakub Hrozek 2017-08-31 19:20:06 UTC
We believe this was fixed with upstream commit 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469; therefore, I'm marking the bug as POST and I'll provide test builds soon.

Comment 6 Jakub Hrozek 2017-10-11 14:11:39 UTC
Upstream ticket:

Comment 7 Lukas Slebodnik 2017-10-13 08:34:52 UTC
* 3542fe821765cad1f25f6c2a077b55fc1d7d0553
* 7f95edc43d9fc410aab5712552e17f28932ba344
* 07db882d99e2036be94dd305ba50587733b5f3a1
* 6b55915c3939da6e2474633d79783f838627a4b1

Comment 13 Martin Kosek 2017-11-30 11:33:03 UTC
*** Bug 1489125 has been marked as a duplicate of this bug. ***

Comment 23 Jakub Hrozek 2018-02-14 16:58:02 UTC
PR with the additional patches: https://github.com/SSSD/sssd/pull/514

Comment 24 Jakub Hrozek 2018-02-14 16:58:41 UTC
I'm also switching the bug back to ASSIGNED to make it clear additional patches must be merged.

Comment 25 Lukas Slebodnik 2018-02-23 08:59:49 UTC
* 99afca8926fb211774de457e750dea27da8ac3a9
* 42dbd7ee691ffef8b136fc310128aadfd91fd70c
* f6afb6f9418735bcfd125eb2bb2ffeeb5cc07d99

Comment 28 anuja 2018-03-20 07:48:13 UTC
Verified using:

master :  (7.5)

client :  (6.10)

[root@master ~]# ipa trust-find
1 trust matched
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust type: Active Directory domain
  UPN suffixes: upn14.in, tomupn14.in, upn2016.in, newad2016.test
Number of entries returned 1

[root@master ~]# id aduser10
uid=1577602635(aduser10) gid=1577602635(aduser10) groups=1577602635(aduser10),1577600513(domain users)

[root@client~]# ssh -l aduser10 master.tomupn14.test
Could not chdir to home directory /home/ipaad2016.test/aduser10: No such file or directory
-sh-4.2$ whoami 
-sh-4.2$ id
uid=1577602635(aduser10) gid=1577602635(aduser10) groups=1577602635(aduser10),1577600513(domain users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@client ~]# kinit -E aduser10
Password for aduser10\@tomupn14.in: 
[root@client ~]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser10\@tomupn14.in@IPAAD201 FILE:/tmp/krb5cc_0

Comment 35 errata-xmlrpc 2018-06-19 05:13:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

