Bug 1487040 - sssd does not evaluate AD UPN suffixes which results in failed user logins
Summary: sssd does not evaluate AD UPN suffixes which results in failed user logins
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Duplicates: 1489125
Depends On:
Blocks: 1461138 1504542
 
Reported: 2017-08-31 06:28 UTC by Abhinay Reddy Peddireddy
Modified: 2018-08-31 16:32 UTC (History)

Fixed In Version: sssd-1.13.3-59.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-19 05:13:47 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1877 None None None 2018-06-19 05:15:04 UTC

Description Abhinay Reddy Peddireddy 2017-08-31 06:28:38 UTC
Description of problem:

Request to implement this same feature of allowing logins to AD users which have UPN principals as described here (https://bugzilla.redhat.com/show_bug.cgi?id=1441077) for RHEL 6.9 IPA clients.  


Version-Release number of selected component (if applicable):

sssd-1.13.3-57.el6_9.x86_64.rpm

Comment 2 Jakub Hrozek 2017-08-31 19:20:06 UTC
We believe this was fixed with upstream commit 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469; therefore, I'm marking the bug as POST and I'll provide test builds soon.

Comment 6 Jakub Hrozek 2017-10-11 14:11:39 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3505

Comment 7 Lukas Slebodnik 2017-10-13 08:34:52 UTC
sssd-1-13:
* 3542fe821765cad1f25f6c2a077b55fc1d7d0553
* 7f95edc43d9fc410aab5712552e17f28932ba344
* 07db882d99e2036be94dd305ba50587733b5f3a1
* 6b55915c3939da6e2474633d79783f838627a4b1

Comment 13 Martin Kosek 2017-11-30 11:33:03 UTC
*** Bug 1489125 has been marked as a duplicate of this bug. ***

Comment 23 Jakub Hrozek 2018-02-14 16:58:02 UTC
PR with the additional patches: https://github.com/SSSD/sssd/pull/514

Comment 24 Jakub Hrozek 2018-02-14 16:58:41 UTC
I'm also switching the bug back to ASSIGNED to make it clear additional patches must be merged.

Comment 25 Lukas Slebodnik 2018-02-23 08:59:49 UTC
sssd-1-13:
* 99afca8926fb211774de457e750dea27da8ac3a9
* 42dbd7ee691ffef8b136fc310128aadfd91fd70c
* f6afb6f9418735bcfd125eb2bb2ffeeb5cc07d99

Comment 28 anuja 2018-03-20 07:48:13 UTC
Verified using:

master :  (7.5)
----------------------------
sssd-1.16.0-19.el7.x86_64
ipa-server-4.5.4-10.el7.x86_64
pki-ca-10.5.1-9.el7.noarch
krb5-server-1.15.1-18.el7.x86_64

client :  (6.10)
----------------------------
ipa-client-3.0.0-51.el6.x86_64
ipa-python-3.0.0-51.el6.x86_64
sssd-1.13.3-60.el6.x86_64

[root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust type: Active Directory domain
  UPN suffixes: upn14.in, tomupn14.in, upn2016.in, newad2016.test
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# id aduser10@tomupn14.in
uid=1577602635(aduser10@ipaad2016.test) gid=1577602635(aduser10@ipaad2016.test) groups=1577602635(aduser10@ipaad2016.test),1577600513(domain users@ipaad2016.test)

[root@client~]# ssh -l aduser10@tomupn14.in master.tomupn14.test
Password: 
Could not chdir to home directory /home/ipaad2016.test/aduser10: No such file or directory
-sh-4.2$ whoami 
aduser10@ipaad2016.test
-sh-4.2$ id
uid=1577602635(aduser10@ipaad2016.test) gid=1577602635(aduser10@ipaad2016.test) groups=1577602635(aduser10@ipaad2016.test),1577600513(domain users@ipaad2016.test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@client ~]# kinit -E aduser10@tomupn14.in
Password for aduser10\@tomupn14.in@TOMUPN14.TEST: 
[root@client ~]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser10\@tomupn14.in@IPAAD201 FILE:/tmp/krb5cc_0

Comment 35 errata-xmlrpc 2018-06-19 05:13:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1877

