Description of problem: The ipa-extdom-extop plugin has just one method for resolving group names and user names, and the '@' character is used for detecting a user principal name, which may have alternative suffixes. A username (the short part before @) can't contain '@' but a group name can. This shared logic doesn't work for groups like my@group. The protocol for SSSD<->ipa-extdom-extop communication has to be extended to add separate calls for user and group resolution. This change will also improve the response time of group name resolution, because the original call tries to resolve the name as a username and, when that fails, tries to resolve it as a group name.
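A simplified model of the behaviour described above, added here as an illustration; it is not code from the plugin or from SSSD. The request type names, the sample directory and the domain ad.example are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample directory for one trusted domain; names are made up. */
static const char *USERS[]  = { "alice@ad.example", NULL };
static const char *GROUPS[] = { "admins@ad.example", "my@group@ad.example", NULL };

enum kind { NOT_FOUND = 0, IS_USER, IS_GROUP };
/* Hypothetical request types: one shared (untyped) call and two typed calls. */
enum req { REQ_NAME, REQ_USERNAME, REQ_GROUPNAME };

int last_lookups; /* directory lookups spent on the most recent request */

static int in_list(const char **list, const char *fq) {
    for (; *list; list++) if (strcmp(*list, fq) == 0) return 1;
    return 0;
}

/* Build the fully qualified name. Only the shared or user call may read '@'
 * as "this name already carries a UPN suffix"; a group name is always
 * qualified with the domain given in the request. */
static void qualify(enum req r, const char *name, const char *dom, char *out, size_t n) {
    if (r != REQ_GROUPNAME && strchr(name, '@') != NULL)
        snprintf(out, n, "%s", name);
    else
        snprintf(out, n, "%s@%s", name, dom);
}

enum kind resolve(enum req r, const char *name, const char *dom) {
    char fq[256];
    qualify(r, name, dom, fq, sizeof(fq));
    last_lookups = 0;
    if (r != REQ_GROUPNAME) {            /* shared call tries users first */
        last_lookups++;
        if (in_list(USERS, fq)) return IS_USER;
    }
    if (r != REQ_USERNAME) {             /* then falls back to groups */
        last_lookups++;
        if (in_list(GROUPS, fq)) return IS_GROUP;
    }
    return NOT_FOUND;
}

int main(void) {
    printf("shared call, my@group -> %d\n", resolve(REQ_NAME, "my@group", "ad.example"));
    printf("group call,  my@group -> %d\n", resolve(REQ_GROUPNAME, "my@group", "ad.example"));
    return 0;
}
```

In this model the shared call misses my@group after two lookups, while the group call finds it in one; an ordinary group such as admins resolves either way but costs the shared call an extra failed user lookup.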
Fixed upstream:

master:
  https://github.com/freeipa/freeipa/commit/e5f04258b5b3fb6c04c28ddd38ae251c822e80bc
  https://github.com/freeipa/freeipa/commit/5f898c3c614f4165f0eb15c3aad2157689fbbcfe
  https://github.com/freeipa/freeipa/commit/84b6c0f53b9ebdd4c01181898499bb6992aa9e8a
  https://github.com/freeipa/freeipa/commit/bddf64b9da2df21a14022109ae989bd5408bf14b

ipa-4-8:
  https://github.com/freeipa/freeipa/commit/51723c73f48098ee123a3216fb577194555f0a3f
  https://github.com/freeipa/freeipa/commit/9253c18b1d199cc723ddb9b1c4b41a35b6861234
  https://github.com/freeipa/freeipa/commit/d8a6b21d7ee6b91e60c45da4c9668d22ca9d0c6e
  https://github.com/freeipa/freeipa/commit/13a37fb43f4c43f4eea5aa6650bf7488d85675e7

ipa-4-7:
  https://github.com/freeipa/freeipa/commit/2e8a2a564a46a2a4f04236e08dda26d6126135ea
  https://github.com/freeipa/freeipa/commit/b442b82b4a4c80b9e7992b33eb008f4f0dea44e2
  https://github.com/freeipa/freeipa/commit/5340a03e30d37015777eafb58d7f36fc3d81c5eb
  https://github.com/freeipa/freeipa/commit/f8b070587c5c2779b6b76237d1c712a0947f9438

ipa-4-6:
  https://github.com/freeipa/freeipa/commit/b182a96226de46b6d194fb924b7374d923c14733
  https://github.com/freeipa/freeipa/commit/20612db06516ec59922827e16f5226d21815751a
  https://github.com/freeipa/freeipa/commit/0a1ad84adfedc141fbbaece3a7dee1ade69c1fdc
  https://github.com/freeipa/freeipa/commit/9a140cdc269bbde9e9ebb99d9cd8c643a94afb6c
Test added upstream master: https://pagure.io/freeipa/c/4f09416f2f01cee03213f7d5186fe1a7104e6d66 https://pagure.io/freeipa/c/0a4bec2a1f2a1fbf6b6b05a5cdbdf5bf08d66344
Test added upstream ipa-4-8: https://pagure.io/freeipa/c/2d0da2f9aff2e6256ae9f43838ca24335381e7e8 https://pagure.io/freeipa/c/985c99fc7ad6fdd30d428d099e006b1a0836a87d
Test added upstream ipa-4-7: https://pagure.io/freeipa/c/9a0f6cb2582e265a5d1bb87aaff6049ccd5a5b35 https://pagure.io/freeipa/c/b0ad2c432362e88764bb11e14cc852c2616fd952
Test added upstream ipa-4-6: https://pagure.io/freeipa/c/a736449a217dc38e98054e8018fe7c7fd11f54be https://pagure.io/freeipa/c/2e4e1b37a71d7a9d8bd834fefcc241eaac19e1e7
Test verified using existing automation: test_integration/test_sssd.py::TestSSSDWithAdTrust::test_extdom_group

Using version:
  ipa-server-4.8.4-6.module+el8.2.0+5773+68ace8c5.x86_64
  ipa-client-4.8.4-6.module+el8.2.0+5774+71f22ff9.x86_64

Test log:

===================================================== test session starts =====================================================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.3, pluggy-0.6.0 -- /usr/libexec/platform-python
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-179.el8.x86_64-x86_64-with-redhat-8.2-Ootpa', 'Packages': {'pytest': '3.4.2', 'py': '1.5.3', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.8.0', 'html': '1.22.1', 'sourceorder': '0.5', 'multihost': '3.0'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.8.0, html-1.22.1, sourceorder-0.5, multihost-3.0
collected 10 items

test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_disabled_by_default[ipa] PASSED [ 10%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_disabled_by_default[ad] PASSED [ 20%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_disabled_with_value_0[ipa] PASSED [ 30%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_disabled_with_value_0[ad] PASSED [ 40%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_enabled_when_configured[ipa] PASSED [ 50%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_auth_cache_enabled_when_configured[ad] PASSED [ 60%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered[ad] PASSED [ 70%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered[fakeuser] PASSED [ 80%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_extdom_group PASSED [ 90%]
test_integration/test_sssd.py::TestSSSDWithAdTrust::test_external_group_paging PASSED [100%]

--------------------------- generated xml file: /usr/lib/python3.6/site-packages/ipatests/junit.xml ---------------------------
================================================ 10 passed in 1024.88 seconds =================================================
[root@runner ipatests]#

Based on this marking bz as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:1640