Bug 1959364 - <sssd> getent passwd /id cannot return users information with shortnames
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: sssd-qe
Reported: 2021-05-11 11:33 UTC by terry ji
Modified: 2023-06-28 07:25 UTC

Last Closed: 2022-01-13 14:41:17 UTC


Attachments
deployment-script (7.66 KB, text/plain), 2021-05-11 11:33 UTC, terry ji
sssd logs with debug_level = 8 (76.66 KB, application/gzip), 2021-05-11 11:34 UTC, terry ji


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5626 0 None open <sssd> getent passwd /id cannot return users information with shortnames. 2021-11-09 07:47:05 UTC

Description terry ji 2021-05-11 11:33:34 UTC
Created attachment 1781991
deployment-script

# Topology
```
       /\                                                      /\
      /  \                                                    /  \
     /    \                                                  /    \
    /      \                                                /      \
   /        \     One way cross forest transitive trust    /        \
  /          \ <----------------------------------------- /          \
 /EXAMPLE.COM\                                           /MYDOMAIN.COM\
/______________\                                        /______________\
   \                                                           |
    \                                                           |
     \                                                          |
      \       One way cross forest transitive trust +-----------------------+
      /\   <-----------------------------------     | RHEL7.9 joined        |
     /  \                                           | to the above domain   |
    /CHILD\                                          +-----------------------+
   /______\
```

1. RHEL7.9 uses realm join MYDOMAIN.COM
2. And uses adcli join CHILD.EXAMPLE.COM
3. MYDOMAIN.COM has a one way: outgoing trust to EXAMPLE.COM and CHILD.EXAMPLE.COM

# Issues
1. I use the following script to add a RHEL7 client to AD
[ad-sssd-rhel7-v2.txt](https://github.com/SSSD/sssd/files/6458299/ad-sssd-rhel7-v2.txt)

2. sssd version is:
```
[root@ip-172-31-7-69 ~]# rpm -qa | grep sssd
python-sssdconfig-1.16.5-10.el7_9.7.noarch
sssd-client-1.16.5-10.el7_9.7.x86_64
sssd-krb5-common-1.16.5-10.el7_9.7.x86_64
sssd-ipa-1.16.5-10.el7_9.7.x86_64
sssd-krb5-1.16.5-10.el7_9.7.x86_64
sssd-proxy-1.16.5-10.el7_9.7.x86_64
sssd-common-1.16.5-10.el7_9.7.x86_64
sssd-common-pac-1.16.5-10.el7_9.7.x86_64
sssd-ad-1.16.5-10.el7_9.7.x86_64
sssd-ldap-1.16.5-10.el7_9.7.x86_64
sssd-1.16.5-10.el7_9.7.x86_64
```

3. user `terry-child` is from domain CHILD.EXAMPLE.COM; `terry-example` is from domain EXAMPLE.COM and `admin` is from domain MYDOMAIN.COM. Only id terry-child and admin can return correct information.
```
[root@ip-172-31-7-69 ~]# id admin
uid=704201113(admin) gid=704200513(domain users) groups=704200513(domain users)
[root@ip-172-31-7-69 ~]# id terry-child
uid=1872601114(terry-child) gid=1872600513(domain users) groups=1872600513(domain users)
```

4. `id terry-example` will return `no such user` unless I use the fully qualified user name
```
[root@ip-172-31-7-69 ~]# id terry-example
id: terry-example: no such user
[root@ip-172-31-7-69 ~]# id terry-example
uid=1952601113(terry-example) gid=1952601113(terry-example) groups=1952601113(terry-example),1952600513(domain users)
```

5. Both uid and gid will be mapped to `terry-example`, but the users from the domain the Linux client joined directly will be mapped to terry-child and domain users.
```
[root@ip-172-31-7-69 ~]# ll /home/
total 0
drwx------. 2 terry-child               domain users              83 May 11 10:22 terry-child
drwx------. 2 terry-example terry-example 83 May 11 09:07 terry-example
```

# Action Required

1. id/getent passwd shortname of a user from trusted subdomain returns correct information
2. uid and gid should be mapped to the shortnames of a user

# sssd logs
[sssd.tar.gz](https://github.com/SSSD/sssd/files/6458827/sssd.tar.gz)

Comment 2 terry ji 2021-05-11 11:34:53 UTC
Created attachment 1781992 [details]
sssd logs with debug_level = 8

Comment 3 Sumit Bose 2021-11-23 09:18:53 UTC
Hi,

please see my comment in https://github.com/SSSD/sssd/issues/5626. Let's continue there for the time being.

bye,
Sumit

