## Description of problem ##

Trusted AD user information cannot be retrieved from IPA clients if the trusted user name contains upper/mixed-case characters and is configured with overrides. The IdM server is able to see the user running the same package release. The operation returns:

~~~
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_next] (0x0040): [RID#2] s2n exop request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_done] (0x0040): [RID#2] s2n get_fqlist request failed.
~~~

## Version-Release number of selected component (if applicable) ##

sssd-2.7.3-4.el8_7.3.x86_64

## How reproducible ##

Always

## Steps to Reproduce ##

1. Deploy a user in AD with an uppercase/mixed-case name (e.g., Con81001)
2. Configure an override for this user in IPA (sshPublicKey)
3. Perform a user lookup or authentication attempt

## Actual results ##

id: ‘con81001.com’: no such user

## Expected results ##

uid=645601103(con81001.com) gid=645601103(con81001.com) groups=645601103(con81001.com)

## Additional info ##

The request from the client fails with:

~~~
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_step] (0x0400): [RID#2] Sending request_type: [REQ_FULL_WITH_MEMBERS] for object [con81001.com].
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_send] (0x0400): [RID#2] Executing extended operation
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_send] (0x2000): [RID#2] ldap_extended_operation sent, msgid = 17
-- snip --
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [17][server: [172.20.90.211:389] IPA EXOP] took [207.742] milliseconds.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_done] (0x0040): [RID#2] ldap_extended_operation result: No such object(32), (null).
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_op_destructor] (0x2000): [RID#2] Operation 17 finished
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_next] (0x0040): [RID#2] s2n exop request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_done] (0x0040): [RID#2] s2n get_fqlist request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_id_op_done] (0x4000): [RID#2] releasing operation connection
~~~
Hi,

the issue boils down to looking up the user-private group of an AD user with a mixed-case (or only upper-case) name in AD which has an idoverride which does not override the name on the IPA server.

How to reproduce:

- setup IPA with trust to an AD forest with idrange type 'ipa-ad-trust'
- create an idoverride with an ssh key for the Administrator user, which by default has a mixed-case name: `ipa idoverrideuser-add 'Default Trust View' Administrator --sshpubkey=AAAAB.....`
- look up the user-private group of the Administrator on the IPA server: `getent group administrator`
- without a fix the lookup will fail

The reason is a case-sensitive comparison in sysdb_getgrnam() in the check if the input name was the original AD group name or an overwritten one.

bye,
Sumit
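The comment above attributes the failure to a case-sensitive string comparison in the check that decides whether a requested name is the original AD name or the overridden one. The following is an added illustration of that failure mode and is not SSSD's code: `struct cached_group`, `classify_name_buggy()` and `classify_name_fixed()` are hypothetical stand-ins for the sysdb lookup, and the sample entries are constructed. The upstream commits on this page say only "fix string comparison", so treating the fix as an ASCII case-insensitive comparison (`ascii_casecmp()` below) is an assumption about its shape, not a description of the actual patch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a cached group entry that has an
 * id override attached. This is NOT SSSD's sysdb structure. */
struct cached_group {
    const char *orig_name;     /* name as stored from AD, e.g. "Administrator" */
    const char *override_name; /* name set by the override, or NULL when the
                                * override leaves the name untouched (the
                                * ssh-key-only override from the report) */
};

enum name_match {
    NAME_NO_MATCH = 0,         /* the lookup fails: "no such user/group" */
    NAME_MATCHES_ORIGINAL = 1, /* requested name is the original AD name */
    NAME_MATCHES_OVERRIDE = 2  /* requested name is the overridden name */
};

typedef int (*name_cmp_fn)(const char *, const char *);

/* Standard-C ASCII case-insensitive comparison (same contract as strcmp),
 * used here instead of the POSIX strcasecmp() so the block needs no
 * feature-test macros. */
static int ascii_casecmp(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb) {
            return ca - cb;
        }
        a++;
        b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Shared check: decide whether the requested name refers to the original AD
 * name or to the overridden one. Only the comparison function differs. */
static enum name_match classify_name(const struct cached_group *g,
                                     const char *requested, name_cmp_fn cmp)
{
    if (g->override_name != NULL && cmp(g->override_name, requested) == 0) {
        return NAME_MATCHES_OVERRIDE;
    }
    if (cmp(g->orig_name, requested) == 0) {
        return NAME_MATCHES_ORIGINAL;
    }
    return NAME_NO_MATCH;
}

/* Buggy variant: byte-exact strcmp(). A lower-cased request such as
 * "administrator" never matches the stored "Administrator", so the entry is
 * treated as not found, which is the failure the report describes. */
enum name_match classify_name_buggy(const struct cached_group *g,
                                    const char *requested)
{
    return classify_name(g, requested, strcmp);
}

/* Fixed variant (assumed shape of the fix): case-insensitive comparison,
 * matching how AD treats account names. */
enum name_match classify_name_fixed(const struct cached_group *g,
                                    const char *requested)
{
    return classify_name(g, requested, ascii_casecmp);
}

static const char *match_str(enum name_match m)
{
    switch (m) {
    case NAME_MATCHES_ORIGINAL: return "matches original AD name";
    case NAME_MATCHES_OVERRIDE: return "matches overridden name";
    default:                    return "no match -> lookup fails";
    }
}

int main(void)
{
    /* Constructed sample entries: "Administrator" with an ssh-key-only
     * override (as in the reproducer), and a second entry whose override does
     * rename the group, to exercise the override branch as well. */
    const struct cached_group upg_admin = { "Administrator", NULL };
    const struct cached_group upg_renamed = { "Con81001", "con81001-alias" };

    /* The request arrives lower-cased, as in "getent group administrator". */
    printf("buggy : administrator  -> %s\n",
           match_str(classify_name_buggy(&upg_admin, "administrator")));
    printf("fixed : administrator  -> %s\n",
           match_str(classify_name_fixed(&upg_admin, "administrator")));
    printf("fixed : CON81001-ALIAS -> %s\n",
           match_str(classify_name_fixed(&upg_renamed, "CON81001-ALIAS")));
    printf("fixed : nobody         -> %s\n",
           match_str(classify_name_fixed(&upg_renamed, "nobody")));
    return 0;
}
```

The buggy variant reports "no match" for `administrator` against a stored `Administrator`, which is the path that surfaces as `no such user` in the report; the fixed variant classifies the same request as the original AD name and also matches a renamed override regardless of case, while a name that belongs to neither still fails.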
Upstream PR: https://github.com/SSSD/sssd/pull/6721
Pushed PR: https://github.com/SSSD/sssd/pull/6721

* `master`
    * 01d02794e02f051ea9a78cd63b30384de3e7c9b0 - sysdb: fix string comparison when checking for overrides
* `sssd-2-9`
    * d104c01f1b3198779addee8178b10b047e64deb9 - sysdb: fix string comparison when checking for overrides