Bug 768168 - [RFE] Allow Constructing uid from Active Directory objectSid
Summary: [RFE] Allow Constructing uid from Active Directory objectSid
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 736854 998474
Reported: 2011-12-15 22:25 UTC by Dmitri Pal
Modified: 2020-05-02 16:25 UTC (History)

Fixed In Version: sssd-1.9.1-1.el6
Doc Type: Enhancement
Doc Text:
Cause: Some Active Directory deployments do not carry the POSIX attributes such as UID number at all.
Consequence: In order to use accounts from Active Directory in a Linux environment, the AD administrators would have to enable a special Services for UNIX extension with older AD servers and assign UID and GID numbers.
Change: A new ID mapping library was implemented in the SSSD. The ID mapping library is capable of automatically generating UNIX IDs from Windows Security Identifiers (SIDs).
Result: The administrator is able to use Windows accounts easily in a UNIX environment.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:34:48 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | SSSD sssd issues 2038 | 0 | None | None | None | 2020-05-02 16:25:18 UTC
Red Hat Product Errata | RHSA-2013:0508 | 0 | normal | SHIPPED_LIVE | Low: sssd security, bug fix and enhancement update | 2013-02-20 21:30:10 UTC

Description Dmitri Pal 2011-12-15 22:25:15 UTC
In Active Directory with no Identity Management for Unix Role Service enabled there is no uid attribute available but the user id could be constructed from objectSid. This is what winbind's idmap_rid(8) and nss-pam-ldapd do:

 http://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html
 http://lists.arthurdejong.org/nss-pam-ldapd-users/2011/msg00213.html
 http://arthurdejong.org/viewvc/nss-pam-ldapd?view=revision&revision=1425

It would make using SSSD against AD easier if something like this would be available in SSSD, too.

https://fedorahosted.org/sssd/ticket/996
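
The RID-offset mapping documented in the idmap_rid(8) page linked above (ID = RID - BASE_RID + LOW_RANGE_ID), applied to a binary objectSid value. This is an added example, not SSSD's code and not the ID mapping library's own algorithm; the sample SID, the ID range, the function names and the rule that the range must start above zero are assumptions made for illustration.

```python
import struct

def parse_object_sid(blob: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])    # 32-bit each, little-endian
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))

def rid_to_unix_id(sid, domain_sid, range_low, range_high, base_rid=0):
    """Apply the idmap_rid(8) formula: ID = RID - BASE_RID + LOW_RANGE_ID."""
    # Example policy (assumption): never hand out ID 0 or an inverted range.
    if not 0 < range_low <= range_high:
        raise ValueError("ID range must be positive and ordered")
    prefix, _, rid = sid.rpartition("-")
    # A SID from another domain would reuse the same RIDs and collide.
    if prefix != domain_sid:
        raise ValueError("SID does not belong to the configured domain")
    unix_id = int(rid) - base_rid + range_low
    # Reject IDs that would spill into ranges owned by something else.
    if not range_low <= unix_id <= range_high:
        raise ValueError("RID %s maps outside the configured range" % rid)
    return unix_id

# Constructed sample data: a made-up domain SID and a user with RID 1105.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_OBJECT_SID = (
    bytes([1, 5])                     # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")          # identifier authority 5 (NT Authority)
    + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1105)
)

if __name__ == "__main__":
    sid = parse_object_sid(SAMPLE_OBJECT_SID)
    print(sid, "->", rid_to_unix_id(sid, DOMAIN_SID, 200000, 399999))
```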

Comment 1 RHEL Program Management 2012-07-10 07:07:02 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2012-07-11 02:03:16 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 4 Kaushik Banerjee 2012-11-16 08:54:16 UTC
Verified in version 1.9.2-13

Report from baker automation run:
[   PASS   ]      idmap_001 ldap provider
[   PASS   ]      idmap_002 ldap provider,idmapping=false
[   PASS   ]      idmap_003 ldap_idmap_range_size is more than the difference of max-min
[   PASS   ]      idmap_004 ldap_idmap_range_min is negative
[   PASS   ]      idmap_005 ldap_idmap_range_max or ldap_idmap_range_min is a very large
[   PASS   ]      idmap_006 All values are negative
[   PASS   ]      idmap_007 ldap_idmap_range_min is zero
[   PASS   ]      idmap_008 ldap_idmap_range_max is less than ldap_idmap_range_min
[   PASS   ]      idmap_009 ldap_idmap_default_domain_sid=junk
[   PASS   ]      idmap_010 ldap_idmap_default_domain_sid=<doesn't match the AD domain sid>
[   PASS   ]      idmap_011 ldap_idmap_default_domain_sid=<matches the AD domain sid>
[   PASS   ]      idmap_012 ldap_idmap_autorid_compat=true and ldap_idmap_default_domain_sid is not mentioned
[   PASS   ]      idmap_013 ldap_idmap_autorid_compat=true and and ldap_idmap_default_domain_sid is not matching the AD domain SID

Comment 5 errata-xmlrpc 2013-02-21 09:34:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

