Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 862377

Summary: sssd, case sensitive usernames when connected to Windows 2008 R2.
Product: Red Hat Enterprise Linux 6
Component: sssd
Version: 6.0
Hardware: x86_64
OS: Linux
Status: CLOSED WORKSFORME
Severity: medium
Priority: unspecified
Reporter: hodson.chris
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Kaushik Banerjee <kbanerje>
CC: grajaiya, jgalipea, jhrozek
Target Milestone: rc
Target Release: ---
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-10-16 16:27:45 UTC
Attachments: Requested information (flags: none)

Description hodson.chris 2012-10-02 18:24:20 UTC
Description of problem:
Upgraded to latest sssd.
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.8.0                             Vendor: Red Hat, Inc.
Release     : 32.el6                        Build Date: Tue 29 May 2012 09:03:49 AM MST
Install Date: Tue 02 Oct 2012 09:25:38 AM MST      Build Host: x86-009.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.8.0-32.el6.src.rpm

Attempting to use case_sensitive=false for usernames. After utilizing this setting and restarting sssd, the usernames appear all lowercase in getent passwd. I am unable to use the username though. 

Ex. This is with the case_sensitive=false.
getent passwd

hodsonc:*:38493:4343242::/home/blah:/bin/bash

id hodsonc
id: hodsonc: No such user

If I turn case_sensitive=false back to true or comment it out, I am able to use this username. It appears as HodsonC when I turn off case_sensitive.
It is desirable to use case_sensitive=false in our environment in our attempted migration to AD from OpenLDAP.

Version-Release number of selected component (if applicable):
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.8.0                             Vendor: Red Hat, Inc.
Release     : 32.el6                        Build Date: Tue 29 May 2012 09:03:49 AM MST
Install Date: Tue 02 Oct 2012 09:25:38 AM MST      Build Host: x86-009.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.8.0-32.el6.src.rpm
Size        : 7888642                          License: GPLv3+
Signature   : RSA/8, Tue 29 May 2012 07:05:21 PM MST, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Description :


How reproducible: Every time


Steps to Reproduce:
1. Set case_sensitive=false in /etc/sssd/sssd.conf, restart sssd service
2. Attempt to log in with the now case-insensitive username. User will not exist.
3. Set case_sensitive=true or comment it out in /etc/sssd/sssd.conf. User will work again with the case-sensitive name.
  
Actual results:
Case sensitivity disable does not work.

Expected results:
A cased username, like HodsonC will work as hodsonc once case_sensitive =false.

Additional info:

Comment 1 hodson.chris 2012-10-02 18:25:20 UTC
Note this is while connected to a Windows 2008R2 Active Directory.

Comment 2 Stephen Gallagher 2012-10-02 18:29:17 UTC
Please attach the relevant sections of /var/log/secure, as well as a (sanitized) /etc/sssd/sssd.conf.

Ideally, please add 'debug_level = 8' to the [domain/DOMAINNAME] section, restart SSSD, reproduce the issue (with case_sensitive = False) and send us /var/log/sssd/sssd_DOMAINNAME.log and /var/log/sssd/krb5_child.log.

This will give us the information we need to debug your issue.

Comment 4 hodson.chris 2012-10-02 19:13:48 UTC
Created attachment 620456
Requested information

Comment 5 hodson.chris 2012-10-02 19:32:08 UTC
I missed the log for /var/log/secure. Here is a relevant line.


Oct  2 12:31:00 rhel6adtest sshd[30743]: Invalid user hodsonc from 1.1.1.1
Oct  2 12:31:00 rhel6adtest sshd[30747]: input_userauth_request: invalid user hodsonc
Oct  2 12:31:01 rhel6adtest sshd[30747]: Connection closed by 1.1.1.1

Comment 6 Jakub Hrozek 2012-10-03 12:19:41 UTC
It seems that the SSSD cannot connect to the AD server:

------
(Tue Oct  2 11:48:37 2012) [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: RHEL6$@RHTEST.ORB
(Tue Oct  2 11:48:37 2012) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
------

so my guess is that the getent is actually returning data from the cache only.

Do you need to use the ldap_sasl_authid you specified and not the default host/fqdn@REALM principal? I also wonder if the DNS resolution is OK in your environment.

Are you able to perform a search against the AD server, e.g. with ldapsearch -Y GSSAPI after acquiring the credentials with kinit -k?
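
An added example, not part of the original comment and not SSSD project code: a small triage script that scans an SSSD backend log for the failed SASL bind quoted in comment 6 and pairs it with the bind attempt that preceded it, the condition under which lookups may be answered from the cache only. The line format is inferred from the two log lines quoted above; the function name and record fields are hypothetical.

```python
import re

# Sample input: the two backend log lines quoted in comment 6.
SAMPLE_LOG = """\
(Tue Oct  2 11:48:37 2012) [sssd[be[default]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: RHEL6$@RHTEST.ORB
(Tue Oct  2 11:48:37 2012) [sssd[be[default]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
"""

# (timestamp) [process] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
DOMAIN_RE = re.compile(r"be\[(?P<domain>[^\]]+)\]")
BIND_START_RE = re.compile(
    r"Executing sasl bind mech: (?P<mech>[^,\s]+), user: (?P<user>\S+)")
BIND_FAIL_RE = re.compile(
    r"ldap_sasl_bind failed \((?P<code>-?\d+)\)\[(?P<text>[^\]]*)\]")


def find_bind_failures(log_text):
    """Return one record per failed SASL bind, paired with the prior attempt."""
    findings = []
    pending = {}  # domain -> (mech, principal) of the latest bind attempt
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        dom = DOMAIN_RE.search(m["proc"])
        domain = dom["domain"] if dom else None
        start = BIND_START_RE.search(m["msg"])
        if start:
            pending[domain] = (start["mech"], start["user"])
            continue
        fail = BIND_FAIL_RE.search(m["msg"])
        if fail:
            mech, user = pending.pop(domain, (None, None))
            findings.append({
                "timestamp": m["ts"], "domain": domain,
                "level": int(m["level"], 16), "mech": mech,
                "principal": user, "code": int(fail["code"]),
                "error": fail["text"],
            })
    return findings


if __name__ == "__main__":
    for f in find_bind_failures(SAMPLE_LOG):
        print(f)
```

Each record names the domain and the principal the backend tried to bind as, which is the value to compare against ldap_sasl_authid and the host keytab.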

Comment 7 hodson.chris 2012-10-03 14:52:44 UTC
I'm not going to have a whole lot of time to test this with the latest version now... You can go ahead and close this out if you want. For now we will just be changing the pre 2000 credential to lower case. Before I lost connection to the AD server it was not working with the case insensitive switch enabled.

Comment 8 Jakub Hrozek 2012-10-04 04:47:20 UTC
A quick test in my environment went fine, I was able to id a MixedCase user with "id mixedcase". I tested with an LDAP server, not AD but I don't think that'd make much of a difference.

I can keep this bugzilla open for now, I'm just going to set the needinfo flag to indicate we need logs to be able to debug the issue further.

Comment 9 Jakub Hrozek 2012-10-16 16:27:45 UTC
I'm going to close this bug as the scenario described here works for me and there's not enough information on what the problem might be in your environment.

Please reopen if the bug strikes again. Thank you!