Bug 906375 - names of domain_realm mapping files in SSSD contain dots
Summary: names of domain_realm mapping files in SSSD contain dots
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-01-31 14:33 UTC by Dmitri Pal
Modified: 2020-05-02 17:15 UTC
CC: 6 users

Fixed In Version: sssd-1.10.0-1.el7.alpha1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:11:59 UTC
Target Upstream Version:
Embargoed:


Links:
  System: Github SSSD sssd issues
  ID: 2837
  Private: 0
  Priority: None
  Status: closed
  Summary: names of domain_realm mapping files in SSSD contain dots
  Last Updated: 2020-05-02 17:15:56 UTC

Description Dmitri Pal 2013-01-31 14:33:43 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1795

https://bugzilla.redhat.com/show_bug.cgi?id=905650 (''Fedora'')

{{{
Description of problem:
the name of the explicit mapping file generated by SSSD in
/var/lib/sss/pubconf/krb5.include.d/ contains the unfiltered domain name, which
contains a dot.

The krb5.conf manual page states that the includedir statement sources all
files whose names are constructed from alphanumeric characters, dashes and
underscores.

Files with other characters are ignored. So dots as in
domain_realm_example.com are ignored and our mapping is never sourced.

This prevents explicit mapping for trusted domains in FreeIPA from working.
}}}

Comment 1 Jakub Hrozek 2013-03-26 18:10:12 UTC
Fixed upstream.

Comment 2 Jakub Hrozek 2013-10-04 13:23:04 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Jenny Severance 2013-12-18 13:28:30 UTC
Can you please add steps to reproduce/verify this bug?  Thanks!

Comment 5 Jakub Hrozek 2013-12-18 13:46:58 UTC
1. This test requires a setup with trusts.
2. Start the SSSD service. Make sure it's online after it starts.
3. Look into /var/lib/sss/pubconf/krb5.include.d/
  - Before the patch, there would be a file named domain_realm_$IPA_DOMAIN. Typically, the IPA domain contains dots and before the patch, the file name would contain dots as well. This caused libkrb5 to skip the file
  - After the patch, the dots should be substituted for underscores. On my test setup, the file is called domain_realm_ipatest_example_com (and my domain is called IPATEST.EXAMPLE.COM)
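An added check (example code, not SSSD's own code nor anything from the bug report) that applies the krb5.conf includedir file-name rule quoted in the description and the dot-to-underscore substitution from the steps above, so an administrator can spot generated include files that libkrb5 would silently skip. SSSD_INCLUDE_DIR is the directory named in the report; the sample listing is constructed.

```python
import os
import re

# krb5.conf(5): an includedir directory sources only files whose names are made
# of alphanumeric characters, dashes and underscores; any other file is skipped.
KRB5_INCLUDEDIR_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

# Directory where SSSD writes its generated include files (from the bug report).
SSSD_INCLUDE_DIR = "/var/lib/sss/pubconf/krb5.include.d"


def krb5_includedir_accepts(filename: str) -> bool:
    """True if libkrb5 would source this file name from an includedir."""
    return KRB5_INCLUDEDIR_NAME.match(filename) is not None


def domain_realm_filename(ipa_domain: str) -> str:
    """Mapping-file name with dots replaced by underscores, as after the fix
    (e.g. ipatest.example.com -> domain_realm_ipatest_example_com)."""
    return "domain_realm_" + ipa_domain.replace(".", "_")


def render_domain_realm(mappings: dict) -> str:
    """Render a [domain_realm] section that maps each DNS domain, and its
    subdomains via the leading-dot form, to the given Kerberos realm."""
    lines = ["[domain_realm]"]
    for domain, realm in mappings.items():
        lines.append(f".{domain} = {realm}")
        lines.append(f"{domain} = {realm}")
    return "\n".join(lines) + "\n"


def ignored_include_names(names) -> list:
    """Names from an includedir listing that libkrb5 would silently skip."""
    return sorted(n for n in names if not krb5_includedir_accepts(n))


if __name__ == "__main__":
    # Constructed listing: one pre-fix name (with dots) and one post-fix name.
    sample = ["domain_realm_example.com", "domain_realm_ipatest_example_com"]
    print("skipped (constructed sample):", ignored_include_names(sample))
    # Optional live check of the real SSSD include directory, if present.
    if os.path.isdir(SSSD_INCLUDE_DIR):
        print("skipped in", SSSD_INCLUDE_DIR + ":",
              ignored_include_names(os.listdir(SSSD_INCLUDE_DIR)))
```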

Comment 6 Steeve Goveas 2014-01-30 13:21:43 UTC
* File exists with underscores after ipa server install and before trust add

[root@dhcp207-218 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_newdom_qe
[domain_realm]

[root@dhcp207-218 ~]# echo Secret123 | ipa trust-add adtest.qe --type ad --admin administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@dhcp207-218 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_newdom_qe
[domain_realm]

[root@dhcp207-218 ~]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp207-218 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_newdom_qe
[domain_realm]

[root@dhcp207-218 ~]# getent passwd testu1.qe
testu1.qe:*:839001108:839001108:testu1 user:/home/pune.adtest.qe/testu1:

* File contents get added as expected after a while or when a lookup is done for a user in trusted domain

[root@dhcp207-218 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_newdom_qe
[domain_realm]
.adtest.qe = ADTEST.QE
adtest.qe = ADTEST.QE
.pune.adtest.qe = PUNE.ADTEST.QE
pune.adtest.qe = PUNE.ADTEST.QE
[capaths]
PUNE.ADTEST.QE = {
  NEWDOM.QE = ADTEST.QE
}
NEWDOM.QE = {
  PUNE.ADTEST.QE = ADTEST.QE
}

Comment 7 Ludek Smid 2014-06-13 12:11:59 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.