969882 – Fully qualified account names form should be able to use flatname in the fq format

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 969882 - Fully qualified account names form should be able to use flatname in the fq format

Summary: Fully qualified account names form should be able to use flatname in the fq f...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-06-02 21:56 UTC by Dmitri Pal
Modified:	2020-05-02 17:06 UTC (History)
CC List:	4 users (show)
Fixed In Version:	sssd-1.10.0-10.el7.beta2
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 11:39:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2510	0	None	closed	[RFE] AD: Should be able to log in as long or short domains	2020-05-27 06:17:39 UTC
Github	SSSD sssd issues 2690	0	None	closed	Fully qualified account names form should be able to use flatname in the fq format	2020-05-27 06:17:41 UTC

Description Dmitri Pal 2013-06-02 21:56:57 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1648

Subdomains (and even IPA when configured with trusts) can be identified in 2 ways, fully qualified domain name and flatname.
When these subdomains are Windows AD trusted domains it would be nice to be able to fully qualify names using the flatname instead of the DNS name as windows environments use FLATNAME\username as the preferred form to qualify user names, and we should be able to provide this as a possibility.

Comment 1 Jakub Hrozek 2013-06-06 09:49:47 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1468

Comment 2 Jakub Hrozek 2013-10-04 13:25:15 UTC

Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 4 Steeve Goveas 2014-01-06 15:20:38 UTC

* FLATNAME\username can be used in trusted environment

[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1741800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------

[root@dhcp207-43 ~]# getent passwd 'PUNE\testu1'
testu1.qe:*:839001108:839001108:testu1 user:/:

[root@dhcp207-43 ~]# getent passwd 'PUNE\adnew1'
adnew1.qe:*:839001107:839001107:new user:/:

[root@dhcp207-43 ~]# getent passwd 'ADTEST\aduser2'
aduser2:*:1148401314:1148401314:ads2 user:/:

[root@dhcp207-43 ~]# rpm -q ipa-server sssd
ipa-server-3.3.3-8.el7.x86_64
sssd-1.11.2-18.el7.x86_64

Comment 5 Kaushik Banerjee 2014-01-13 11:21:34 UTC

Also automated as part of direct enrolment with sssd. Verified with version 1.11.2-18.el7

Snippet from beaker automation run:

user1_dom1:*:770843877:770800513:user1_dom1:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER1_SHORT_REALM\\user1_dom1' (Expected 0, got 0)
user1_dom2:*:295201317:295201317:user1_dom2:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER2_SHORT_REALM\\user1_dom2' (Expected 0, got 0)
user1_dom3.com:*:1290801310:1290801310:user1_dom3:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER3_SHORT_REALM\\user1_dom3' (Expected 0, got 0)

Comment 6 Ludek Smid 2014-06-13 11:39:06 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.