Bug 969882 - Fully qualified account names form should be able to use flatname in the fq format
Fully qualified account names form should be able to use flatname in the fq f...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Jakub Hrozek
Kaushik Banerjee
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-02 17:56 EDT by Dmitri Pal
Modified: 2014-06-18 00:02 EDT (History)
4 users (show)

See Also:
Fixed In Version: sssd-1.10.0-10.el7.beta2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 07:39:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dmitri Pal 2013-06-02 17:56:57 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1648

Subdomains (and even IPA when configured with trusts) can be identified in 2 ways, fully qualified domain name and flatname.
When these subdomains are Windows AD trusted domains it would be nice to be able to fully qualify names using the flatname instead of the DNS name as windows environments use FLATNAME\username as the preferred form to qualify user names, and we should be able to provide this as a possibility.
Comment 1 Jakub Hrozek 2013-06-06 05:49:47 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1468
Comment 2 Jakub Hrozek 2013-10-04 09:25:15 EDT
Temporarily moving bugs to MODIFIED to work around errata tool bug
Comment 4 Steeve Goveas 2014-01-06 10:20:38 EST
* FLATNAME\username can be used in trusted environment

[root@dhcp207-43 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16,
                          S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@dhcp207-43 ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: ADTEST.QE_id_range
  First Posix ID of the range: 1148400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1910160501-511572375-3625658879
  Range type: Active Directory domain range

  Range name: PUNE.ADTEST.QE_id_range
  First Posix ID of the range: 839000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-91314187-2404433721-1858927112
  Range type: Active Directory domain range

  Range name: TESTRELM.COM_id_range
  First Posix ID of the range: 1741800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------

[root@dhcp207-43 ~]# getent passwd 'PUNE\testu1'
testu1@pune.adtest.qe:*:839001108:839001108:testu1 user:/:

[root@dhcp207-43 ~]# getent passwd 'PUNE\adnew1'
adnew1@pune.adtest.qe:*:839001107:839001107:new user:/:

[root@dhcp207-43 ~]# getent passwd 'ADTEST\aduser2'
aduser2@adtest.qe:*:1148401314:1148401314:ads2 user:/:

[root@dhcp207-43 ~]# rpm -q ipa-server sssd
ipa-server-3.3.3-8.el7.x86_64
sssd-1.11.2-18.el7.x86_64
Comment 5 Kaushik Banerjee 2014-01-13 06:21:34 EST
Also automated as part of direct enrolment with sssd. Verified with version 1.11.2-18.el7

Snippet from beaker automation run:

user1_dom1@sssdad.com:*:770843877:770800513:user1_dom1:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER1_SHORT_REALM\\user1_dom1' (Expected 0, got 0)
user1_dom2@sssdad_tree.com:*:295201317:295201317:user1_dom2:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER2_SHORT_REALM\\user1_dom2' (Expected 0, got 0)
user1_dom3@child1.sssdad.com:*:1290801310:1290801310:user1_dom3:/:
:: [   PASS   ] :: Running 'getent passwd $AD_SERVER3_SHORT_REALM\\user1_dom3' (Expected 0, got 0)
Comment 6 Ludek Smid 2014-06-13 07:39:06 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.