#2189 Access denied for users from gc domain when using format DOMAIN\user
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1048102

Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.11.2-18.el7

How reproducible:
Always

Steps to Reproduce:
1. Domain section of sssd.conf has:
[domain/sssdad.com]
debug_level = 0xFFF0
id_provider = ad
use_fully_qualified_names = True
access_provider = simple
full_name_format = %3$s\%1$s
simple_allow_users = SSSDAD_TREE\user1_dom2,SSSDAD\user1_dom1

2. Try to login as user1_dom1
# ssh -l SSSDAD\\user1_dom1 localhost
SSSDAD\user1_dom1@localhost's password:
Connection closed by ::1

Domain log shows:
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_send]
(0x0200): Simple access check for user1_dom1
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_send]
(0x1000): No group restrictions, end request
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv]
(0x1000): Access not granted

3. Try to login as user1_dom2
# ssh -l SSSDAD_TREE\\user1_dom2 localhost
SSSDAD_TREE\user1_dom2@localhost's password:
Last login: Fri Jan  3 12:27:57 2014 from localhost
-sh-4.2$

Domain log shows:
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_send]
(0x0200): Simple access check for SSSDAD_TREE\user1_dom2
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_check_users]
(0x1000): User [SSSDAD_TREE\user1_dom2] found in allow list, access granted.
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_send]
(0x1000): No group restrictions, end request
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv]
(0x1000): Access granted

Actual results:
Login as user1_dom1 fails

Expected results:
Login as user1_dom1 works

Additional info:

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => preichl
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.4

resolution: => fixed
status: new => closed

Fields changed

changelog: => Allows the administrator to use the NetBIOS domain name in the simple access provider.

Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.11.4

2 years ago

Login to comment on this ticket.

Metadata