#2189 Access denied for users from gc domain when using format DOMAIN\user
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1048102

Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.11.2-18.el7

How reproducible:
Always

Steps to Reproduce:
1. Domain section of sssd.conf has:
[domain/sssdad.com]
debug_level = 0xFFF0
id_provider = ad
use_fully_qualified_names = True
access_provider = simple
full_name_format = %3$s\%1$s
simple_allow_users = SSSDAD_TREE\user1_dom2,SSSDAD\user1_dom1

2. Try to login as user1_dom1
# ssh -l SSSDAD\\user1_dom1 localhost
SSSDAD\user1_dom1@localhost's password:
Connection closed by ::1

Domain log shows:
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_send]
(0x0200): Simple access check for user1_dom1
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_send]
(0x1000): No group restrictions, end request
(Fri Jan  3 12:39:05 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv]
(0x1000): Access not granted

3. Try to login as user1_dom2
# ssh -l SSSDAD_TREE\\user1_dom2 localhost
SSSDAD_TREE\user1_dom2@localhost's password:
Last login: Fri Jan  3 12:27:57 2014 from localhost
-sh-4.2$

Domain log shows:
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_send]
(0x0200): Simple access check for SSSDAD_TREE\user1_dom2
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_check_users]
(0x1000): User [SSSDAD_TREE\user1_dom2] found in allow list, access granted.
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_send]
(0x1000): No group restrictions, end request
(Fri Jan  3 12:27:56 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv]
(0x1000): Access granted

Actual results:
Login as user1_dom1 fails

Expected results:
Login as user1_dom1 works

Additional info:

Fields changed

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => preichl
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.4

resolution: => fixed
status: new => closed

Fields changed

changelog: => Allows the administrator to use the NetBIOS domain name in the simple access provider.

Metadata Update from @jhrozek:
- Issue assigned to preichl
- Issue set to the milestone: SSSD 1.11.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3231

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata