Issue #2717: well-known SID check is broken for NetBIOS prefixes - sssd

SSSD / sssd

#2717 well-known SID check is broken for NetBIOS prefixes

Closed: Fixed None Opened 3 years ago by abbra.

When AD user or group is specified using flatname (ADX\Domain Admins instead of Domain Admins@adx.test), and name to SID translation is requested, a check for well-known SID uses wrong expression to parse specified name, considers it wrong and bails out.

As result, it breaks FreeIPA resolving names to SIDs in 'ipa group-add-member --external' command.

Python 2.7.10 (default, Jul  5 2015, 14:15:43) 
[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('ADX\\Domain Admins')
{}
>>> pysss_nss_idmap.getsidbyname("ADX\\Domain Admins")
{}
>>> pysss_nss_idmap.getsidbyname('ADX\Domain Admins')
{}
>>> pysss_nss_idmap.getsidbyname("ADX\Domain Admins")
{}
>>>

If I specify an explicit 're_expression' that includes flatname prefix, things work:

# grep re_expression /etc/sssd/sssd.conf
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
# python
Python 2.7.10 (default, Jul  5 2015, 14:15:43) 
[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('ADX\Domain Admins')
{'ADX\\Domain Admins': {'type': 2, 'sid': u'S-1-5-21-3491614383-3036065072-3935721777-512'}}
>>>