#2838 full_name_format and default_domain_suffix breaks supplemental AD trust groups
Closed: Fixed None Opened 3 years ago by orion.

Running IPA (4.1.0-18.sl7_1.4) with an AD trust. IPA domain is nwra.com, AD domain is ad.nwra.com. All users are in AD. Trying to use:

[sssd]
default_domain_suffix = ad.nwra.com
full_name_format = %1$s

on the clients to strip the domain from user names so that users do not have to concern themselves with domain info. This appears to break supplemental groups. With just default_domain_suffix I have:

# id orion
uid=22603(orion@ad.nwra.com) gid=22603(orion@ad.nwra.com) groups=22603(orion@ad.nwra.com),27124(andreas admins@ad.nwra.com),20512(domain admins@ad.nwra.com),20513(domain users@ad.nwra.com),24701(boulder@ad.nwra.com),24712(it@ad.nwra.com),24715(nwra-users@ad.nwra.com),27608(heimdall users@ad.nwra.com),24703(pirep rd users@ad.nwra.com),24714(wireless access@ad.nwra.com)

But with full_name_format = %1$s I get:

# id orion
uid=22603(orion) gid=22603(orion) groups=22603(orion)
Client version is sssd-1.13.1-2.fc23

Without full_name_format, sssd_nwra.com.log shows:


[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users@ad.nwra.com][name=nwra-users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [boulder@ad.nwra.com][name=boulder@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [heimdall users@ad.nwra.com][name=heimdall users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain admins@ad.nwra.com][name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users@ad.nwra.com][name=domain users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [andreas admins@ad.nwra.com][name=andreas admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [it@ad.nwra.com][name=it@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [pirep rd users@ad.nwra.com][name=pirep rd users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [wireless access@ad.nwra.com][name=wireless access@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion@ad.nwra.com

[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins@ad.nwra.com
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding member [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb]

With it:

[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain admins][name=domain admins,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [heimdall users][name=heimdall users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users][name=nwra-users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [andreas admins][name=andreas admins,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users][name=domain users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [it][name=it,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [wireless access][name=wireless access,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [orion][name=orion,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [boulder][name=boulder,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [pirep rd users][name=pirep rd users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion

[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding ghost member [orion@ad.nwra.com]

Looks like in the latter the groups members still have @ad.nwra.com so orion@ad.nwra.com gets added as a ghost member rather than a proper one?


That seems to be the right track, as "getent group nwra-users" returns an entry with the @ad.nwra.com suffix on all of the members. Presumably that should get stripped as well.

Thank you, I can reproduce now.

owner: somebody => jhrozek
status: new => assigned

The issue is that the subdomain users are (to avoid conflicts) normally saved with fully qualified names.

But unfortunately, the full_name_format also changes how the usernames are stored in the cache and the subdomains code just doesn't expect non-qualified usernames in the cache.

Since we already have first version of the patches that only use full_name_format for presentation of the data, not storing them, I would prefer to solve this ticket along with #2011
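The following is an added illustration of the mechanism described in this comment, not SSSD code: a toy stand-in for the cache (the Sysdb class, the group data and the member names are constructed to mirror the logs in the ticket). It shows why storing the user entry under the name produced by full_name_format leaves the qualified member references in the trust's groups unresolved (the "ghost member" lines in the log), and why keying the cache by the qualified name and applying full_name_format only at presentation time, as the 1.14 approach does, keeps the supplementary groups intact.

```python
"""Model of the cache-key mismatch behind SSSD ticket #2838.

Added example, not SSSD code: the Sysdb class, the TRUST_GROUPS data
and the lookup() helper are constructed for illustration only.
"""
from dataclasses import dataclass, field

AD_DOMAIN = "ad.nwra.com"  # trusted AD domain from the ticket


def qualify(short, domain=AD_DOMAIN):
    return f"{short}@{domain}"


def render(qualified, full_name_format):
    """Apply an sssd.conf full_name_format: %1$s is the name, %2$s the domain."""
    name, _, domain = qualified.rpartition("@")
    return full_name_format.replace("%1$s", name).replace("%2$s", domain)


@dataclass
class Sysdb:
    """Minimal stand-in for sssd's cache: users keyed by name, groups by name."""
    users: dict = field(default_factory=dict)
    members: dict = field(default_factory=dict)  # group -> linked member keys
    ghosts: dict = field(default_factory=dict)   # group -> unresolved member names


def process_members(db, group, member_names):
    """Mirror of what the process_members log lines show: a member name that
    matches a cached user entry is linked; any other name becomes a ghost."""
    db.members[group], db.ghosts[group] = [], []
    for name in member_names:
        (db.members if name in db.users else db.ghosts)[group].append(name)


# Constructed group data: the AD trust always hands back qualified member names.
TRUST_GROUPS = {
    qualify("nwra-users"): [qualify("orion"), qualify("andreas")],
    qualify("it"): [qualify("orion")],
}


def lookup(full_name_format, store_formatted):
    """Simulate 'id orion' for one user and return what it would show.

    store_formatted=True is the pre-1.14 behaviour the ticket describes: the
    cache key is whatever full_name_format produces. store_formatted=False is
    the 1.14 approach: the key stays fully qualified and the format is applied
    only when the result is presented.
    """
    db = Sysdb()
    user = qualify("orion")
    key = render(user, full_name_format) if store_formatted else user
    db.users[key] = {"uid": 22603}
    for group, names in TRUST_GROUPS.items():
        process_members(db, group, names)
    groups = sorted(g for g, linked in db.members.items() if key in linked)
    return {
        "user": render(user, full_name_format),
        "groups": [render(g, full_name_format) for g in groups],
        "ghosts": {render(g, full_name_format): db.ghosts[g] for g in TRUST_GROUPS},
    }


if __name__ == "__main__":
    for fmt, stored in (("%1$s@%2$s", True), ("%1$s", True), ("%1$s", False)):
        print(f"full_name_format={fmt!r} stored_as_formatted={stored}: "
              f"{lookup(fmt, stored)}")
```

The second case reproduces the ticket: with `%1$s` stored in the cache the user is keyed as `orion`, the member reference `orion@ad.nwra.com` no longer matches anything and is recorded as a ghost, so the user ends up with no supplementary groups. The third case keeps the qualified key and only renders `%1$s` on output, so the groups resolve and are still displayed as short names. The `andreas` ghost in every case is the normal situation for a member that has simply not been cached yet.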

That sounds good. I was fairly surprised to see sssd store non-qualified names.

I'm moving the ticket to the same milestone that contains the sysdb refactoring.

milestone: NEEDS_TRIAGE => SSSD 1.14 alpha

Fields changed

rhbz: => todo

I have the sysdb refactoring in my local branch, but I need to release 1.14 alpha today, so moving to Beta.

milestone: SSSD 1.14 alpha => SSSD 1.14 beta

Still needs review and the new sysdb needs db version upgrade.

milestone: SSSD 1.14 beta => SSSD 1.14.0

Fields changed

patch: 0 => 1

Fields changed

resolution: => fixed
status: assigned => closed

Metadata Update from @orion:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.0

2 years ago
