Running IPA (4.1.0-18.sl7_1.4) with an AD trust. IPA domain is nwra.com, AD domain is ad.nwra.com. All users are in AD. Trying to use:
    [sssd]
    default_domain_suffix = ad.nwra.com
    full_name_format = %1$s
on the clients to strip the domain from user names so that users do not have to concern themselves with domain info. This appears to break supplemental groups. With just default_domain_suffix I have:
# id orion uid=22603(orion@ad.nwra.com) gid=22603(orion@ad.nwra.com) groups=22603(orion@ad.nwra.com),27124(andreas admins@ad.nwra.com),20512(domain admins@ad.nwra.com),20513(domain users@ad.nwra.com),24701(boulder@ad.nwra.com),24712(it@ad.nwra.com),24715(nwra-users@ad.nwra.com),27608(heimdall users@ad.nwra.com),24703(pirep rd users@ad.nwra.com),24714(wireless access@ad.nwra.com)
But with full_name_format = %1$s I get:
    # id orion
    uid=22603(orion) gid=22603(orion) groups=22603(orion)
Client version is sssd-1.13.1-2.fc23
Without full_name_format, sssd_nwra.com.log shows:
    [sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users@ad.nwra.com][name=nwra-users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [boulder@ad.nwra.com][name=boulder@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [heimdall users@ad.nwra.com][name=heimdall users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain admins@ad.nwra.com][name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users@ad.nwra.com][name=domain users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [andreas admins@ad.nwra.com][name=andreas admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [it@ad.nwra.com][name=it@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [pirep rd users@ad.nwra.com][name=pirep rd users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [wireless access@ad.nwra.com][name=wireless access@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
    [sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion@ad.nwra.com
    [sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins@ad.nwra.com
    [sssd[be[nwra.com]]] [process_members] (0x4000): Adding member [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb]
With it:
    [sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain admins][name=domain admins,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [heimdall users][name=heimdall users,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users][name=nwra-users,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [andreas admins][name=andreas admins,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users][name=domain users,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [it][name=it,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [wireless access][name=wireless access,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [orion][name=orion,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [boulder][name=boulder,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [pirep rd users][name=pirep rd users,cn=groups,cn=nwra.com,cn=sysdb].
    [sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
    [sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion
    [sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins
    [sssd[be[nwra.com]]] [process_members] (0x4000): Adding ghost member [orion@ad.nwra.com]
Looks like in the latter the group members still have @ad.nwra.com, so orion@ad.nwra.com gets added as a ghost member rather than a proper one?
That seems to be the right track, as "getent group nwra-users" returns an entry with the @ad.nwra.com suffix on all of the members. Presumably that should get stripped as well.
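The pattern the reporter spots in the debug log (groups saved under cn=nwra.com with short names, while the member reference keeps the @ad.nwra.com suffix and is attached as a ghost member) is what you would grep for when triaging a client that shows this symptom. The following is an added example, not code from the ticket or from the SSSD project: a small Python triage script that parses `ipa_s2n_save_objects` / `process_members` / `get_groups_dns` lines in the format quoted above and reports, per group, whether the user was attached as a real or a ghost member and whether the member name's domain qualification disagrees with the sysdb domain the group was saved under. The two log excerpts inside the block are constructed to mimic the working and the broken run; they are not copied from a real log, and the function and variable names are the example's own.

```python
import re

# Constructed sample lines in the shape of sssd_<domain>.log debug output
# (not a real log). WORKING_LOG mimics the run without full_name_format,
# BROKEN_LOG the run with full_name_format = %1$s.
WORKING_LOG = """\
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users@ad.nwra.com][name=nwra-users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users@ad.nwra.com][name=domain users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion@ad.nwra.com
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group nwra-users@ad.nwra.com
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding member [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb]
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group domain users@ad.nwra.com
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding member [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb]
"""

BROKEN_LOG = """\
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users][name=nwra-users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users][name=domain users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group nwra-users
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding ghost member [orion@ad.nwra.com]
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group domain users
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding ghost member [orion@ad.nwra.com]
"""

# Line shapes taken from the quoted log; the debug level in parentheses varies.
GROUP_DN_RE = re.compile(r"\[get_groups_dns\] \(0x[0-9a-f]+\): Added \[(?P<name>[^\]]+)\]\[(?P<dn>[^\]]+)\]")
USER_RE = re.compile(r"\[ipa_s2n_save_objects\] \(0x[0-9a-f]+\): Updating memberships for (?P<user>.+?)\s*$")
GROUP_RE = re.compile(r"\[ipa_s2n_save_objects\] \(0x[0-9a-f]+\): Processing group (?P<group>.+?)\s*$")
MEMBER_RE = re.compile(r"\[process_members\] \(0x[0-9a-f]+\): Adding (?P<ghost>ghost )?member \[(?P<member>[^\]]+)\]")
SYSDB_DOMAIN_RE = re.compile(r"cn=(?:groups|users),cn=(?P<domain>[^,]+),cn=sysdb")


def split_qualified(name):
    """'orion@ad.nwra.com' -> ('orion', 'ad.nwra.com'); 'orion' -> ('orion', None)."""
    short, sep, domain = name.rpartition("@")
    return (short, domain) if sep else (name, None)


def analyze(log_text):
    """Walk one membership-update sequence and flag ghost members whose
    qualification does not match how the user/group were stored in sysdb."""
    group_domain = {}      # group name as stored -> sysdb domain it was saved under
    user = None            # name the user object is stored under
    current_group = None
    memberships = []       # (group, member reference, is_ghost)
    for line in log_text.splitlines():
        m = GROUP_DN_RE.search(line)
        if m:
            dm = SYSDB_DOMAIN_RE.search(m.group("dn"))
            group_domain[m.group("name")] = dm.group("domain") if dm else None
            continue
        m = USER_RE.search(line)
        if m:
            user = m.group("user")
            continue
        m = GROUP_RE.search(line)
        if m:
            current_group = m.group("group")
            continue
        m = MEMBER_RE.search(line)
        if m and current_group is not None:
            memberships.append((current_group, m.group("member"), m.group("ghost") is not None))

    user_short, user_domain = split_qualified(user) if user else (None, None)
    ghost_groups, findings = [], []
    for group, member, is_ghost in memberships:
        if not is_ghost:
            continue
        ghost_groups.append(group)
        member_short, member_domain = split_qualified(member)
        stored_in = group_domain.get(group)
        if user_domain is None and member_domain is not None and member_short == user_short:
            findings.append(
                f"group '{group}' (sysdb domain {stored_in}): user object is cached as "
                f"unqualified '{user}' but the member reference is '{member}', "
                f"so the member could not be resolved and was added as a ghost")
        elif stored_in and member_domain and stored_in != member_domain:
            findings.append(
                f"group '{group}' is stored under sysdb domain {stored_in} but its member "
                f"'{member}' is qualified with {member_domain}")
    return {"user": user, "ghost_groups": ghost_groups, "findings": findings}


if __name__ == "__main__":
    for label, text in (("without full_name_format", WORKING_LOG), ("with full_name_format=%1$s", BROKEN_LOG)):
        result = analyze(text)
        print(f"{label}: user={result['user']} ghost_groups={result['ghost_groups']}")
        for f in result["findings"]:
            print("  ", f)
```

To use it on a real client, paste the relevant stretch of `sssd_<domain>.log` (debug_level 9 or higher on the backend) into `analyze()`; any group listed in `ghost_groups` is one that `id` will not report as a supplemental group, and a non-empty `findings` list points at the stored-name mismatch rather than at a missing group on the AD side.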
Thank you, I can reproduce now.
owner: somebody => jhrozek
status: new => assigned
The issue is that the subdomain users are (to avoid conflicts) normally saved with fully qualified names.
But unfortunately, the full_name_format also changes how the usernames are stored in the cache and the subdomains code just doesn't expect non-qualified usernames in the cache.
Since we already have the first version of the patches that only use full_name_format for presentation of the data, not for storing them, I would prefer to solve this ticket along with #2011.
That sounds good. I was fairly surprised to see sssd store non-qualified names.
I'm moving the ticket to the same milestone that contains the sysdb refactoring.
milestone: NEEDS_TRIAGE => SSSD 1.14 alpha
Fields changed
rhbz: => todo
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1287209 (Red Hat Enterprise Linux 7)
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1287209 1287209]
I have the sysdb refactoring in my local branch, but I need to release 1.14 alpha today, so moving to Beta.
milestone: SSSD 1.14 alpha => SSSD 1.14 beta
Still needs review and the new sysdb needs db version upgrade.
milestone: SSSD 1.14 beta => SSSD 1.14.0
patch: 0 => 1
Fixed in e6b6b9f..c88b63b
resolution: => fixed
status: assigned => closed
Metadata Update from @orion: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.14.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3879
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.