#2838 full_name_format and default_domain_suffix breaks supplemental AD trust groups
Closed: Fixed. Opened 5 years ago by orion.

Running IPA (4.1.0-18.sl7_1.4) with an AD trust. IPA domain is nwra.com, AD domain is ad.nwra.com. All users are in AD. Trying to use:

[sssd]
default_domain_suffix = ad.nwra.com
full_name_format = %1$s

on the clients to strip the domain from user names so that users do not have to concern themselves with domain info. This appears to break supplemental groups. With just default_domain_suffix I have:

# id orion
uid=22603(orion@ad.nwra.com) gid=22603(orion@ad.nwra.com) groups=22603(orion@ad.nwra.com),27124(andreas admins@ad.nwra.com),20512(domain admins@ad.nwra.com),20513(domain users@ad.nwra.com),24701(boulder@ad.nwra.com),24712(it@ad.nwra.com),24715(nwra-users@ad.nwra.com),27608(heimdall users@ad.nwra.com),24703(pirep rd users@ad.nwra.com),24714(wireless access@ad.nwra.com)

But with full_name_format = %1$s I get:

# id orion
uid=22603(orion) gid=22603(orion) groups=22603(orion)
Client version is sssd-1.13.1-2.fc23

Without full_name_format, sssd_nwra.com.log shows:


[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users@ad.nwra.com][name=nwra-users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [boulder@ad.nwra.com][name=boulder@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [heimdall users@ad.nwra.com][name=heimdall users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain admins@ad.nwra.com][name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users@ad.nwra.com][name=domain users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [andreas admins@ad.nwra.com][name=andreas admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [it@ad.nwra.com][name=it@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [pirep rd users@ad.nwra.com][name=pirep rd users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [wireless access@ad.nwra.com][name=wireless access@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion@ad.nwra.com

[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins@ad.nwra.com
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding member [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb]

With it:

[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain admins][name=domain admins,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [heimdall users][name=heimdall users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users][name=nwra-users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [andreas admins][name=andreas admins,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users][name=domain users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [it][name=it,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [wireless access][name=wireless access,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [orion][name=orion,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [boulder][name=boulder,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [pirep rd users][name=pirep rd users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion

[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding ghost member [orion@ad.nwra.com]

Looks like in the latter the group members still have @ad.nwra.com, so orion@ad.nwra.com gets added as a ghost member rather than a proper one?


That seems to be the right track, as "getent group nwra-users" returns an entry with the @ad.nwra.com suffix on all of the members. Presumably that should get stripped as well.

Thank you, I can reproduce now.

owner: somebody => jhrozek
status: new => assigned

The issue is that the subdomain users are (to avoid conflicts) normally saved with fully qualified names.

But unfortunately, the full_name_format also changes how the usernames are stored in the cache and the subdomains code just doesn't expect non-qualified usernames in the cache.

Since we already have a first version of the patches that only use full_name_format for presentation of the data, not for storing them, I would prefer to solve this ticket along with #2011.

That sounds good. I was fairly surprised to see sssd store non-qualified names.
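To make the mechanism in the two comments above concrete (qualified names from the server versus whatever full_name_format stored in the cache, and the "ghost member" lines in the log), here is an added model. It is example code written for this page, not SSSD's sysdb or s2n code: the in-memory cache layout, the function names and the `resolve_user`/`id_groups`/`ghost_members` helpers are assumptions; the user, domain and group names come from the ticket's `id` output, and the log lines are constructed in the shape of the excerpts above.

```python
"""Toy model of the name-qualification mismatch described in this ticket.

Added example, not SSSD code. Users are stored under the name produced by
full_name_format, while the IPA server (s2n) hands group members back fully
qualified. A member only links to a cached user if the stored name matches;
otherwise it is kept as a "ghost", which `id` does not report.
"""
import re

AD_DOMAIN = "ad.nwra.com"

# Constructed input: the supplemental groups from the ticket's `id orion` output.
AD_GROUPS = {
    "andreas admins": 27124, "domain admins": 20512, "domain users": 20513,
    "boulder": 24701, "it": 24712, "nwra-users": 24715,
    "heimdall users": 27608, "pirep rd users": 24703, "wireless access": 24714,
}


def format_name(short, domain, fmt):
    """Apply an sssd-style full_name_format (%1$s = name, %2$s = domain)."""
    return fmt.replace("%1$s", short).replace("%2$s", domain)


def resolve_user(short, uid, fmt, groups):
    """Save the user under the formatted name, then attach group memberships.

    Returns (real, ghost): group names whose member resolved to the cached
    user, and group names where the qualified member had no cache entry.
    """
    cache = {"users": {format_name(short, AD_DOMAIN, fmt): uid}, "groups": {}}
    qualified_member = f"{short}@{AD_DOMAIN}"  # s2n always returns this form
    real, ghost = [], []
    for gname, gid in groups.items():
        stored = format_name(gname, AD_DOMAIN, fmt)
        if qualified_member in cache["users"]:
            cache["groups"][stored] = {"gid": gid, "members": [qualified_member]}
            real.append(stored)
        else:
            cache["groups"][stored] = {"gid": gid, "ghosts": [qualified_member]}
            ghost.append(stored)
    return real, ghost


def id_groups(short, uid, fmt, groups=AD_GROUPS):
    """Supplemental groups `id` would print: only groups with a real member link."""
    real, _ = resolve_user(short, uid, fmt, groups)
    return sorted(real)


# Constructed log lines in the shape of the ticket's sssd_nwra.com.log excerpt.
LOG = """\
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding ghost member [orion@ad.nwra.com]
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group it
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding member [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb]
"""

GROUP_RE = re.compile(r"Processing group (?P<group>.+)$")
MEMBER_RE = re.compile(r"Adding (?P<kind>ghost member|member) \[(?P<name>[^\]]+)\]")


def ghost_members(log):
    """Return {group: [member, ...]} for members saved as ghosts, i.e. members
    the backend could not match to a user entry in the cache."""
    out, current = {}, None
    for line in log.splitlines():
        m = GROUP_RE.search(line)
        if m:
            current = m.group("group")
            continue
        m = MEMBER_RE.search(line)
        if m and m.group("kind") == "ghost member" and current:
            out.setdefault(current, []).append(m.group("name"))
    return out


if __name__ == "__main__":
    print("qualified cache:", id_groups("orion", 22603, "%1$s@%2$s"))
    print("short cache    :", id_groups("orion", 22603, "%1$s"))
    print("ghosts in log  :", ghost_members(LOG))
```

With the default subdomain format (`%1$s@%2$s`) every group links back to the cached user and all nine supplemental groups come back; with `%1$s` the user is stored as `orion`, the qualified member `orion@ad.nwra.com` matches nothing, and every group ends up with a ghost instead, which is exactly the empty `groups=` list in the report. The `ghost_members` check is a quick way to confirm the same thing from a real debug log (debug_level 9 or higher) before touching the configuration.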

I'm moving the ticket to the same milestone that contains the sysdb refactoring.

milestone: NEEDS_TRIAGE => SSSD 1.14 alpha

Fields changed

rhbz: => todo

I have the sysdb refactoring in my local branch, but I need to release 1.14 alpha today, so moving to Beta.

milestone: SSSD 1.14 alpha => SSSD 1.14 beta

Still needs review and the new sysdb needs db version upgrade.

milestone: SSSD 1.14 beta => SSSD 1.14.0

Fields changed

patch: 0 => 1

Fields changed

resolution: => fixed
status: assigned => closed

Metadata Update from @orion:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.0

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3879

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

