#2929 NSS responder does not lowercase AD external group members
Closed: Fixed None Opened 6 years ago by jhrozek.

With a group membership defined like this:

$ ipa group-find
  Group name: l_idm_admin
  GID: 1190000005
  Member groups: l_idm_admin_external

  Group name: l_idm_admin_external
  Member of groups: l_idm_admin

$ ipa group-show l_idm_admin_external
  Group name: l_idm_admin_external
  Member of groups: l_idm_admin
  External member: administrator@win.trust.test

The output of getpwnam for the IPA group doesn't uppercase the AD member:

$ getent group l_idm_admin

The reason is that we always use the parent domain's case_preserving
flag. That's OK for most cases, but in the IPA-AD case, the IPA domain and
AD domain differ in the case_preserving flag. We should always use the
member's domain flag.
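
The case-handling rule described in the ticket above, as an added C example that is not part of the ticket and is not SSSD code: a hypothetical, simplified model that formats a member name once with the group's (parent) domain flag and once with the member's own domain flag. It assumes the IPA domain preserves case and the trusted AD domain does not; `ipa.test`, `IdmAdmin` and the mixed-case `Administrator` spelling are constructed sample values.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model; these are not SSSD's data structures. */
struct domain { const char *name; bool case_preserving; };
struct member { const char *name; const struct domain *dom; };

/* Constructed sample data: ipa.test and the mixed-case spellings are made up. */
static const struct domain ipa_dom = { "ipa.test", true };
static const struct domain ad_dom = { "win.trust.test", false };
static const struct member members[] = {
    { "IdmAdmin", &ipa_dom },                     /* native IPA member */
    { "Administrator@win.trust.test", &ad_dom },  /* external AD member */
};

/* Copy src to out, lowercasing unless the deciding domain preserves case. */
static int output_name(const char *src, const struct domain *decider,
                       char *out, size_t outlen)
{
    size_t len = strlen(src);
    if (len >= outlen)
        return -1; /* refuse to truncate a name */
    for (size_t i = 0; i <= len; i++) /* <= copies the terminating NUL too */
        out[i] = decider->case_preserving
                     ? src[i] : (char)tolower((unsigned char)src[i]);
    return 0;
}

/* Behaviour described in the ticket: the group's (parent) domain decides. */
int member_name_parent_flag(const struct domain *group_dom,
                            const struct member *m, char *out, size_t outlen)
{
    return output_name(m->name, group_dom, out, outlen);
}

/* Behaviour the ticket asks for: the member's own domain decides. */
int member_name_member_flag(const struct member *m, char *out, size_t outlen)
{
    return output_name(m->name, m->dom, out, outlen);
}

int main(void)
{
    char a[64], b[64];
    for (size_t i = 0; i < sizeof(members) / sizeof(members[0]); i++) {
        if (member_name_parent_flag(&ipa_dom, &members[i], a, sizeof(a)) == 0 &&
            member_name_member_flag(&members[i], b, sizeof(b)) == 0)
            printf("parent flag: %-30s member flag: %s\n", a, b);
    }
    return 0;
}
```

The native IPA member comes out the same either way, which is why the parent flag looks correct until a member from a domain with a different flag is involved.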

Fields changed

cc: => abbra

So I have a WIP patch, but with the current 'guessing' of which domain we're talking to based on qualified and non-qualified name, it's just fugly.

Unless abbra needs this fix for his slapi-nis work, I would prefer to do the fix properly, along with the sysdb refactoring.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 alpha

Fields changed

rhbz: => todo

Fields changed

owner: somebody => jhrozek
status: new => assigned

This already works with the refactored sysdb, but needs review.

milestone: SSSD 1.14 alpha => SSSD 1.14 beta

Still needs review and the new sysdb needs db version upgrade.

milestone: SSSD 1.14 beta => SSSD 1.14.0

Fields changed

patch: 0 => 1

Fixed in e6b6b9f..c88b63b

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.14.0

5 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3970

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
