#3545 SSSD creates bad override search filter due to AD Trust object with parenthesis
Closed: Fixed 3 years ago Opened 3 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1500087

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
Note this is not affecting the impacted customer at this time,
ignore_group_members = True was used to workaround this problem.

In the default SSSD AD Trust configuration, group membership lookups may lead
to unexpected user objects being retrieved and searched in the override/views
codepath. The '(' or ')' characters are allowed in AD but cause a bad search
filter to be created by SSSD.

...
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed:
[1432158245]: Malformed search filter

Version-Release number of selected component (if applicable):
sssd-1.15

How reproducible:
Always in customer environment

Steps to Reproduce:
1. Add user with '(' character as a member of group in Active Directory
2. Attempt to login as AD user in the same group, or any user which would
trigger getgr* calls to a group which returns this bad character user

Actual results:
Bad Search filter

Expected results:
Lookup succeeds

Additional info:
The following options were added to successfully workaround this problem:

subdomain_inherit = ignore_group_members
ignore_group_members = True

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1500087

3 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

3 years ago

Metadata Update from @sbose:
- Issue set to the milestone: None

3 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.16.1
- Issue status updated to: Closed (was: Open)

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4571

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata