[Freeipa-users] libsemanage updates fail due to AD user with space

Lachlan Musicman datakid at gmail.com
Tue Apr 4 00:13:47 UTC 2017


On 3 April 2017 at 19:11, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
> >
> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
> > their names, libsemanage fails to update:
> >
> > eg from recent monthly upgrade cycle:
> >
> > Updating   : selinux-policy-targeted-3.13.1-102.el7_3.16.noarch    3/14
> > libsemanage.parse_assert_ch: expected character ':', but found 'f' (/etc/selinux/targeted/tmp/seusers.local: 5):
> > lastname firstname at domain.com:unconfined_u:s0-s0:c0.c1023 (No such file or directory).
> > libsemanage.seuser_parse: could not parse seuser record (No such file or directory).
> > libsemanage.dbase_file_cache: could not cache file database (No such file or directory).
> > libsemanage.semanage_base_merge_components: could not merge local modifications into policy (No such file or directory).
> >
>
> Hi,
> according to my quick testing this is solved with this PR:
>     https://github.com/SSSD/sssd/pull/189
> (Please note that we haven't run all regression tests on this PR so I
> can't in fact tell if it's correct or not. The code does look OK,
> though).
>
> I was also able to work around the issue by setting:
>     override_space = _
> in sssd.conf
>


Thanks Jakub. The problem with the override_space = _ is that we also have
users with _ in their names. I understand that this could be any character,
but we decided that - given what we know about our AD - any character could
also be in a user name.

Looking forward to seeing the patch in upcoming releases.

Cheers
L.


------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
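
Added example, not part of the original thread and not SSSD or libsemanage code: a Python check that lists seusers records whose login field contains whitespace (the record shape in the error above) and reports which login names would collide for a candidate override_space character. The login:seuser:mls-range layout is taken from the record in the error message; the sample names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the login:seuser:mls-range layout seen in the error above.
SAMPLE_SEUSERS = """\
# constructed sample, not taken from a real host
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
lastname firstname@example.test:unconfined_u:s0-s0:c0.c1023
lastname_firstname@example.test:unconfined_u:s0-s0:c0.c1023
"""


def login_fields(text):
    """Yield (line_number, login) for every non-comment record."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # The MLS range itself contains ':', so split only on the first one.
        yield lineno, stripped.split(":", 1)[0]


def logins_with_whitespace(text):
    """Return records whose login contains whitespace (the failing case)."""
    return [(n, login) for n, login in login_fields(text) if re.search(r"\s", login)]


def override_space_collisions(logins, replacement):
    """Group logins that become identical once spaces are replaced."""
    groups = defaultdict(set)
    for login in logins:
        groups[login.replace(" ", replacement)].add(login)
    return {new: sorted(old) for new, old in groups.items() if len(old) > 1}


if __name__ == "__main__":
    for lineno, login in logins_with_whitespace(SAMPLE_SEUSERS):
        print(f"line {lineno}: login contains whitespace: {login!r}")
    names = [login for _, login in login_fields(SAMPLE_SEUSERS)]
    for candidate in ("_", "^"):
        clashes = override_space_collisions(names, candidate)
        print(f"override_space = {candidate}: {clashes or 'no collisions'}")
```

Running the collision check against the full list of AD login names before choosing an override_space value shows whether any two accounts would map to the same name.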