[Freeipa-users] SSSD bug found? FreeIPA vs SSSD
Jakub Hrozek
jhrozek at redhat.com
Thu Mar 9 09:39:33 UTC 2017
On Thu, Mar 09, 2017 at 11:32:35AM +0200, Alexander Bokovoy wrote:
> On to, 09 maalis 2017, Jakub Hrozek wrote:
> > On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote:
> > > Hola,
> > >
> > > On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd
> > > (via COPR) 1.15.1, which has a one way trust to an AD domain. unix.name.org
> > > -> name.org
> > >
> > > I've seen some interesting behaviour.
> > >
> > > Being part of a large organisation with a smaller nix environment and a
> > > larger Windows environment we see all the best of odd AD management
> > > behaviour (eg spaces in usernames...).
> > >
> > > Turns out some of the groups in AD have an @ symbol in them.
> > >
> > > The behavioural difference we see is: given userA in group "name @ of
> > > group" that on the FreeIPA server:
> > >
> > > [root at vmpr-freeipa.unix.name.org ~]# id userA at name.org
> > >
> > > works as expected.
> > >
> > > But on a client
> > >
> > > [root at vmpr-linuxclient1.unix.name.org ~]# id userA at name.org
> > >
> > > returns nothing.
> >
> > Yes, it is a know issue:
> > https://pagure.io/SSSD/sssd/issue/3219
> >
> > There were some users who reported this works better with a modified
> > re_expression:
> > re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
> > but I agree we should fix this by default. However, the fix must be done
> > at both the SSSD level and the IPA extdom plugin, which also searches
> > for the @-sign in the user and group names.
> Luckily, a change for extdom plugin seem to be straightforward -- search
> for the *last* occurence of the domain separator, not the first one. We
> had a similar issue with nfs idmapd code too.
Yes, the most tricky part would be testing, to make sure the new regular
expression doesn't break anything. I used the one I showed to unblock
some RHEL customers that were complaining and were a bit stuck, but I
didn't have enough time to run all our available tests with it, that's
why we didn't switch by default..
More information about the Freeipa-users
mailing list