Is there an option in SSSD or the plugin to turn off the normalization?

On Tue, May 30, 2017 at 2:27 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
>
>> So I took a brand new user that I have never used in the system before (I
>> checked that the entry was not in the compat tree) and just ran an "id"
>> command on a Solaris system. I then looked in the
>> /var/log/dirsrv/slapd-<ipa domain>/access log file on the IPA server for
>> the query, and from the log file the query came in as all caps.
>>
>> example:
>> [~]$: id 831...@win.mydomin.com
>>
>> [~]$: cat /var/log/dirsrv/slapd-<ipa domain>/access |grep 831413
>> [30/May/2017:13:34:38.637498942 -0400] conn=94124 op=622 SRCH base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=831...@win.mydomin.com))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
>> [30/May/2017:13:34:38.651811322 -0400] conn=94124 op=622 RESULT err=0 tag=101 nentries=1 etime=0
>>
>> However, the entry in the compat tree is all lowercase, just like I
>> reported. I can reproduce this easily.
>
> memberUid value comes from SSSD look up. SSSD normalizes all names to
> lower case.
>
> For group names, I'm not sure they are normalized, though.
>
>> Robert Johnson
>>
>> On Tue, May 30, 2017 at 1:10 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>
>>> On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
>>>
>>>> Red Hat Enterprise Linux Server release 7.3
>>>> ipa-server-4.4.0-14.el7_3.4.x86_64
>>>> 389-ds-base-1.3.5.10-15.el7_3.x86_64
>>>> sssd-1.14.0-43.el7_3.11.x86_64
>>>>
>>>> When looking at entries in the "cn=groups,cn=compat" tree, I noticed that
>>>> the entries for Windows groups have the realm portion of the group name in
>>>> all caps. This is true for the comment, the dn and the cn.
>>>>
>>>> example:
>>>> # domain us...@win.mydomain.com, groups, compat, ipa.mydomain.com
>>>> dn: cn=domain us...@win.mydomain.com,cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com
>>>> memberUid: 123...@win.mydomain.com
>>>> cn: domain us...@win.mydomain.com
>>>>
>>>> When I look at the entries in the "cn=users,cn=compat" tree, the realm
>>>> portion of the user name is all lower case. Incidentally, these same user
>>>> names are also all lowercase in the "memberUid" option on the groups above.
>>>>
>>>> example:
>>>> # 123...@win.mydomain.com, users, compat, ipa.mydomain.com
>>>> dn: uid=123...@win.mydomain.com,cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
>>>> homeDirectory: /home/win.mydomain.com/123456
>>>> uid: 123...@win.mydomain.com
>>>>
>>>> Was this by design?
>>>
>>> Users and groups for AD users are inserted into the compat tree on
>>> demand, when a request comes mentioning them via LDAP query. The name is
>>> taken from the LDAP query.
>>>
>>> So it is your application(s) that are asking for fully qualified user/group
>>> names with domain part capitalized.
>>>
>>>> The reason I ask is that when I try to use the "kinit" feature on our
>>>> Solaris 10 systems (which are joined to the IPA domain) for this Windows
>>>> user, I get an error.
>>>>
>>>> [~]$ kinit
>>>> Password for 123...@win.mydomain.com:
>>>> kinit(v5): KDC reply did not match expectations while getting initial credentials
>>>>
>>>> If I run it like this:
>>>> [~]$ kinit 123...@win.mydomain.com
>>>> Password for 123...@win.mydomain.com:
>>>> [~]$ klist
>>>> Ticket cache: FILE:/tmp/krb5cc_1683378846
>>>> Default principal: 123...@win.mydomain.com
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 05/30/17 11:44:35  05/30/17 21:44:40  krbtgt/win.mydomain....@win.mydomain.com
>>>>         renew until 06/06/17 11:44:35
>>>>
>>>> I believe this is due to the fact that the Solaris 10 system is using the
>>>> lowercase entry in the compat tree above. Here is the result of the id
>>>> command on this user:
>>>> [~]$ id
>>>> uid=1683378846(123...@win.mydomain.com) gid=1683378846(123...@win.mydomain.com)
>>>>
>>>> I know this is a workaround but I would prefer to make this easier on the
>>>> end users. Any suggestions?
>>>
>>> You mix up Kerberos principals and user identities. They are different.
>>> In Kerberos protocol realm is case-sensitive. WIN.MYDOMAIN.COM is not
>>> the same realm as win.mydomain.com. On Active Directory side this is
>>> hidden behind the Windows UI facade but on UNIX systems Kerberos
>>> libraries aren't hiding this fact.
>>>
>>> That's why you get "KDC reply did not match expectations .." error
>>> message -- a realm name is used as part of Kerberos exchange and it is
>>> expected to be all upper case.
>>>
>>> On identity front you have probably configured your Solaris systems to
>>> look up identities with upper cased fqdn and compat tree plugin inserts
>>> those as it is. I certainly don't see this behavior with other systems.
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
> --
> / Alexander Bokovoy
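As an added diagnostic example (not from this thread and not FreeIPA or SSSD code), the Python below scans 389-ds access-log lines in the format quoted above for compat-tree lookups whose domain part is not lower case, which are the queries that make the compat plugin insert mixed-case entries, and puts the two namespaces Alexander distinguishes side by side: the SSSD-normalized identity name and the Kerberos principal with its upper-case realm. The log lines, names, domains and connection numbers are constructed placeholders.

```python
import re

# Constructed sample lines in the 389-ds access-log format quoted in the thread
# (placeholder names and domains, not the poster's server).
SAMPLE_LOG = """\
[30/May/2017:13:34:38.637498942 -0400] conn=94124 op=622 SRCH base="cn=users,cn=compat,dc=ipa,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=831413@WIN.EXAMPLE.COM))" attrs="cn uid"
[30/May/2017:13:34:38.651811322 -0400] conn=94124 op=622 RESULT err=0 tag=101 nentries=1 etime=0
[30/May/2017:13:35:02.100000000 -0400] conn=94130 op=3 SRCH base="cn=users,cn=compat,dc=ipa,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=123456@win.example.com))" attrs="cn uid"
[30/May/2017:13:35:09.200000000 -0400] conn=94131 op=7 SRCH base="cn=groups,cn=compat,dc=ipa,dc=example,dc=com" scope=1 filter="(&(objectClass=posixGroup)(cn=domain users@Win.Example.Com))" attrs="cn"
"""

# SRCH line: capture connection/op, the search base and the first uid= or cn=
# filter term that carries a fully qualified 'name@domain' value.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)".*?'
    r'\((?P<attr>uid|cn)=(?P<name>[^@()]+@[^)]+)\)'
)

def split_fqname(name):
    """Split SSSD's fully qualified 'user@domain' into (user, domain)."""
    if "@" not in name:
        return name, ""
    user, _, domain = name.rpartition("@")
    return user, domain

def sssd_identity_name(name):
    """Identity name as SSSD stores it: the whole name normalized to lower case."""
    return name.lower()

def kerberos_principal(name):
    """Kerberos principal for the same account: the realm part is upper case."""
    user, domain = split_fqname(name)
    return f"{user}@{domain.upper()}"

def find_noncanonical_lookups(log_text):
    """Return (conn, op, attr, name) for compat-tree searches whose domain part
    is not already lower case, i.e. clients sending capitalized names."""
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m or "cn=compat" not in m["base"]:
            continue
        _, domain = split_fqname(m["name"])
        if domain != domain.lower():
            hits.append((int(m["conn"]), int(m["op"]), m["attr"], m["name"]))
    return hits

if __name__ == "__main__":
    for conn, op, attr, name in find_noncanonical_lookups(SAMPLE_LOG):
        print(f"conn={conn} op={op} {attr}={name} -> identity "
              f"{sssd_identity_name(name)}, principal {kerberos_principal(name)}")
```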