On Wed, Dec 18, 2013 at 09:43:11PM +0100, Sumit Bose wrote: > On Wed, Dec 18, 2013 at 03:30:41PM +0100, Jakub Hrozek wrote: > > On Mon, Dec 16, 2013 at 03:49:01PM +0100, Sumit Bose wrote: > > > On Thu, Dec 05, 2013 at 01:56:41PM +0100, Jakub Hrozek wrote: > > > > On Wed, Dec 04, 2013 at 05:56:30PM +0100, Sumit Bose wrote: > > > > > On Wed, Dec 04, 2013 at 05:22:06PM +0100, Jakub Hrozek wrote: > > > > > > On Wed, Dec 04, 2013 at 10:42:52AM +0100, Sumit Bose wrote: > > > > > > > On Tue, Dec 03, 2013 at 02:01:27PM +0100, Jakub Hrozek wrote: > > > > > > > > On Thu, Nov 28, 2013 at 05:55:44PM +0100, Sumit Bose wrote: > > > > > > > > > On Wed, Nov 27, 2013 at 02:50:35PM +0100, Jakub Hrozek wrote: > > > > > > > > > > On Tue, Nov 26, 2013 at 11:51:41AM +0100, Sumit Bose wrote: > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > > Steeve found some issues when testing sss_cache with > > > > > > > > > > > sub-domain users. > > > > > > > > > > > This was originally fixed in > > > > > > > > > > > https://fedorahosted.org/sssd/ticket/1741 > > > > > > > > > > > but I guess recent changes have broken it again. > > > > > > > > > > > > > > > > > > > > > > I have tested the patches with users and groups. It would > > > > > > > > > > > be nice is > > > > > > > > > > > someone with a suitable environment can test them for the > > > > > > > > > > > other object > > > > > > > > > > > types as well. > > > > > > > > > > > > > > > > > > > > > > bye, > > > > > > > > > > > Sumit > > > > > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > during testing I found out that there is a difference in > > > > > > > > > > how we store > > > > > > > > > > the nameAlias attribute for subdomain users retrieved with > > > > > > > > > > the exended > > > > > > > > > > operation to IPA and subdomain users that are stored with > > > > > > > > > > the LDAP > > > > > > > > > > provider. > > > > > > > > > > > > > > > > > > > > The IPA subdomain users have lowercase the whole alias (so > > > > > > > > > > typically > > > > > > > > > > user@windows.domain) while the LDAP users have only the > > > > > > > > > > name component > > > > > > > > > > lowercased (user@WINDOWS.DOMAIN). Currently sss_cache only > > > > > > > > > > works with he > > > > > > > > > > latter. > > > > > > > > > > > > > > > > > > > > As discussed on IRC, we should pick on scheme and use it, > > > > > > > > > > ideally with > > > > > > > > > > some helper function. > > > > > > > > > > > > > > > > > > I added two new patches to fix this. 0003 adds a new call to > > > > > > > > > add a lower > > > > > > > > > case alias name to a sysdb_attrs struct and 0004 replace > > > > > > > > > current code > > > > > > > > > with the new call. > > > > > > > > > > > > > > > > > > bye, > > > > > > > > > Sumit > > > > > > > > > > > > > > > > After testing the patches I think the issue is a bit more > > > > > > > > complex. I > > > > > > > > hope I can explain the problem clearly. We can only consider > > > > > > > > subdomain > > > > > > > > users and hence FQDN lookups for the problem. > > > > > > > > > > > > > > > > In the responder code, the lookup will be performed for > > > > > > > > user@DOMAIN_NAME, > > > > > > > > where DOMAIN_NAME is exactly the same case as domain name in > > > > > > > > the confdb. > > > > > > > > So unfortunately lowercasing the whole alias won't work > > > > > > > > unless the responder FQDN lookups are lowercased as well. > > > > > > > > > > > > > > > > I was wondering a bit why did the lookups for users on IPA > > > > > > > > clients > > > > > > > > (fetched with extop) work and it turns out we matched their name > > > > > > > > attribute, not alias. This is how the user entry looks now with > > > > > > > > git > > > > > > > > HEAD: > > > > > > > > > > > > > > > > dn: > > > > > > > > name=administra...@win.example.com,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb > > > > > > > > name: administra...@win.example.com > > > > > > > > nameAlias: administra...@win.example.com > > > > > > > > > > > > > > > > so the nameAlias can only be matched with lowercased sssd > > > > > > > > domain, in my > > > > > > > > case, the name attribute is matched. IIRC the reason even the > > > > > > > > name is > > > > > > > > lowercased and not original is a bug in winbind we tried to work > > > > > > > > around.. > > > > > > > > > > > > > > > > In IPA server mode the same user entry looks like this with git > > > > > > > > HEAD: > > > > > > > > > > > > > > > > dn: > > > > > > > > name=administra...@win.example.com,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb > > > > > > > > name: administra...@win.example.com > > > > > > > > nameAlias: administra...@win.example.com > > > > > > > > > > > > > > > > So here the nameAlias is matched by the responder. > > > > > > > > > > > > > > > > The patches changed that to: > > > > > > > > dn: > > > > > > > > name=administra...@win.example.com,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb > > > > > > > > name: administra...@win.example.com > > > > > > > > nameAlias: administra...@win.example.com > > > > > > > > > > > > > > > > So neither name nor alias matched. > > > > > > > > > > > > > > > > I'm not sure what the best way to fix the inconsistency would > > > > > > > > be. I > > > > > > > > think the way subdomain users are stored with AD backend makes > > > > > > > > more > > > > > > > > sense to me because the original name as stored on the server > > > > > > > > is kept in > > > > > > > > the name attribute and the alias is matched on lookups. But the > > > > > > > > way > > > > > > > > extop users are stored might be fine as well, we don't seem to > > > > > > > > be using > > > > > > > > the original version of name at the moment. > > > > > > > > > > > > > > The users coming from extdom are always lower-cased because > > > > > > > winbind will > > > > > > > return them in lower-case most of the time and winbind was > > > > > > > feeding the > > > > > > > extdom plugin before we had ipa-server-mode. I say 'most of the > > > > > > > time' > > > > > > > because there was a bug in some versions of winbind where the > > > > > > > original > > > > > > > name was returned. Since the information from the extdom plugin > > > > > > > have to > > > > > > > be extended with the group information from the PAC I thought the > > > > > > > easiest way to find the right user is to always use lower-case > > > > > > > names > > > > > > > here which will always work because AD is case-insensitve. But if > > > > > > > we can > > > > > > > make sure that nameAlias is handled consistently I do not have any > > > > > > > objections to use the name which is returned from the server > > > > > > > without > > > > > > > making it lower-case explicitly. > > > > > > > > > > > > OK, I'm fine with this, as I said above, the name is not really > > > > > > important but the way we treated the nameAlias with extdom users > > > > > > (where > > > > > > it never matched) was strange to me. > > > > > > > > > > > > > > > > > > > > About the case of the domain in nameAlias. As long as nameAlias > > > > > > > is used > > > > > > > only inside the sssd process the case does not matter much > > > > > > > because I > > > > > > > think the domain name is always taken from the name member of the > > > > > > > sss_domain_info struct (and if it is not the case it can easily > > > > > > > be converted). Nevertheless I find it a bit counter intuitive to > > > > > > > have a > > > > > > > mixed cased name in nameAlias to search for a case-insensitive > > > > > > > name so > > > > > > > I would prefer to change the responder. Since > > > > > > > sss_parse_name_for_domains() make case-insensitive comparison of > > > > > > > the > > > > > > > domain name as well we do not have a chance to support > > > > > > > case-sensitive > > > > > > > domain names. > > > > > > > > > > > > Thanks for the domain name investigation. > > > > > > > > > > > > So the proposal is to change the responder searches to look for > > > > > > case-insensitive nameAlias? If so, don't we need some sysdb upgrade > > > > > > to > > > > > > lowercase the existing mixed case aliases? > > > > > > > > > > good point, I think we should keep the old filter as a fallback to > > > > > avoid > > > > > a sysdb upgrade for the time being. Maybe it can be folded into an > > > > > other > > > > > major sysdb upgrade later and then the fallback can be removed. > > > > > > > > Yes, Michal is working on sysdb upgrade anyway, that might be a good > > > > time to do two changes. > > > > > > please find attached the patch set with an additional fifth patch which > > > adds an all-lower-cased string to the search filter where needed. > > > > > > Please note that the original issue was that sss_cache was not able to > > > find some entries from sub-domains. If you think the current patch set > > > is too much for a minor release and the original issue should be fixed > > > differently, let me know. Nevertheless I think not having a > > > all-lower-cased version of the name in nameAlias for case-insensitive > > > searches is a bug which has to be fixed. > > > > I think this is the right approach and I agree with these patches in > > sssd-1-11. > > > > Regular lookups for both users and groups from domains and subdomains > > work fine, I haven't found any issues there. I only found one issue in > > sss_cache where the filter for a subdomain user would contain the domain > > name in original case, but the alias can already be lowercased. > > The attached patch set should handle this as well. I modified > update_filter() for this and tried to remove some redundancy there. I > also added sss_filter_sanitize_for_dom() to clean the input. > > bye, > Sumit
Thanks for the patience. I tested the usual NSS and PAM operations as well as retrieving aliases stored with the old format using the patched code and everythign went well. ACK to all patches. _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
