search

SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0
596 stars 246 forks source link

full_name_format and default_domain_suffix breaks supplemental AD trust groups #3879

Closed sssd-bot closed 4 years ago

sssd-bot commented 4 years ago

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2838

Running IPA (4.1.0-18.sl7_1.4) with an AD trust. IPA domain is nwra.com, AD domain is ad.nwra.com. All users are in AD. Trying to use:

[sssd]
default_domain_suffix = ad.nwra.com
full_name_format = %1$s

on the clients to strip the domain from user names so that users do not have to concern themselves with domain info. This appears to break supplemental groups. With just default_domain_suffix I have:

# id orion
uid=22603(orion@ad.nwra.com) gid=22603(orion@ad.nwra.com) groups=22603(orion@ad.nwra.com),27124(andreas admins@ad.nwra.com),20512(domain admins@ad.nwra.com),20513(domain users@ad.nwra.com),24701(boulder@ad.nwra.com),24712(it@ad.nwra.com),24715(nwra-users@ad.nwra.com),27608(heimdall users@ad.nwra.com),24703(pirep rd users@ad.nwra.com),24714(wireless access@ad.nwra.com)

But with full_name_format = %1$s I get:

# id orion
uid=22603(orion) gid=22603(orion) groups=22603(orion)
}}} 
Client version is sssd-1.13.1-2.fc23

Without full_name_format, sssd_nwra.com.log shows:

[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users@ad.nwra.com][name=nwra-users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [boulder@ad.nwra.com][name=boulder@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [heimdall users@ad.nwra.com][name=heimdall users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain admins@ad.nwra.com][name=domain admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users@ad.nwra.com][name=domain users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [andreas admins@ad.nwra.com][name=andreas admins@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [it@ad.nwra.com][name=it@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [pirep rd users@ad.nwra.com][name=pirep rd users@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [wireless access@ad.nwra.com][name=wireless access@ad.nwra.com,cn=groups,cn=ad.nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion@ad.nwra.com

[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins@ad.nwra.com
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding member [orion@ad.nwra.com][name=orion@ad.nwra.com,cn=users,cn=ad.nwra.com,cn=sysdb]

With it:

[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain admins][name=domain admins,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [heimdall users][name=heimdall users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [nwra-users][name=nwra-users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [andreas admins][name=andreas admins,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [domain users][name=domain users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [it][name=it,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [wireless access][name=wireless access,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [orion][name=orion,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [boulder][name=boulder,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x4000): Added [pirep rd users][name=pirep rd users,cn=groups,cn=nwra.com,cn=sysdb].
[sssd[be[nwra.com]]] [get_groups_dns] (0x0400): Root domain uses fully-qualified names, objects might not be correctly added to groups with short names.
[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x2000): Updating memberships for orion

[sssd[be[nwra.com]]] [ipa_s2n_save_objects] (0x0400): Processing group andreas admins
[sssd[be[nwra.com]]] [process_members] (0x4000): Adding ghost member [orion@ad.nwra.com]

Looks like in the latter the groups members still have @ad.nwra.com so orion@ad.nwra.com gets added as a ghost member rather than a proper one?

Comments

Comment from orion at 2015-10-15 00:56:06

That seems to be the right track, as "getent group nwra-users" returns an entry with the @ad.nwra.com suffix on all of the members. Presumably that should get stripped as well.

Comment from jhrozek at 2015-10-16 11:32:23

Thank you, I can reproduce now.

owner: somebody => jhrozek status: new => assigned

Comment from jhrozek at 2015-10-16 11:49:30

The issue is that the subdomain users are (to avoid conflicts) normally saved with fully qualified names.

But unfortunately, the full_name_format also changes how the usernames are stored in the cache and the subdomains code just doesn't expect non-qualified usernames in the cache.

Since we already have first version of the patches that only use full_name_format for presentation of the data, not storing them, I would prefer to solve this ticket along with #2011

Comment from orion at 2015-10-16 16:57:46

That sounds good. I was fairly surprised to see sssd store non-qualified names.

Comment from jhrozek at 2015-10-22 17:36:59

I'm moving the ticket to the same milestone that contains the sysdb refactoring.

milestone: NEEDS_TRIAGE => SSSD 1.14 alpha

Comment from jhrozek at 2015-12-03 22:18:25

Fields changed

rhbz: => todo

Comment from jhrozek at 2015-12-10 11:55:43

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1287209 (Red Hat Enterprise Linux 7)

rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1287209 1287209]

Comment from jhrozek at 2016-06-20 12:01:16

I have the sysdb refactoring in my local branch, but I need to release 1.14 alpha today, so moving to Beta.

milestone: SSSD 1.14 alpha => SSSD 1.14 beta

Comment from jhrozek at 2016-06-27 10:56:09

Still needs review and the new sysdb needs db version upgrade.

milestone: SSSD 1.14 beta => SSSD 1.14.0

Comment from jhrozek at 2016-07-01 16:25:30

Fields changed

patch: 0 => 1

Comment from jhrozek at 2016-07-07 12:51:20

Fixed in e6b6b9f..c88b63b

Comment from jhrozek at 2016-07-07 12:51:36

Fields changed

resolution: => fixed status: assigned => closed

Comment from orion at 2017-02-24 14:44:40

Metadata Update from @orion:

lerroot commented 2 years ago

Hi-

Apologies, but this does not appear to be fixed.
Name : sssd Arch : x86_64 Version : 1.16.5 Release : 10.el7_9.13

on Centos 7.9 (3.10.0-1160.59.1.el7.x86_64). auth against AD server.

setting full_name_format = %1$s seems to be truncating all supplemental groups just as OP noted years ago. for me, it occurs only with users from domains other than primary domain.

Unlike OP, I am not setting default_domain_suffix and I have set use_fully_qualified_names = False Only one domain (primary) set up in sssd.conf

with full_name_format = %1$s in sssd.conf, command id username>@<domain specifying domains other than primary domain outputs only uid= gid= groups= with single entry for each. with default full_name_format, full supplemental group list is present.

Please advise.

Yours, Larry Root

sumit-bose commented 2 years ago

Hi,

are you using FreeIPA as well or is your client directly joinend into an AD domain? Have you tried if it makes a difference if you only use full_name_format = %1$s and not set use_fully_qualified_names = False? Can you share your full (sanitized) sssd.conf?

In general it would be better to open a new ticket and add a reference to an older ticket if needed.

bye, Sumit

lerroot commented 2 years ago

Hi-

No FreeIPA- client is directly joined.
Using full_name_format = %1$s and setting use_fully_qualified_names = True causes both primary and secondary domain users to return uid= gid= groups= with single entry for each. with default full_name_format, full supplemental group list is present from all trusted domains, not just the primary domain.

Using full_name_format = %1$s and setting use_fully_qualified_names = False causes only the secondary domain users to return uid= gid= groups= with single entry for each. primary domain users still show full supplemental group listing from all trusted domains. with default full_name_format, full supplemental group list from all trusted domains is present for all users.

I will redact and post sssd.conf. It's a single-domain setup. Other domains are in same forest/trusted. Should I be realm-joining all domains separately on a single client host? I've only realm-joined the primary domain set out in sssd.conf. It was my understanding that joining all domains separately on a single client host was only needed for domains in different forests.

Yours, Larry Root

sumit-bose commented 2 years ago

I will redact and post sssd.conf. It's a single-domain setup. Other domains are in same forest/trusted. Should I be realm-joining all domains separately on a single client host? I've only realm-joined the primary domain set out in sssd.conf. It was my understanding that joining all domains separately on a single client host was only needed for domains in different forests.

Hi,

just joining one domain is sufficient if there are a two-way trusts between the domains in the forest.

bye, Sumit

lerroot commented 2 years ago

Hi-

Here's my sssd.conf

[sssd] domains = dom1.ad.example.com config_file_version = 2 services = nss, pam full_name_format = %1$s

[domain/dom1.ad.example.com] ad_server = server1.dom1.ad.example.com,server2.dom1.ad.example.com,server3.dom1.ad.example.com,server4.dom1.ad.example.com,server5.dom1.ad.example.com ad_enabled_domains = dom1.ad.example.com,dom2.ad.example.com,dom3.ad.example.com krb5_realm = DOM1.AD.EXAMPLE.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/tcsh ldap_id_mapping = True use_fully_qualified_names = False override_homedir = /home/users/%u access_provider = ad

As I noted above: When I set full_name_format = %1$s and use_fully_qualified_names = False Supplemental groups fail to resolve (id command) for users in dom2.ad.example.com,dom3.ad.example.com

When I set full_name_format = %1$s and use_fully_qualified_names = True Supplemental groups fail to resolve (id command) for users in all three domains (dom1.ad.example.com,dom2.ad.example.com,dom3.ad.example.com)

Not sure, but it seems like full_name_format = %1$s is still broken in a similar manner. Please let me know what you think. Thanks again! Yours, Larry Root

sumit-bose commented 2 years ago

Hi,

thanks for sending your sssd.conf. Please use use_fully_qualified_names = False and try to add

domain_resolution_order = dom1.ad.example.com,dom2.ad.example.com,dom3.ad.example.com

to the [sssd] section of sssd.conf, restart SSSD and check if secondary groups are now resolved.

HTH

bye, Sumit

lerroot commented 2 years ago

Hi-

Excellent- it works- thank you very much! Any caveats? Also- why was that parameter domain_resolution_order = required here to resolve secondary groups when parameter full_name_format = %1$s is set ?

Thanks again!

Yours, Larry Root

sumit-bose commented 2 years ago

Hi-

Excellent- it works- thank you very much! Any caveats?

Hi,

no, using domain_resolution_order is basically expected in this use case because ...

Also- why was that parameter domain_resolution_order = required here to resolve secondary groups when parameter full_name_format = %1$s is set ?

when using short names, especially with AD, there are many duplicated user and group name, e.g. Administrator, Domain Users etc. To add at least a bit of determinism to domain_resolution_order parameter was added. Please note that you might see still unexpected output when mixing lookups with fully-qualified names (which of course by-pass the list from domain_resolution_order) and short names. To cut it short, I would recommend to output fully-qualified names in such an environment, but I understand that this might not always be possible.

HTH

bye, Sumit

Thanks again!

Yours, Larry Root

lerroot commented 2 years ago

Hi-

Thank you so much! I had tried -almost- everything. I need to reconsider outputting fully-qualified names for both domains. Thanks again!

Yours, Larry Root