SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Domain substitution in fallback_homedir for subdomains #5496

Open mastersin opened 3 years ago

mastersin commented 3 years ago

Default domain substitution in fallback_homedir is set by "%d". For the parent domain it substitutes the REALM in uppercase, but for a subdomain in sssd-ad it substitutes, on the contrary, the domain name in lowercase. It looks like this is a bug, as we don't get the same behavior for the same parameter.

For example, for administrator in the parent domain we get /home/DOMAIN.ALT/administrator, but for administrator in the subdomain we get /home/domain2.alt/administrator.

# id administrator
uid=1052000500(administrator) gid=1052000513(domain users) groups=1052000513(domain users),1052000512(domain admins),1052000520(group policy creator owners),1052000572(denied rodc password replication group),1052000518(schema admins),1052000519(enterprise admins),100(users),80(cdwriter),22(cdrom),81(audio),470(video),19(proc),83(radio),465(camera),71(floppy),498(xgrp),499(scanner),14(uucp),481(vboxusers),467(fuse),101(localadmins),10(wheel)

# getent passwd administrator
administrator:*:1052000500:1052000513:Administrator:/home/DOMAIN.ALT/administrator:/bin/bash
# getent passwd DOMAIN\\administrator
administrator:*:1052000500:1052000513:Administrator:/home/DOMAIN.ALT/administrator:/bin/bash

# getent passwd DOMAIN2\\administrator
administrator@domain2.alt:*:1315800500:1315800500:Administrator:/home/domain2.alt/administrator:/bin/bash

# ls /home/
DOMAIN.ALT  domain2.alt  test
# grep domain/DOMAIN -A1000 /etc/sssd/sssd.conf 
[domain/DOMAIN.ALT]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 0
; cache_credentials = false
ad_gpo_ignore_unreadable = true
access_provider = ad
ad_gpo_access_control = permissive
debug_level = 3
krb5_use_subdomain_realm = true

[domain/DOMAIN.ALT/DOMAIN2.ALT]

alexey-tikhonov commented 11 months ago

Hi @sidecontrol,

could you please try to reproduce it?

alexey-tikhonov commented 11 months ago

This looks at least like inconsistent behavior. We could provide %d/%D to allow explicit conversion.

mastersin commented 11 months ago

Ok. I will try first on the available versions, on the updated ones.

danlavu commented 10 months ago

It's because the name in the domain section is capitalized.

[sssd]
domains = domain-2lc7.com
config_file_version = 2
services = nss, pam

[domain/domain-2lc7.com]   <<<<<<<<<<<<<<< HERE
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN-2LC7.COM
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = domain-2lc7.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
krb5_use_subdomain_realm = true

[root@client033 ~]# getent passwd -s sss CHILD-2LC7.DOMAIN-2LC7.COM\\administrator
administrator@child-2lc7.domain-2lc7.com:*:1402600500:1402600500:Administrator:/home/child-2lc7.domain-2lc7.com/administrator:/bin/bash

[root@client033 ~]# getent passwd -s sss DOMAIN-2LC7.COM\\administrator
administrator@domain-2lc7.com:*:406800500:406800513:Administrator:/home/domain-2lc7.com/administrator:/bin/bash

=============================================

[sssd]
domains = domain-2lc7.com
config_file_version = 2
services = nss, pam

[domain/DOMAIN-2LC7.COM]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = DOMAIN-2LC7.COM
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = domain-2lc7.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
krb5_use_subdomain_realm = true

[root@client033 ~]# getent passwd -s sss DOMAIN-2LC7.COM\\administrator
administrator@DOMAIN-2LC7.COM:*:406800500:406800513:Administrator:/home/DOMAIN-2LC7.COM/administrator:/bin/bash

[root@client033 ~]# getent passwd -s sss CHILD-2LC7.DOMAIN-2LC7.COM\\administrator
administrator@child-2lc7.domain-2lc7.com:*:1402600500:1402600500:Administrator:/home/child-2lc7.domain-2lc7.com/administrator:/bin/bash

sssd-2.9.1-2.el9.x86_64
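As an added example (not SSSD's own code and not posted by anyone in this thread), the Python script below models the %d expansion that both mastersin's report and danlavu's reproduction show: for the parent domain, %d takes the name exactly as written in the [domain/...] section header, while for a subdomain it is the subdomain's DNS name in lowercase. It then scans an sssd.conf for parent domains whose header contains uppercase letters while fallback_homedir uses %d, which is the configuration that yields mixed-case home directories across the trust. The function names, the `child.` subdomain used for the contrast, and the sample configs (copied from danlavu's two runs) are all constructed for this illustration; the behaviour itself is taken from the outputs above, not from SSSD source.

```python
"""Added example, not SSSD's own code: model the fallback_homedir %d expansion
behaviour reported in this issue and flag configs that will produce
mixed-case home directory names across a parent domain and its subdomains.

Assumed behaviour (taken from the outputs posted above, not from SSSD source):
  * parent domain: %d is the domain name exactly as written in the
    [domain/...] section header (DOMAIN.ALT -> /home/DOMAIN.ALT/...)
  * subdomain:     %d is the subdomain's DNS name in lowercase
                   (DOMAIN2.ALT -> /home/domain2.alt/...)
"""
import configparser
import re

# Constructed sample configs, copied from danlavu's two runs; only the case of
# the [domain/...] header differs between them.
CONF_LOWER = """
[sssd]
domains = domain-2lc7.com
config_file_version = 2
services = nss, pam

[domain/domain-2lc7.com]
default_shell = /bin/bash
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = domain-2lc7.com
use_fully_qualified_names = True
krb5_use_subdomain_realm = true
"""
CONF_UPPER = CONF_LOWER.replace("[domain/domain-2lc7.com]",
                                "[domain/DOMAIN-2LC7.COM]")


def parse_sssd_conf(text):
    """Parse sssd.conf text. interpolation=None keeps '%d'/'%u' literal and
    strict=False tolerates repeated keys such as the doubled access_provider
    in the first config posted in this thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def expand_fallback_homedir(template, section_domain, user, user_domain=None):
    """Expand %d/%u the way the outputs above show SSSD doing it.

    section_domain: the name as written in the [domain/<name>] header.
    user_domain:    DNS name of the domain the user belongs to; None, or a
                    name equal to section_domain ignoring case, means the
                    parent domain itself.
    """
    if user_domain is None or user_domain.lower() == section_domain.lower():
        domain_value = section_domain        # parent: header text verbatim
    else:
        domain_value = user_domain.lower()   # subdomain: always lowercase
    subst = {"%d": domain_value, "%u": user}
    # Single-pass substitution so a value containing '%u' is never re-expanded.
    return re.sub(r"%[du]", lambda m: subst[m.group(0)], template)


def find_mixed_case_homedirs(conf_text, probe_user="administrator"):
    """Return (domain, template, parent_home, subdomain_home) for every parent
    domain whose header contains uppercase letters and whose fallback_homedir
    uses %d: its users get uppercase home paths, subdomain users lowercase."""
    cp = parse_sssd_conf(conf_text)
    findings = []
    for section in cp.sections():
        m = re.fullmatch(r"domain/([^/]+)", section)   # parent domains only
        if not m:
            continue
        dom = m.group(1)
        tmpl = cp.get(section, "fallback_homedir", fallback=None)
        if not tmpl or "%d" not in tmpl or dom == dom.lower():
            continue
        # Hypothetical child domain name, used only to illustrate the contrast.
        child = "child." + dom
        findings.append((dom, tmpl,
                         expand_fallback_homedir(tmpl, dom, probe_user),
                         expand_fallback_homedir(tmpl, dom, probe_user, child)))
    return findings


if __name__ == "__main__":
    for label, conf in (("lowercase header", CONF_LOWER),
                        ("uppercase header", CONF_UPPER)):
        hits = find_mixed_case_homedirs(conf)
        print(f"{label}: {'OK' if not hits else 'mixed-case home directories'}")
        for dom, tmpl, parent_home, child_home in hits:
            print(f"  [domain/{dom}] {tmpl}: parent -> {parent_home}, "
                  f"subdomain -> {child_home}")
```

Run it against a real /etc/sssd/sssd.conf by passing the file contents to find_mixed_case_homedirs; an empty result means every parent domain header is already lowercase, which is the workaround danlavu's comparison points to until an explicit case conversion such as the %d/%D pair alexey-tikhonov mentions exists.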