This patch should fix https://fedorahosted.org/sssd/ticket/1921 . If
enterprise principals are used, the principal returned during the kinit
process will most certainly look different than the one we guess or read
from LDAP attributes. This means we should always update our cache with
the new value so that e.g. we can properly parse the credential cache.
Initially I have seen validation failures, but currently I cannot
reproduce them anymore.
While I was testing the patches for the AD range retrieval disable option,
the SSSD started segfaulting in my test environment. The cause was
a missing variable in a DEBUG macro call.
Attached patch fixes this issue.
Associate Software Engineer
Red Hat Czech
Compilation fails if ./configure is called with arguments
--with-selinux --with-semanage and selinux header files are not
installed. We did not catch this in Fedora, because krb5-devel depends on
libselinux-devel, but other distributions can package it differently.
And the API from selinux.h is not used in file ipa_selinux.c
Apologies, I have been working on ticket #570 and I am sending this for your comments before I send a final patch.
I was reviewing where else needs to change and I found these places:
1 - krb5_auth.c ---> tevent_req *krb5_auth_send(
2 - krb5_utils.c ---> char *expand_ccname_template(
3 - ipa_dyndns.c ---> int create_nsupdate_message(
Hi Stef and the list,
I was about to close SSSD upstream ticket #1917 but I wanted to check if
we're all on the same page. Sorry for copying the whole devel list, but
I know there's already been quite some discussions about how to handle
the fully qualified names properly.
Turns out that the fqname format actually is user@domain already, but for
AD domains, the realmd sets it to "domain\user", in particular, sets the
"full_name_format" param to "%2$s\%1$s". I think the whole confusion came
from the fact that the re_expression default in SSSD that parses the
input is different in AD/IPA and the other providers, while the output
full_name_format is currently always the same, so the realmd sets it on
With the recent fixes for discovering the NetBIOS name dynamically (#1468)
and allowing the NetBIOS name in the fq format (#1648), I believe the right
thing now would be for realmd to stop setting the "full_name_format" parameter
altogether and name the domain according to the AD domain name (rhbz#960270).
Then the users could simply rely on the default user@domain fqdn output
and set the short\name themselves if needed.
Does it all make sense? Can I simply close #1917 as worksforme? Would
you prefer an upstream or rhbz bug against realmd to stop setting
In commit 46222e5191473f9a46aec581273eb2eef22e23be we removed a very
similar DEBUG message while moving the whole piece of code to the idmap
library. But it turned out that the DEBUG message was useful while
testing the functionality, so this patch adds it back.
While I'm not really fond of a test relying on the presence of a DEBUG
message, I don't see a problem in re-adding it either.
This is the second series of patches for the SID related lookups. With
these 4 patches, together with the ones sent before, the FreeIPA WebUI
can do the SID-to-name lookups as described in
The patches currently only support IPA subdomain users, i.e. users and
groups from trusted domains. Upcoming patches will add support for IPA
users and support for the AD provider as well.