On Wed, Dec 04, 2013 at 10:42:52AM +0100, Sumit Bose wrote:
> On Tue, Dec 03, 2013 at 02:01:27PM +0100, Jakub Hrozek wrote:
> > On Thu, Nov 28, 2013 at 05:55:44PM +0100, Sumit Bose wrote:
> > > On Wed, Nov 27, 2013 at 02:50:35PM +0100, Jakub Hrozek wrote:
> > > > On Tue, Nov 26, 2013 at 11:51:41AM +0100, Sumit Bose wrote:
> > > > > Hi,
> > > > >
> > > > > Steeve found some issues when testing sss_cache with sub-domain
users.
> > > > > This was originally fixed in
https://fedorahosted.org/sssd/ticket/1741
> > > > > but I guess recent changes have broken it again.
> > > > >
> > > > > I have tested the patches with users and groups. It would be
nice is
> > > > > someone with a suitable environment can test them for the other
object
> > > > > types as well.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > >
> > > > Hi,
> > > >
> > > > during testing I found out that there is a difference in how we
store
> > > > the nameAlias attribute for subdomain users retrieved with the
exended
> > > > operation to IPA and subdomain users that are stored with the LDAP
> > > > provider.
> > > >
> > > > The IPA subdomain users have lowercase the whole alias (so typically
> > > > user(a)windows.domain) while the LDAP users have only the name
component
> > > > lowercased (user(a)WINDOWS.DOMAIN). Currently sss_cache only works with
he
> > > > latter.
> > > >
> > > > As discussed on IRC, we should pick on scheme and use it, ideally
with
> > > > some helper function.
> > >
> > > I added two new patches to fix this. 0003 adds a new call to add a lower
> > > case alias name to a sysdb_attrs struct and 0004 replace current code
> > > with the new call.
> > >
> > > bye,
> > > Sumit
> >
> > After testing the patches I think the issue is a bit more complex. I
> > hope I can explain the problem clearly. We can only consider subdomain
> > users and hence FQDN lookups for the problem.
> >
> > In the responder code, the lookup will be performed for user@DOMAIN_NAME,
> > where DOMAIN_NAME is exactly the same case as domain name in the confdb.
> > So unfortunately lowercasing the whole alias won't work
> > unless the responder FQDN lookups are lowercased as well.
> >
> > I was wondering a bit why did the lookups for users on IPA clients
> > (fetched with extop) work and it turns out we matched their name
> > attribute, not alias. This is how the user entry looks now with git
> > HEAD:
> >
> > dn: name=administrator(a)WIN.EXAMPLE.COM,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> > name: administrator(a)WIN.EXAMPLE.COM
> > nameAlias: administrator(a)win.example.com
> >
> > so the nameAlias can only be matched with lowercased sssd domain, in my
> > case, the name attribute is matched. IIRC the reason even the name is
> > lowercased and not original is a bug in winbind we tried to work
> > around..
> >
> > In IPA server mode the same user entry looks like this with git HEAD:
> >
> > dn: name=Administrator(a)WIN.EXAMPLE.COM,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> > name: Administrator(a)WIN.EXAMPLE.COM
> > nameAlias: administrator(a)WIN.EXAMPLE.COM
> >
> > So here the nameAlias is matched by the responder.
> >
> > The patches changed that to:
> > dn: name=Administrator(a)WIN.EXAMPLE.COM,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> > name: Administrator(a)WIN.EXAMPLE.COM
> > nameAlias: administrator(a)win.example.com
> >
> > So neither name nor alias matched.
> >
> > I'm not sure what the best way to fix the inconsistency would be. I
> > think the way subdomain users are stored with AD backend makes more
> > sense to me because the original name as stored on the server is kept in
> > the name attribute and the alias is matched on lookups. But the way
> > extop users are stored might be fine as well, we don't seem to be using
> > the original version of name at the moment.
>
> The users coming from extdom are always lower-cased because winbind will
> return them in lower-case most of the time and winbind was feeding the
> extdom plugin before we had ipa-server-mode. I say 'most of the time'
> because there was a bug in some versions of winbind where the original
> name was returned. Since the information from the extdom plugin have to
> be extended with the group information from the PAC I thought the
> easiest way to find the right user is to always use lower-case names
> here which will always work because AD is case-insensitve. But if we can
> make sure that nameAlias is handled consistently I do not have any
> objections to use the name which is returned from the server without
> making it lower-case explicitly.
OK, I'm fine with this, as I said above, the name is not really
important but the way we treated the nameAlias with extdom users (where
it never matched) was strange to me.
>
> About the case of the domain in nameAlias. As long as nameAlias is used
> only inside the sssd process the case does not matter much because I
> think the domain name is always taken from the name member of the
> sss_domain_info struct (and if it is not the case it can easily
> be converted). Nevertheless I find it a bit counter intuitive to have a
> mixed cased name in nameAlias to search for a case-insensitive name so
> I would prefer to change the responder. Since
> sss_parse_name_for_domains() make case-insensitive comparison of the
> domain name as well we do not have a chance to support case-sensitive
> domain names.
Thanks for the domain name investigation.
So the proposal is to change the responder searches to look for
case-insensitive nameAlias? If so, don't we need some sysdb upgrade to
lowercase the existing mixed case aliases?
good point, I think we should keep the old filter as a fallback to avoid
a sysdb upgrade for the time being. Maybe it can be folded into an other
major sysdb upgrade later and then the fallback can be removed.
bye,
Sumit
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel