URL: https://github.com/SSSD/sssd/pull/5251 Author: pbrezina Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving Action: opened
PR body: """ The first patch is just man page update to reflect current state.
I think it makes sense to be able to show subdomain names in their original casing. Patches 2-3 make it work for AD provider.
Patch 4 makes it work for IPA provider. There is apparently a bug in winbind, but there is no link to any bugzilla so I do not know if it was already fixed. The commit is four years old. This patch requires case_sensitive=Preserving to be set also on the server, otherwise it does not work. It can be enabled without the server setting but we need to make nss_cmd_getpwnam_ex (and other _ex commands) to always return case preserving name. So before I continue the work I'd like to ask @sumit-bose if we can do it like this.
Resolves: https://github.com/SSSD/sssd/issues/5250 """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5251/head:pr5251
git checkout pr5251
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving
pbrezina commented: """ @sumit-bose bump """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-678202940
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving
sumit-bose commented: """ Hi,
about the winbind comments, they are coming from a time where the extdom plugin on the IPA servers was using winbind for the SID-to-name (and reverse) lookups. This was changed 7 years ago, see https://pagure.io/freeipa/issue/3637 for details. However, IPA servers on RHEL6 might still be affected.
Would it be possible to check in `s2n_response_to_attrs()` if `Preserving` is requested and keep the lower-case version if not? Since this feature requires that `Preserving` is set on the server side as well this more or less implies that it cannot be used with very old versions of IPA.
Do you think it would be worth to ask IPA team if they can add an ipa-config option to switch `Preserving` on to make the configuration more easy and consistent?
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-684758361
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving
pbrezina commented: """ RHEL-6 servers should not be affected since it requires changes on both client and server side SSSD. So RHEL-6 servers will just reply with lowercased names (since the client will not be updated there) and that's what the client will use. Thanks for the clarification, I'll see what we can do about it. """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-684802542
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving
sumit-bose commented: """
> RHEL-6 servers should not be affected since it requires changes on both client and server side SSSD. So RHEL-6 servers will just reply with lowercased names (since the client will not be updated there) and that's what the client will use. Thanks for the clarification, I'll see what we can do about it.
Hi,
I think it is a bit different. On RHEL-6 there is no SSSD ipa-server mode since all lookups in AD were still done by winbind. And iirc this unconditional lower-casing was added because depending on the type of operation winbind might have returned an all-lowercase name or the original spelling and SSSD at this time got confused and considered those as different users and tried to add them twice. Hence the ad-hoc fix to unconditionally lower-case the names.
I'm not sure if current winbind on RHEL-6 still acts in the same way or if a recent version of SSSD on an IPA client would still have an issue if a RHEL-6 IPA server would still return the name of the same user sometimes all lower-case and other times in the original spelling with maybe some upper-case characters. I hope that using a RHEL-8 IPA client with a RHEL-6 IPA server will be as rare as a proton decay, but who knows.
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-685327536
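Added example, not part of the thread and not SSSD code: a toy name cache showing the failure described in the comment above, where one user returned in two spellings becomes two entries under case-sensitive matching, and how unconditional lower-casing or case-insensitive matching with preserved spelling avoids it. The enum, struct and function names and the sample names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical model of the three case_sensitive modes; not SSSD code. */
enum case_mode { CASE_TRUE, CASE_FALSE, CASE_PRESERVING };
#define MAX_USERS 8
#define NAME_LEN 64
struct name_cache {
    enum case_mode mode;
    int count;
    char names[MAX_USERS][NAME_LEN];   /* spelling handed back to callers */
};

/* Store a name as returned by a lookup; returns the number of entries. */
int cache_store(struct name_cache *c, const char *name)
{
    for (int i = 0; i < c->count; i++) {
        int same = (c->mode == CASE_TRUE) ? strcmp(c->names[i], name) == 0
                                          : strcasecmp(c->names[i], name) == 0;
        if (same) return c->count;     /* known user, no second entry */
    }
    if (c->count == MAX_USERS) return c->count;   /* full: drop the name */
    char *dst = c->names[c->count++];
    snprintf(dst, NAME_LEN, "%s", name);
    if (c->mode == CASE_FALSE)         /* False lower-cases the output */
        for (char *p = dst; *p; p++)
            *p = (char)tolower((unsigned char)*p);
    return c->count;
}

/* One user seen in original spelling, then all lower-case (constructed). */
int store_both_spellings(enum case_mode mode, char *out, size_t outlen)
{
    struct name_cache c = { .mode = mode };
    cache_store(&c, "JDoe@AD.EXAMPLE");
    cache_store(&c, "jdoe@ad.example");
    snprintf(out, outlen, "%s", c.names[0]);
    return c.count;
}

int main(void)
{
    char out[NAME_LEN];
    int n = store_both_spellings(CASE_PRESERVING, out, sizeof out);
    printf("%d entry, shown as %s\n", n, out);
    return 0;
}
```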
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving
Label: +Deferred
URL: https://github.com/SSSD/sssd/pull/5251 Author: pbrezina Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5251 Author: pbrezina Title: #5251: subdomains: allow to inherit case_sensitive=Preserving Action: edited
Changed field: title Original value: """ [wip] subdomains: allow to inherit case_sensitive=Preserving """
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
pbrezina commented: """ See updated patches. I added `s2n_response_to_attrs_fqname()` that returns lowercased name for oldest protocol version which can use winbind underneath. Newer protocols use ipa server mode which returns lowercased name (without these patches) and original name (with these patches applied on the server side). `case_sensitive=Preserving` now works for AD provider as well as IPA provider without the need to set anything on the server side. SSSD needs to be updated on the server side as well though. """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-726036219
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Label: +Waiting for review
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Label: -Deferred
URL: https://github.com/SSSD/sssd/pull/5251 Author: pbrezina Title: #5251: subdomains: allow to inherit case_sensitive=Preserving Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
pbrezina commented: """ Rebased on top of master branch. """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-762142205
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
pbrezina commented: """ @SSSD/developers can some of you review these patches? It would be good to include this in the next release. """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-762145478
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
sumit-bose commented: """ Hi,
thanks for the rebase. I'm not sure I like the last patch. Why would you want to set `case_sensitive=Preserving` only on some clients and especially not on the server? Wouldn't this cause confusion? I would even say that if the SSSD side is fixed it might be better to ask FreeIPA to add an ipa config option to set `case_sensitive` for the whole domain and the SSSD use this new option.
Additionally, without any flags set `SSS_NSS_GETPWNAM_EX` should return the same result as `SSS_NSS_GETPWNAM`, so adding `Preserving` flag would be a solution, but this would require additional changes on the IPA side.
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-762369175
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
abbra commented: """ For what it's worth, IPA always lowercases user and group names when storing in LDAP, there is no way to avoid it. """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-762395780
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
pbrezina commented: """
> Hi,
> thanks for the rebase. I'm not sure I like the last patch. Why would you want to set `case_sensitive=Preserving` only on some clients and especially not on the server? Wouldn't this cause confusion? I would even say that if the SSSD side is fixed it might be better to ask FreeIPA to add an ipa config option to set `case_sensitive` for the whole domain and the SSSD use this new option.
Do you suggest to add case_sensitive option in IPA similar to what we do with e.g. domain_resolution_order?
> Additionally, without any flags set `SSS_NSS_GETPWNAM_EX` should return the same result as `SSS_NSS_GETPWNAM`, so adding `Preserving` flag would be a solution, but this would require additional changes on the IPA side.
Given IPA lowercases what it gets, why does it need to return the same result?
If you don't agree with the patch then I suggest to enable this for AD only for now and see what we can do for IPA later (the customer behind this requests it for AD provider). """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-763509202
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
sumit-bose commented: """
> > Hi, thanks for the rebase. I'm not sure I like the last patch. Why would you want to set `case_sensitive=Preserving` only on some clients and especially not on the server? Wouldn't this cause confusion? I would even say that if the SSSD side is fixed it might be better to ask FreeIPA to add an ipa config option to set `case_sensitive` for the whole domain and the SSSD use this new option.
> Do you suggest to add case_sensitive option in IPA similar to what we do with e.g. domain_resolution_order?
Yes, this would be the long term idea. However, in the meantime I think it is ok to require to set `case_sensitive=Preserving` on the IPA servers as well if you want to use it on the client and hence the last patch is not needed.
> > Additionally, without any flags set `SSS_NSS_GETPWNAM_EX` should return the same result as `SSS_NSS_GETPWNAM`, so adding `Preserving` flag would be a solution, but this would require additional changes on the IPA side.
> Given IPA lowercases what it gets, why does it need to return the same result?
I think Alexander's comment was about IPA user and groups which are always lower case, AD users are not stored in LDAP.
> If you don't agree with the patch then I suggest to enable this for AD only for now and see what we can do for IPA later (the customer behind this requests it for AD provider).
See above. If I understand it correctly by setting `case_sensitive=Preserving` in sssd.conf on the IPA servers the last patch is not needed, SSSD has to be updated anyways to make sure the option is inherited by the sub-domains (trusted AD domains).
bye, Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-763797708
URL: https://github.com/SSSD/sssd/pull/5251 Author: pbrezina Title: #5251: subdomains: allow to inherit case_sensitive=Preserving Action: synchronized
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
pbrezina commented: """ Ok, please see new patch set. I dropped last two patches, updated man page and release notes. """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-766729777
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
sumit-bose commented: """ Hi,
thanks, I tested with AD and IPA with trust and the patches are working as expected, CI failures are unrelated. ACK.
bye, Sumit """
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-766925648
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Label: -Waiting for review
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Label: +Accepted
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Label: +Ready to push
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
pbrezina commented: """ Pushed PR: https://github.com/SSSD/sssd/pull/5251
* `master`
    * 944c47e27c4e5a01816bb897efb33c1825a64078 - man: update case_sensitive documentation to reflect changes for subdomains
    * f6bb31af5b5c6605f33377f0750c85d0ff722385 - subdomains: allow to inherit case_sensitive=Preserving for IPA
    * f2655950430a25abc6b74761b2872004e3258893 - subdomains: allow to set case_sensitive=Preserving in subdomain section
    * 12eb04b2fd698245d653c9166af29949d337b3be - subdomains: allow to inherit case_sensitive=Preserving
    * 0eb0281c9620086cda0e814532398e5a9a4b7092 - man: add auto_private_groups to subdomain_inherit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5251#issuecomment-767465779
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Label: +Pushed
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Label: -Ready to push
URL: https://github.com/SSSD/sssd/pull/5251 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Label: -Accepted
URL: https://github.com/SSSD/sssd/pull/5251 Author: pbrezina Title: #5251: subdomains: allow to inherit case_sensitive=Preserving Action: closed
sssd-devel@lists.fedorahosted.org