On Thu, Feb 01, 2018 at 01:03:24PM -0800, Richard Sharpe wrote:
We have a customer who seems to do what RHEL does with respects users
1. User A has a SID of S-1-5-21-x-y-z-1234
2. They also have a primary group SID of S-1-5-21-x-y-x-1235 (usually adjacent).
3. They are also using RFC2703bis and they have the UID property set
to 21234 and the GID property set to 21234.
Now, when the Samba idmap_sss.c calls sss_nss_getsidbyid looking for
the SID associated with the GID it often gets back the SID associated
with the UID, probably because we just asked for the SID associated
with the UID.
Is there a different function I can call to get both/all? I looked at
the code for sss_nss_getsidbyid and it just calls sss_nss_getyyybyxxx
and that function seems to only hand back the first SID returned.
I'm sorry, I have to admit that this kind of setup didn't came to my
mind when writing those calls. But yes, users and group are coming from
different name spaces on the POSIX side and should be handled
Currently you can only do workarounds. E.g. if the group name differs
from the user name you call getpwuid() and getgrgid() first and then
sss_nss_getsidbyname(). But this would only work if the use names based
on the samAccountName attribute from AD because iirc AD enforces
uniqueness here. If they use a different attribute for the group names
this might not work.
As an alternative, but even more complicated you can make the SID
available via D-Bus/InfoPipe and then lookup user and group by ID.
So it looks like sss_nss_getsidbyuid() and sss_nss_getsidbygid() should
be added to the interface. Would you mind to open a ticket about this on
or do you prefer me doing this?
Also, as an aside, it seems like a bad decision to place fixed CERTs
in the repos because if you need to rebuild the package after the CERT
expires you are SOL.
Yes, makeshift solutions have a long life. I already have a ticket to
generate fresh certificates for each test run
. But only two tests should be hit
by the issue. So, in the worst case they can be disabled:
+diff --git a/Makefile.am b/Makefile.am
+@@ -273,11 +273,9 @@ if HAVE_CMOCKA
+ responder_cache_req-tests \
+ test_sbus_opath \
+ test_fo_srv \
+- pam-srv-tests \
+ test_ipa_subdom_util \
+ test_tools_colondb \
+ test_krb5_wait_queue \
+- test_cert_utils \
+ test_ldap_id_cleanup \
+ test_data_provider_be \
+ test_dp_request_table \
> Richard Sharpe
> sssd-devel mailing list -- sssd-devel(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-leave(a)lists.fedorahosted.org