On Wed, Dec 18, 2013 at 03:30:41PM +0100, Jakub Hrozek wrote:
> On Mon, Dec 16, 2013 at 03:49:01PM +0100, Sumit Bose wrote:
> > On Thu, Dec 05, 2013 at 01:56:41PM +0100, Jakub Hrozek wrote:
> > > On Wed, Dec 04, 2013 at 05:56:30PM +0100, Sumit Bose wrote:
> > > > On Wed, Dec 04, 2013 at 05:22:06PM +0100, Jakub Hrozek wrote:
> > > > > On Wed, Dec 04, 2013 at 10:42:52AM +0100, Sumit Bose wrote:
> > > > > > On Tue, Dec 03, 2013 at 02:01:27PM +0100, Jakub Hrozek
wrote:
> > > > > > > On Thu, Nov 28, 2013 at 05:55:44PM +0100, Sumit Bose
wrote:
> > > > > > > > On Wed, Nov 27, 2013 at 02:50:35PM +0100, Jakub
Hrozek wrote:
> > > > > > > > > On Tue, Nov 26, 2013 at 11:51:41AM +0100,
Sumit Bose wrote:
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > Steeve found some issues when testing
sss_cache with sub-domain users.
> > > > > > > > > > This was originally fixed in
https://fedorahosted.org/sssd/ticket/1741
> > > > > > > > > > but I guess recent changes have broken
it again.
> > > > > > > > > >
> > > > > > > > > > I have tested the patches with users
and groups. It would be nice is
> > > > > > > > > > someone with a suitable environment can
test them for the other object
> > > > > > > > > > types as well.
> > > > > > > > > >
> > > > > > > > > > bye,
> > > > > > > > > > Sumit
> > > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > during testing I found out that there is a
difference in how we store
> > > > > > > > > the nameAlias attribute for subdomain users
retrieved with the exended
> > > > > > > > > operation to IPA and subdomain users that
are stored with the LDAP
> > > > > > > > > provider.
> > > > > > > > >
> > > > > > > > > The IPA subdomain users have lowercase the
whole alias (so typically
> > > > > > > > > user(a)windows.domain) while the LDAP users
have only the name component
> > > > > > > > > lowercased (user(a)WINDOWS.DOMAIN). Currently
sss_cache only works with he
> > > > > > > > > latter.
> > > > > > > > >
> > > > > > > > > As discussed on IRC, we should pick on
scheme and use it, ideally with
> > > > > > > > > some helper function.
> > > > > > > >
> > > > > > > > I added two new patches to fix this. 0003 adds a
new call to add a lower
> > > > > > > > case alias name to a sysdb_attrs struct and 0004
replace current code
> > > > > > > > with the new call.
> > > > > > > >
> > > > > > > > bye,
> > > > > > > > Sumit
> > > > > > >
> > > > > > > After testing the patches I think the issue is a bit
more complex. I
> > > > > > > hope I can explain the problem clearly. We can only
consider subdomain
> > > > > > > users and hence FQDN lookups for the problem.
> > > > > > >
> > > > > > > In the responder code, the lookup will be performed
for user@DOMAIN_NAME,
> > > > > > > where DOMAIN_NAME is exactly the same case as domain
name in the confdb.
> > > > > > > So unfortunately lowercasing the whole alias won't
work
> > > > > > > unless the responder FQDN lookups are lowercased as
well.
> > > > > > >
> > > > > > > I was wondering a bit why did the lookups for users on
IPA clients
> > > > > > > (fetched with extop) work and it turns out we matched
their name
> > > > > > > attribute, not alias. This is how the user entry looks
now with git
> > > > > > > HEAD:
> > > > > > >
> > > > > > > dn:
name=administrator(a)WIN.EXAMPLE.COM,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> > > > > > > name: administrator(a)WIN.EXAMPLE.COM
> > > > > > > nameAlias: administrator(a)win.example.com
> > > > > > >
> > > > > > > so the nameAlias can only be matched with lowercased
sssd domain, in my
> > > > > > > case, the name attribute is matched. IIRC the reason
even the name is
> > > > > > > lowercased and not original is a bug in winbind we
tried to work
> > > > > > > around..
> > > > > > >
> > > > > > > In IPA server mode the same user entry looks like this
with git HEAD:
> > > > > > >
> > > > > > > dn:
name=Administrator(a)WIN.EXAMPLE.COM,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> > > > > > > name: Administrator(a)WIN.EXAMPLE.COM
> > > > > > > nameAlias: administrator(a)WIN.EXAMPLE.COM
> > > > > > >
> > > > > > > So here the nameAlias is matched by the responder.
> > > > > > >
> > > > > > > The patches changed that to:
> > > > > > > dn:
name=Administrator(a)WIN.EXAMPLE.COM,cn=users,cn=WIN.EXAMPLE.COM,cn=sysdb
> > > > > > > name: Administrator(a)WIN.EXAMPLE.COM
> > > > > > > nameAlias: administrator(a)win.example.com
> > > > > > >
> > > > > > > So neither name nor alias matched.
> > > > > > >
> > > > > > > I'm not sure what the best way to fix the
inconsistency would be. I
> > > > > > > think the way subdomain users are stored with AD
backend makes more
> > > > > > > sense to me because the original name as stored on the
server is kept in
> > > > > > > the name attribute and the alias is matched on
lookups. But the way
> > > > > > > extop users are stored might be fine as well, we
don't seem to be using
> > > > > > > the original version of name at the moment.
> > > > > >
> > > > > > The users coming from extdom are always lower-cased because
winbind will
> > > > > > return them in lower-case most of the time and winbind was
feeding the
> > > > > > extdom plugin before we had ipa-server-mode. I say
'most of the time'
> > > > > > because there was a bug in some versions of winbind where
the original
> > > > > > name was returned. Since the information from the extdom
plugin have to
> > > > > > be extended with the group information from the PAC I
thought the
> > > > > > easiest way to find the right user is to always use
lower-case names
> > > > > > here which will always work because AD is case-insensitve.
But if we can
> > > > > > make sure that nameAlias is handled consistently I do not
have any
> > > > > > objections to use the name which is returned from the
server without
> > > > > > making it lower-case explicitly.
> > > > >
> > > > > OK, I'm fine with this, as I said above, the name is not
really
> > > > > important but the way we treated the nameAlias with extdom users
(where
> > > > > it never matched) was strange to me.
> > > > >
> > > > > >
> > > > > > About the case of the domain in nameAlias. As long as
nameAlias is used
> > > > > > only inside the sssd process the case does not matter much
because I
> > > > > > think the domain name is always taken from the name member
of the
> > > > > > sss_domain_info struct (and if it is not the case it can
easily
> > > > > > be converted). Nevertheless I find it a bit counter
intuitive to have a
> > > > > > mixed cased name in nameAlias to search for a
case-insensitive name so
> > > > > > I would prefer to change the responder. Since
> > > > > > sss_parse_name_for_domains() make case-insensitive
comparison of the
> > > > > > domain name as well we do not have a chance to support
case-sensitive
> > > > > > domain names.
> > > > >
> > > > > Thanks for the domain name investigation.
> > > > >
> > > > > So the proposal is to change the responder searches to look for
> > > > > case-insensitive nameAlias? If so, don't we need some sysdb
upgrade to
> > > > > lowercase the existing mixed case aliases?
> > > >
> > > > good point, I think we should keep the old filter as a fallback to
avoid
> > > > a sysdb upgrade for the time being. Maybe it can be folded into an
other
> > > > major sysdb upgrade later and then the fallback can be removed.
> > >
> > > Yes, Michal is working on sysdb upgrade anyway, that might be a good
> > > time to do two changes.
> >
> > please find attached the patch set with an additional fifth patch which
> > adds an all-lower-cased string to the search filter where needed.
> >
> > Please note that the original issue was that sss_cache was not able to
> > find some entries from sub-domains. If you think the current patch set
> > is too much for a minor release and the original issue should be fixed
> > differently, let me know. Nevertheless I think not having a
> > all-lower-cased version of the name in nameAlias for case-insensitive
> > searches is a bug which has to be fixed.
>
> I think this is the right approach and I agree with these patches in
> sssd-1-11.
>
> Regular lookups for both users and groups from domains and subdomains
> work fine, I haven't found any issues there. I only found one issue in
> sss_cache where the filter for a subdomain user would contain the domain
> name in original case, but the alias can already be lowercased.
The attached patch set should handle this as well. I modified
update_filter() for this and tried to remove some redundancy there. I
also added sss_filter_sanitize_for_dom() to clean the input.
bye,
Sumit
Thanks for the patience.
I tested the usual NSS and PAM operations as well as retrieving aliases
stored with the old format using the patched code and everythign went
well.
ACK to all patches.