Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 1509691

Summary: Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: grajaiya, jhrozek, lslebodn, mkosek, myusuf, mzidek, pbrezina, sgoveas, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.16.2-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:40:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jakub Hrozek 2017-11-05 18:04:48 UTC
Description of problem:
This is a spin-off of https://bugzilla.redhat.com/show_bug.cgi?id=1383520 which, instead changing the default re_expression (which might be too risky in a stable RHEL version) would document how to change the expression for environments that use groupnames with an @-sign.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Jakub Hrozek 2017-11-05 18:08:45 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3219

Comment 3 Fabiano FidĂȘncio 2018-06-22 11:42:34 UTC
master:
 4c79db6

Comment 9 Mohammad Rizwan 2018-09-06 07:47:22 UTC
version:
ipa-server-4.6.4-7.el7.x86_64
ipa-server-trust-ad-4.6.4-7.el7.x86_64
sssd-1.16.2-12.el7.x86_64
sssd-ad-1.16.2-12.el7.x86_64

Steps:
1. Install IPA master and setup AD trust

2. Add a user on AD side having @ i.e test@riz

3. Add a group on AD having @ i.e test@test

4. Add user to the the added group in step 3

5. clear cache and restart sssd on ipa server

6. Run id and getent for user and group on ipa server
   $ id test@riz@ad-domain

   $  getent group test@test@ad-domain

7. Install Ipa client

8. set regex on sssd.conf on ipa client in section [domain] and [sssd] and restart the sssd:

[..]
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
use_fully_qualified_names = True
debug_level = 9

[sssd]
services = nss, sudo, pam, ssh
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
debug_level = 9
[..]

9. 6. Run id and getent for user and group on ipa client
   $ id test@riz@ad-domain

   $  getent group test@test@ad-domain


Actual result:

Master:
~~~~~~~~~~~
[root@mater ~]# id test@riz@ipaad2016.test
uid=1577608962(test_riz@ipaad2016.test) gid=1577608962(test_riz@ipaad2016.test) groups=1577608962(test_riz@ipaad2016.test),1577608961(test@test@ipaad2016.test),1577605681(group1@ipaad2016.test),1577600513(domain users@ipaad2016.test)
[root@mater ~]# 
[root@mater ~]# 
[root@mater ~]# getent group test@test@ipaad2016.test
test@test@ipaad2016.test:*:1577608961:test_riz@ipaad2016.test



client:
~~~~~~~~~~~
[root@client ~]# id test@riz@ipaad2016.test
uid=1577608962(test_riz@ipaad2016.test) gid=1577608962(test_riz@ipaad2016.test) groups=1577608962(test_riz@ipaad2016.test)
[root@client ~]# 
[root@client ~]# getent group test@test@ipaad2016.test
[root@client ~]# 


Currently '@' sign works for user name only and not for group names. Hence marking the bug as verified.

Comment 13 errata-xmlrpc 2018-10-30 10:40:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158