Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1509691 - Document how to change the regular expression for SSSD so that group names with an @-sign can be parsed
Summary: Document how to change the regular expression for SSSD so that group names wi...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-05 18:04 UTC by Jakub Hrozek
Modified: 2018-10-30 10:41 UTC (History)
9 users (show)

Fixed In Version: sssd-1.16.2-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:40:47 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3158 None None None 2018-10-30 10:41:50 UTC

Description Jakub Hrozek 2017-11-05 18:04:48 UTC
Description of problem:
This is a spin-off of https://bugzilla.redhat.com/show_bug.cgi?id=1383520 which, instead changing the default re_expression (which might be too risky in a stable RHEL version) would document how to change the expression for environments that use groupnames with an @-sign.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Jakub Hrozek 2017-11-05 18:08:45 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3219

Comment 3 Fabiano Fidêncio 2018-06-22 11:42:34 UTC
master:
 4c79db6

Comment 9 Mohammad Rizwan 2018-09-06 07:47:22 UTC
version:
ipa-server-4.6.4-7.el7.x86_64
ipa-server-trust-ad-4.6.4-7.el7.x86_64
sssd-1.16.2-12.el7.x86_64
sssd-ad-1.16.2-12.el7.x86_64

Steps:
1. Install IPA master and setup AD trust

2. Add a user on AD side having @ i.e test@riz

3. Add a group on AD having @ i.e test@test

4. Add user to the the added group in step 3

5. clear cache and restart sssd on ipa server

6. Run id and getent for user and group on ipa server
   $ id test@riz@ad-domain

   $  getent group test@test@ad-domain

7. Install Ipa client

8. set regex on sssd.conf on ipa client in section [domain] and [sssd] and restart the sssd:

[..]
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
use_fully_qualified_names = True
debug_level = 9

[sssd]
services = nss, sudo, pam, ssh
re_expression = ((?P<name>.+)@(?P<domain>[^@]+$))
debug_level = 9
[..]

9. 6. Run id and getent for user and group on ipa client
   $ id test@riz@ad-domain

   $  getent group test@test@ad-domain


Actual result:

Master:
~~~~~~~~~~~
[root@mater ~]# id test@riz@ipaad2016.test
uid=1577608962(test_riz@ipaad2016.test) gid=1577608962(test_riz@ipaad2016.test) groups=1577608962(test_riz@ipaad2016.test),1577608961(test@test@ipaad2016.test),1577605681(group1@ipaad2016.test),1577600513(domain users@ipaad2016.test)
[root@mater ~]# 
[root@mater ~]# 
[root@mater ~]# getent group test@test@ipaad2016.test
test@test@ipaad2016.test:*:1577608961:test_riz@ipaad2016.test



client:
~~~~~~~~~~~
[root@client ~]# id test@riz@ipaad2016.test
uid=1577608962(test_riz@ipaad2016.test) gid=1577608962(test_riz@ipaad2016.test) groups=1577608962(test_riz@ipaad2016.test)
[root@client ~]# 
[root@client ~]# getent group test@test@ipaad2016.test
[root@client ~]# 


Currently '@' sign works for user name only and not for group names. Hence marking the bug as verified.

Comment 13 errata-xmlrpc 2018-10-30 10:40:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158


Note You need to log in before you can comment on or make changes to this bug.