Discussion:
[SSSD] [sssd PR#5608][opened] nss: fix getsidbyname for IPA user-private-groups
sumit-bose
2021-04-27 09:00:39 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Author: sumit-bose
Title: #5608: nss: fix getsidbyname for IPA user-private-groups
Action: opened

PR body:
"""
Currently the getsidbyname request does not work properly for IPA users
due to the way IPA user-private-groups are handled by SSSD. With this
patch two different cases, the default automatic user-private-groups
where the group is a managed object and manual creation of a user and a
group with UID and GIDs so that the group is a user-private group, are
covered.

Resolves: https://github.com/SSSD/sssd/issues/5607

:fixes: Fix getsidbyname issues with IPA users with a user-private-group
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5608/head:pr5608
git checkout pr5608
alexey-tikhonov
2021-04-29 19:53:22 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: +Bugzilla
alexey-tikhonov
2021-04-29 19:53:32 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: +Waiting for review
elkoniu
2021-05-17 22:14:57 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: +Changes requested
elkoniu
2021-05-17 22:15:04 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: -Waiting for review
elkoniu
2021-05-17 23:13:29 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

elkoniu commented:
"""
Use case from source bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1837090):
```
[***@master ~]# ipa user-add some-user
First name: Some
Last name: User
----------------------
Added user "some-user"
----------------------
User login: some-user
First name: Some
Last name: User
Full name: Some User
Display name: Some User
Initials: SU
Home directory: /home/some-user
GECOS: Some User
Login shell: /bin/sh
Principal name: some-***@IPA.TEST
Principal alias: some-***@IPA.TEST
Email address: some-***@ipa.test
UID: 1908200011
GID: 1908200011
Password: False
Member of groups: ipausers
Kerberos keys available: False

[***@master ~]# id IPA\\some-user
uid=1908200011(some-user) gid=1908200011(some-user) groups=1908200011(some-user)

[***@master ~]# python
Python 3.8.2 (default, Feb 28 2020, 00:00:00)
[GCC 10.0.1 20200216 (Red Hat 10.0.1-0.8)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-3787809381-104084847-3373960542-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\some-user')
{}
>>> pysss_nss_idmap.getsidbyname('IPA\\some-user')
{}
```

Result of this PR build deployed (`elmer2` - existing user, `elmer3` - non existing user):
```
[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ ipa user-add elmer2
First name: Elmer
Last name: Second
-------------------
Added user "elmer2"
-------------------
User login: elmer2
First name: Elmer
Last name: Second
Full name: Elmer Second
Display name: Elmer Second
Initials: ES
Home directory: /home/elmer2
GECOS: Elmer Second
Login shell: /bin/sh
Principal name: ***@IPA.VM
Principal alias: ***@IPA.VM
Email address: ***@ipa.vm
UID: 356000006
GID: 356000006
Password: False
Member of groups: ipausers
Kerberos keys available: False

[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ id IPA\\elmer3
id: ‘IPA\\elmer3’: no such user

[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ id IPA\\elmer2
uid=356000006(elmer2) gid=356000006(elmer2) groups=356000006(elmer2)

[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ python
Python 3.7.9 (default, Aug 19 2020, 17:05:11)
[GCC 9.3.1 20200408 (Red Hat 9.3.1-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-1923584740-778949710-2051978183-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\elmer2')
{'IPA\\elmer2': {'sid': 'S-1-5-21-1923584740-778949710-2051978183-1006', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\elmer3')
{}
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/5608#issuecomment-842701820
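An added example, not part of the PR or of the comment above: a regression check for the behaviour shown in the two transcripts, flagging users that resolve through NSS but get an empty result from `getsidbyname`. The names `audit_sid_mapping`, `sssd_lookup` and `replay` are hypothetical, and the set of POSIX-resolvable users is assumed to be collected separately (for example with `id`).

```python
import re

# String form of a SID: S-1-<authority>-<sub-authority>...; the last field is the RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def sssd_lookup(name):
    """Live lookup through SSSD; needs the pysss_nss_idmap bindings on the host."""
    import pysss_nss_idmap
    return pysss_nss_idmap.getsidbyname(name)

def audit_sid_mapping(names, known_users, lookup=sssd_lookup):
    """Compare POSIX resolution with SID resolution for each name.

    known_users: names that NSS resolves (assumption: gathered beforehand).
    Returns {name: status}; status is 'ok', 'missing-sid' (user exists but
    no SID comes back, the symptom this PR addresses), 'bad-sid' or 'absent'.
    """
    report = {}
    for name in names:
        entry = lookup(name).get(name)
        if entry is None:
            report[name] = "missing-sid" if name in known_users else "absent"
        elif not SID_RE.match(entry.get("sid", "")):
            report[name] = "bad-sid"
        else:
            report[name] = "ok"
    return report

# Stub resolvers replaying the outputs quoted in the comment above.
BEFORE = {"IPA\\admin": {"sid": "S-1-5-21-3787809381-104084847-3373960542-500", "type": 1}}
AFTER = {
    "IPA\\admin": {"sid": "S-1-5-21-1923584740-778949710-2051978183-500", "type": 1},
    "IPA\\elmer2": {"sid": "S-1-5-21-1923584740-778949710-2051978183-1006", "type": 1},
}

def replay(table):
    """Build a lookup function that answers from a fixed table, like the transcripts."""
    return lambda name: {name: table[name]} if name in table else {}

def demo():
    before = audit_sid_mapping(["IPA\\admin", "IPA\\some-user"],
                               {"IPA\\admin", "IPA\\some-user"}, replay(BEFORE))
    after = audit_sid_mapping(["IPA\\admin", "IPA\\elmer2", "IPA\\elmer3"],
                              {"IPA\\admin", "IPA\\elmer2"}, replay(AFTER))
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a host with the SSSD Python bindings installed, call `audit_sid_mapping` without the `lookup` argument to query SSSD directly.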
elkoniu
2021-05-17 23:14:23 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

elkoniu commented:
"""
Use case from source bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1837090):
```
[***@master ~]# ipa user-add some-user
First name: Some
Last name: User
----------------------
Added user "some-user"
----------------------
User login: some-user
First name: Some
Last name: User
Full name: Some User
Display name: Some User
Initials: SU
Home directory: /home/some-user
GECOS: Some User
Login shell: /bin/sh
Principal name: some-***@IPA.TEST
Principal alias: some-***@IPA.TEST
Email address: some-***@ipa.test
UID: 1908200011
GID: 1908200011
Password: False
Member of groups: ipausers
Kerberos keys available: False

[***@master ~]# id IPA\\some-user
uid=1908200011(some-user) gid=1908200011(some-user) groups=1908200011(some-user)

[***@master ~]# python
Python 3.8.2 (default, Feb 28 2020, 00:00:00)
[GCC 10.0.1 20200216 (Red Hat 10.0.1-0.8)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-3787809381-104084847-3373960542-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\some-user')
{}
>>> pysss_nss_idmap.getsidbyname('IPA\\some-user')
{}
```

Result of this PR build deployed:
```
[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ ipa user-add elmer2
First name: Elmer
Last name: Second
-------------------
Added user "elmer2"
-------------------
User login: elmer2
First name: Elmer
Last name: Second
Full name: Elmer Second
Display name: Elmer Second
Initials: ES
Home directory: /home/elmer2
GECOS: Elmer Second
Login shell: /bin/sh
Principal name: ***@IPA.VM
Principal alias: ***@IPA.VM
Email address: ***@ipa.vm
UID: 356000006
GID: 356000006
Password: False
Member of groups: ipausers
Kerberos keys available: False

[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ id IPA\\elmer2
uid=356000006(elmer2) gid=356000006(elmer2) groups=356000006(elmer2)

[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ python
Python 3.7.9 (default, Aug 19 2020, 17:05:11)
[GCC 9.3.1 20200408 (Red Hat 9.3.1-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-1923584740-778949710-2051978183-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\elmer2')
{'IPA\\elmer2': {'sid': 'S-1-5-21-1923584740-778949710-2051978183-1006', 'type': 1}}
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/5608#issuecomment-842701820
elkoniu
2021-05-17 23:14:40 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

elkoniu commented:
"""
Use case from source bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1837090):
```
[***@master ~]# ipa user-add some-user
First name: Some
Last name: User
----------------------
Added user "some-user"
----------------------
User login: some-user
First name: Some
Last name: User
Full name: Some User
Display name: Some User
Initials: SU
Home directory: /home/some-user
GECOS: Some User
Login shell: /bin/sh
Principal name: some-***@IPA.TEST
Principal alias: some-***@IPA.TEST
Email address: some-***@ipa.test
UID: 1908200011
GID: 1908200011
Password: False
Member of groups: ipausers
Kerberos keys available: False

[***@master ~]# id IPA\\some-user
uid=1908200011(some-user) gid=1908200011(some-user) groups=1908200011(some-user)

[***@master ~]# python
Python 3.8.2 (default, Feb 28 2020, 00:00:00)
[GCC 10.0.1 20200216 (Red Hat 10.0.1-0.8)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-3787809381-104084847-3373960542-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\some-user')
{}
```

Result of this PR build deployed:
```
[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ ipa user-add elmer2
First name: Elmer
Last name: Second
-------------------
Added user "elmer2"
-------------------
User login: elmer2
First name: Elmer
Last name: Second
Full name: Elmer Second
Display name: Elmer Second
Initials: ES
Home directory: /home/elmer2
GECOS: Elmer Second
Login shell: /bin/sh
Principal name: ***@IPA.VM
Principal alias: ***@IPA.VM
Email address: ***@ipa.vm
UID: 356000006
GID: 356000006
Password: False
Member of groups: ipausers
Kerberos keys available: False

[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ id IPA\\elmer2
uid=356000006(elmer2) gid=356000006(elmer2) groups=356000006(elmer2)

[***@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ python
Python 3.7.9 (default, Aug 19 2020, 17:05:11)
[GCC 9.3.1 20200408 (Red Hat 9.3.1-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-1923584740-778949710-2051978183-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\elmer2')
{'IPA\\elmer2': {'sid': 'S-1-5-21-1923584740-778949710-2051978183-1006', 'type': 1}}
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/5608#issuecomment-842701820
sumit-bose
2021-05-19 10:56:35 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Author: sumit-bose
Title: #5608: nss: fix getsidbyname for IPA user-private-groups
Action: synchronized

sumit-bose
2021-05-19 10:57:24 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

sumit-bose commented:
"""
Hi,

thank you for your comments, I updated the commit message to make it (hopefully) more clear.

bye,
Sumit
"""

See the full comment at https://github.com/SSSD/sssd/pull/5608#issuecomment-843989660
elkoniu
2021-05-20 16:21:15 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: -Changes requested
elkoniu
2021-05-20 16:21:21 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: +Accepted
pbrezina
2021-05-24 16:02:45 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: +Ready to push
pbrezina
2021-05-25 10:24:46 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

pbrezina commented:
"""
Pushed PR: https://github.com/SSSD/sssd/pull/5608

* `master`
* 9cb89666eae3ab2d4a93fb531fc29e433356391f - nss: fix getsidbyname for IPA user-private-groups

"""

See the full comment at https://github.com/SSSD/sssd/pull/5608#issuecomment-847749347
pbrezina
2021-05-25 10:24:50 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: +Pushed
pbrezina
2021-05-25 10:24:53 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: -Accepted
pbrezina
2021-05-25 10:24:55 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Title: #5608: nss: fix getsidbyname for IPA user-private-groups

Label: -Ready to push
pbrezina
2021-05-25 10:24:58 UTC
URL: https://github.com/SSSD/sssd/pull/5608
Author: sumit-bose
Title: #5608: nss: fix getsidbyname for IPA user-private-groups
Action: closed

