Unable to lookup AD user if the AD group contains '@' symbol #6055

Closed
thalman opened this issue Mar 11, 2022 · 4 comments
Labels
Bugzilla Closed: Fixed Issue was closed as fixed.

Comments

thalman commented Mar 11, 2022

Description of problem:

Unable to lookup AD user if the AD group contains '@' symbol

Workaround: Adding re_expression = (((?P.+)@(?P[^@]+$))|(^(?P[^@\\]+)$)) on the IPA server and client's /etc/sssd/sssd.conf

Version-Release number of selected component (if applicable):

sssd version: sssd-2.4.0-9.el8_4.2.x86_64

thalman commented Mar 11, 2022

We can assume that the domain part (DNS name or Kerberos realm) can't contain '@', and the default can be improved.

thalman added a commit to thalman/sssd that referenced this issue Mar 11, 2022
Some Active Directory groups, typically those used for MS Exchange,
contain an "@" sign in the name. The new IPA and AD re_expression
default handles it correctly, considering that the domain is everything
that follows the last '@'.

Resolves: SSSD#6055
thalman added a commit to thalman/sssd that referenced this issue Mar 18, 2022
Some Active Directory groups, typically those used for MS Exchange,
contain an "@" sign in the name. The new IPA and AD re_expression
default handles it correctly, considering that the domain is everything
that follows the last '@'.

:relnote: Better default for IPA/AD re_expression. Tuning for
group names containing '@' is no longer needed.

Resolves: SSSD#6055
@pbrezina
Pushed PR: #6044

  • master
    • dde276e - TESTS: New tests for IPA/AD re_expression default
    • c159f52 - usertools: move default re_expression definition
    • 0c0705e - usertools: better default for IPA/AD re_expression

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Mar 23, 2022
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Jun 8, 2022
It is allowed to have different regular expressions to split the input
name for different domains. After the regex is evaluated and a domain
name was found in the input, it has to be checked whether the domain name
corresponds to the domain the regex is coming from.

E.g. with the implicit files provider enabled, the files provider might
use a simple default regex while an additional IPA or AD provider will
have a more complex one which e.g. properly handles @-characters in
names. When evaluating an input, the simple regex will come first and
will split the name but will miss part of the user name if the name
contains an @-character. Currently SSSD checks if the found domain name
matches any of the known domains or sub-domains, which is wrong because
the regex was coming from the files provider and hence it should only
handle its own objects.

With this patch not all domains are checked but only the current one and
its sub-domains, if any. This behavior is also mentioned in a comment
already in the code. As a result, in the above example the check with
the results from the simple regex will fail and then the more complex
regex of the other domain will be used, which can split the name
properly.

Resolves: SSSD#6055
alexey-tikhonov pushed a commit that referenced this issue Jun 13, 2022
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
alexey-tikhonov pushed a commit that referenced this issue Jun 13, 2022
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 9656516)
@alexey-tikhonov
Pushed PR: #6205

  • master
    • 9656516 - names: only check sub-domains for regex match
  • sssd-2-7
    • 536dc9e - names: only check sub-domains for regex match
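The following Python model, added here and not taken from SSSD's sources, shows both fixes on one input: the re_expression default from PR #6044 (domain is everything after the last '@') and the per-domain check from PR #6205 (a split is accepted only if the found domain is the current domain or one of its sub-domains). The regex strings are my reproduction of SSSD's IPA/AD and generic defaults and should be treated as assumptions; the named groups are renamed n1/d1... because Python's re module rejects the duplicate group names SSSD's pattern uses, and the domains and group name are constructed.

```python
import re
# IPA/AD default re_expression before the fix (assumed): name stops at the first '@'.
OLD_IPA_AD_RE = (r"((?P<d1>[^\\]+)\\(?P<n1>.+$))|((?P<n2>[^@]+)@(?P<d2>.+$))"
                 r"|(^(?P<n3>[^@\\]+)$)")
# New IPA/AD default from the fix: the domain is everything after the last '@'.
NEW_IPA_AD_RE = (r"((?P<d1>[^\\]+)\\(?P<n1>.+$))|((?P<n2>.+)@(?P<d2>[^@]+$))"
                 r"|(^(?P<n3>[^@\\]+)$)")
# Simple generic default used by e.g. the files provider (assumed).
GENERIC_RE = r"(?P<n1>[^@]+)@?(?P<d1>[^@]*$)"

def split_name(regex, fqname):
    """Return (name, domain or None), or None if nothing matches. Unanchored
    search mimics pcre2_match; groups are n1/d1... because Python's re
    rejects the duplicate group names SSSD's pattern uses."""
    m = re.search(regex, fqname)
    if m is None:
        return None
    g = m.groupdict()
    name = next(v for k, v in g.items() if k[0] == "n" and v is not None)
    domain = next((v for k, v in g.items() if k[0] == "d" and v), None)
    return name, domain

class Domain:
    def __init__(self, name, regex, subdomains=()):
        self.name, self.regex, self.subdomains = name, regex, tuple(subdomains)

    def owns(self, found):
        """True if found is this domain or one of its sub-domains."""
        f = found.lower()
        return f == self.name.lower() or f in (s.lower() for s in self.subdomains)

def parse_for_domains(domains, fqname, only_own_subdomains=True):
    """Try each domain's regex in order; accept a split only if its domain part
    passes the check. False = pre-patch check against every known domain,
    True = the patched behaviour (current domain and its sub-domains only)."""
    for dom in domains:
        split = split_name(dom.regex, fqname)
        if split is None:
            continue
        name, found = split
        if found is None:
            return name, None  # no domain part: caller searches all domains
        if any(d.owns(found) for d in ([dom] if only_own_subdomains else domains)):
            return name, found
    return None

DOMAINS = [Domain("implicit_files", GENERIC_RE),  # constructed configuration
           Domain("ad.example.com", NEW_IPA_AD_RE, ["child.ad.example.com"])]
GROUP = "Exchange@Group@ad.example.com"  # constructed AD group name containing '@'
```

With the pre-patch check the generic regex of the files domain wins and the group name is truncated to "Group"; with the patched check that split is rejected and the AD regex returns the full "Exchange@Group".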
