[sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' #6720

Closed
sumit-bose opened this issue May 10, 2023 · 3 comments
@sumit-bose
Contributor

Description of problem

Trusted AD user information cannot be retrieved from IPA clients if trusted user name contains upper/mixed case characters and is configured with overrides.
IDM server is able to see the user running the same pkg release.

Operation returns:

(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_next] (0x0040): [RID#2] s2n exop request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_done] (0x0040): [RID#2] s2n get_fqlist request failed.

Version-Release number of selected component (if applicable)

sssd-2.7.3-4.el8_7.3.x86_64

How reproducible

Always

Steps to Reproduce

  1. Deploy a user in AD with uppercase/mixed chars name (e.g., Con81001)
  2. Configure an override for this user in IPA (sshPublicKey)
  3. Perform user lookup or authentication attempt

Actual results

id: ‘con81001@ad.example.com’: no such user

Expected results

uid=645601103(con81001@ad.example.com) gid=645601103(con81001@ad.example.com) groups=645601103(con81001@ad.example.com)

Additional info

Request from client fails with:

(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_step] (0x0400): [RID#2] Sending request_type: [REQ_FULL_WITH_MEMBERS] for object [con81001@ad.example.com].
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_send] (0x0400): [RID#2] Executing extended operation
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_send] (0x2000): [RID#2] ldap_extended_operation sent, msgid = 17
-- snip --
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [17][server: [172.20.90.211:389] IPA EXOP] took [207.742] milliseconds.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_exop_done] (0x0040): [RID#2] ldap_extended_operation result: No such object(32), (null).
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_op_destructor] (0x2000): [RID#2] Operation 17 finished
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_next] (0x0040): [RID#2] s2n exop request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [ipa_s2n_get_list_done] (0x0040): [RID#2] s2n get_fqlist request failed.
(2023-04-20 16:16:27): [be[ipa.example.com]] [sdap_id_op_done] (0x4000): [RID#2] releasing operation connection

sumit-bose self-assigned this May 10, 2023
sumit-bose added a commit to sumit-bose/sssd that referenced this issue May 10, 2023
When checking if the input group-name is the original name from AD or an
overwritten one the comparison is currently done case sensitive. Since
AD handles names case-insensitive and hence SSSD should do this as well
this comparison might cause issues.

The patch replaces the case sensitive comparison with a comparison which
respects the case_sensitive of the domain the object is coming from.

Resolves: SSSD#6720
pbrezina pushed a commit that referenced this issue May 15, 2023
Resolves: #6720

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
(cherry picked from commit 01d0279)
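
A sketch of the comparison change the commit message above describes, as an added example that is not SSSD's code. The struct and function names are hypothetical, the sample user is taken from the reproduction steps, and ASCII `strcasecmp` stands in for UTF-8 aware case folding.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified stand-ins; not SSSD's real structures. */
struct domain { const char *name; bool case_sensitive; };
struct object {
    const char *orig_name;      /* name as stored in AD */
    const char *override_name;  /* NULL if the override does not rename */
};

enum name_kind { NAME_UNKNOWN, NAME_ORIGINAL, NAME_OVERRIDE };

/* Compare two names the way the owning domain does. ASCII-only here;
 * a real implementation needs UTF-8 aware case folding. */
static bool name_equal(const struct domain *dom, const char *a, const char *b)
{
    return dom->case_sensitive ? strcmp(a, b) == 0 : strcasecmp(a, b) == 0;
}

/* Before: always case sensitive, regardless of the domain. */
enum name_kind classify_before(const struct object *o, const char *input)
{
    if (strcmp(input, o->orig_name) == 0) return NAME_ORIGINAL;
    if (o->override_name && strcmp(input, o->override_name) == 0) return NAME_OVERRIDE;
    return NAME_UNKNOWN;
}

/* After: the comparison follows the domain's case_sensitive setting. */
enum name_kind classify_after(const struct domain *dom, const struct object *o,
                              const char *input)
{
    if (name_equal(dom, input, o->orig_name)) return NAME_ORIGINAL;
    if (o->override_name && name_equal(dom, input, o->override_name)) return NAME_OVERRIDE;
    return NAME_UNKNOWN;
}

int main(void)
{
    /* Constructed sample: case-insensitive trusted AD domain, mixed-case user. */
    struct domain ad = { "ad.example.com", false };
    struct object user = { "Con81001", NULL };
    printf("before: %d\n", classify_before(&user, "con81001"));
    printf("after:  %d\n", classify_after(&ad, &user, "con81001"));
    return 0;
}
```
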
@pbrezina
Member

Pushed PR: #6721

  • master
    • 01d0279 - sysdb: fix string comparison when checking for overrides
  • sssd-2-9
    • d104c01 - sysdb: fix string comparison when checking for overrides

pbrezina added the "Closed: Fixed" label May 15, 2023
alexey-tikhonov pushed a commit to alexey-tikhonov/sssd that referenced this issue May 15, 2023
alexey-tikhonov pushed a commit that referenced this issue May 16, 2023
@alexey-tikhonov
Member

Pushed PR: #6732

  • sssd-2-8
    • 41f1901 - sysdb: fix string comparison when checking for overrides

etrunko pushed a commit to etrunko/sssd that referenced this issue Oct 11, 2023