
nss: fix getsidbyname for IPA user-private-groups #5608

Closed


sumit-bose
Contributor

Currently the getsidbyname request does not work properly for IPA users
due to the way IPA user-private-groups are handled by SSSD. With this
patch two different cases, the default automatic user-private-groups
where the group is a managed object and manual creation of a user and a
group with UID and GID so that the group is a user-private group, are
covered.

Resolves: #5607

:fixes: Fix getsidbyname issues with IPA users with a user-private-group

Contributor

@elkoniu elkoniu left a comment


Generally LGTM, just a few minor questions. Also I think the commit message needs to be simplified to better reflect what this is about. I have to go through the full BZ description to get it.
I think a use-case description, together with the possible if / else if / else variants and when they may happen, could be useful (user_sid == NULL + group_sid == NULL etc.).

Two resolved review threads on src/responder/nss/nss_protocol_sid.c.

elkoniu commented May 17, 2021

Use case from the source Bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1837090):

[root@master ~]# ipa user-add some-user
First name: Some
Last name: User
----------------------
Added user "some-user"
----------------------
  User login: some-user
  First name: Some
  Last name: User
  Full name: Some User
  Display name: Some User
  Initials: SU
  Home directory: /home/some-user
  GECOS: Some User
  Login shell: /bin/sh
  Principal name: some-user@IPA.TEST
  Principal alias: some-user@IPA.TEST
  Email address: some-user@ipa.test
  UID: 1908200011
  GID: 1908200011
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# id IPA\\some-user
uid=1908200011(some-user) gid=1908200011(some-user) groups=1908200011(some-user)

[root@master ~]# python
Python 3.8.2 (default, Feb 28 2020, 00:00:00) 
[GCC 10.0.1 20200216 (Red Hat 10.0.1-0.8)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-3787809381-104084847-3373960542-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\some-user')
{}

Result of this PR build deployed:

[vagrant@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ ipa user-add elmer2
First name: Elmer
Last name: Second
-------------------
Added user "elmer2"
-------------------
  User login: elmer2
  First name: Elmer
  Last name: Second
  Full name: Elmer Second
  Display name: Elmer Second
  Initials: ES
  Home directory: /home/elmer2
  GECOS: Elmer Second
  Login shell: /bin/sh
  Principal name: elmer2@IPA.VM
  Principal alias: elmer2@IPA.VM
  Email address: elmer2@ipa.vm
  UID: 356000006
  GID: 356000006
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[vagrant@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ id IPA\\elmer2
uid=356000006(elmer2) gid=356000006(elmer2) groups=356000006(elmer2)

[vagrant@master.ipa.vm /build/sssd/x86_64 (PR-5608 *%)]$ python
Python 3.7.9 (default, Aug 19 2020, 17:05:11) 
[GCC 9.3.1 20200408 (Red Hat 9.3.1-2)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getsidbyname('IPA\\admin')
{'IPA\\admin': {'sid': 'S-1-5-21-1923584740-778949710-2051978183-500', 'type': 1}}
>>> pysss_nss_idmap.getsidbyname('IPA\\elmer2')
{'IPA\\elmer2': {'sid': 'S-1-5-21-1923584740-778949710-2051978183-1006', 'type': 1}}

Currently the getsidbyname request does not work properly for IPA users
due to the way IPA user-private-groups are handled by SSSD. With this
patch two different cases are handled.

The first is about the default automatic user-private-groups
where the group is a managed object. In this case there will be a user
and a group object with the same name in the cache which will both be
found by the lookup by name. Since only the user object will have a SID
we can return this SID for the request.

The second case is the manual creation of a user and a group with UID
and GID so that the group is a user-private group. Here the user and
the group object will both get a different SID assigned since they are
independent objects. In this case, where both objects have a SID and the
UID and GID of the user and the GID of the group all have the same
numerical value, the SID of the user is returned.

Resolves: SSSD#5607

:fixes: Fix getsidbyname issues with IPA users with a user-private-group
@sumit-bose sumit-bose force-pushed the getsidbyname_multiple_results branch from 0adfd78 to f968767 Compare May 19, 2021 10:56
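The selection logic the updated commit message describes, as an added stand-alone C model: this is not the patch's code and does not use SSSD's sysdb or nss_protocol_sid.c types; struct cache_obj, select_sid() and demo_upg() are hypothetical names and the SIDs are constructed. Every combination other than the two described UPG cases is answered with NULL, which is this example's own choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of what a by-name cache lookup returns; these are not
 * SSSD's sysdb/ldb types and select_sid() is not the patch's own code. */
enum obj_type { OBJ_USER, OBJ_GROUP };
struct cache_obj {
    enum obj_type type;
    uint32_t uid;    /* users only */
    uint32_t gid;    /* the user's primary GID, or the group's GID */
    const char *sid; /* NULL when the cached object carries no SID */
};

/* Pick the SID to answer getsidbyname with, or NULL when there is no
 * unambiguous answer. Only the two UPG cases from the commit message are
 * accepted; NULL for everything else is this example's own choice. */
const char *select_sid(const struct cache_obj *res, size_t n)
{
    if (n == 1) return res[0].sid;   /* a plain user or group */
    if (n != 2) return NULL;
    const struct cache_obj *user = NULL, *group = NULL;
    for (size_t i = 0; i < 2; i++) {
        if (res[i].type == OBJ_USER) user = &res[i];
        else group = &res[i];
    }
    if (user == NULL || group == NULL) return NULL; /* two users or two groups */
    /* Case 1: automatic UPG, the managed group object has no SID. */
    if (user->sid != NULL && group->sid == NULL) return user->sid;
    /* Case 2: manually created UPG, both have SIDs; accept only when
     * UID == user's GID == group's GID and answer with the user's SID. */
    if (user->sid != NULL && group->sid != NULL &&
        user->uid == user->gid && user->gid == group->gid) return user->sid;
    return NULL;
}

/* The two scenarios from the commit message with constructed SIDs:
 * group_has_sid == 0 is the automatic UPG, != 0 the manually created one;
 * group_gid lets a caller check that a mismatching GID is rejected. */
const char *demo_upg(int group_has_sid, uint32_t group_gid)
{
    struct cache_obj res[] = {
        { OBJ_USER,  356000006, 356000006, "S-1-5-21-EXAMPLE-1006" },
        { OBJ_GROUP, 0, group_gid, group_has_sid ? "S-1-5-21-EXAMPLE-1007" : NULL },
    };
    return select_sid(res, 2);
}
```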
@sumit-bose
Contributor Author

Hi,

Thank you for your comments, I updated the commit message to make it (hopefully) clearer.

bye,
Sumit

Contributor

@elkoniu elkoniu left a comment


Thank you for the commit message update and the answers to my questions, LGTM.

@pbrezina pbrezina added the Ready to push label May 24, 2021
@pbrezina
Member

Pushed PR: #5608

  • master
    • 9cb8966 - nss: fix getsidbyname for IPA user-private-groups

Linked issue #5607: SSSD fails nss_getby_name for IPA user with SID if the user has user private group