The function sss_nss_getnamebysid (and its python binding of course too) does not work for main domains (it works for subdomains, so FreeIPA is not affected). If SSSD is configured directly against AD, this function is not usable. Reverse function sss_nss_getsidbyname works fine.
The reason is that the main domain does not have domain_id member set and function responder_get_domain_by_id() can not compare the domain portion of the SID with the main domain (dom->domain_id is NULL).
Reproducer:

1. Configure SSSD against AD
2. Call function sss_nss_getnamebysid() or its python binding with SID of existing user, for example using the script below
```python
#!/bin/env python2

import pysss_nss_idmap as nss

ad_username = 'user@addomain'

sid = nss.getsidbyname(ad_username)
# SID is properly returned
print sid

name = nss.getnamebysid(sid[ad_username]['sid'])
# name is not returned
print name
```
In logs you can see:
[sssd[nss]] [responder_get_domain_by_id] (0x0040): Unknown domain id [S-1-5-21-320631442-856505621-960413496-4728], checking for possible subdomains!
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.11
rhbz: => 0
owner: somebody => okos
status: new => assigned
I worked on this ticket, and after discussing with michal and jakub, I'm suggesting to defer this.
This happens only with sssd configured as
```
id_provider = ldap
ldap_schema = ad
```

when for LDAP the subdomains are not requested, so neither is the master SID. Therefore the SSSD doesn't see which domain should be connected to the SID lookup.

When id_provider is set to AD, the domain SID is fetched with subdomains discovery during startup and the lookup then works.
So, since this works all right with id_provider=AD, there's no need to rush the fix and we should decide what should be the correct way to fix this, whether to fetch the SID from LDAP with first query, or to create reduced subdomains-like code for ldap, which would handle only the master domains.
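A triage helper for the situation discussed in this ticket, as an added example that is not part of the ticket or of SSSD's code: it flags sssd.conf domains that combine id_provider = ldap with ldap_schema = ad, and pulls the SIDs out of responder_get_domain_by_id "Unknown domain id" log lines. The sample config is constructed, the log line is the one quoted in the ticket, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample sssd.conf (domain names are placeholders).
SAMPLE_CONF = """\
[domain/addomain]
id_provider = ldap
ldap_schema = ad

[domain/other]
id_provider = ad
"""

# The log line quoted in the ticket, plus one constructed unrelated line.
SAMPLE_LOG = (
    "[sssd[nss]] [responder_get_domain_by_id] (0x0040): Unknown domain id "
    "[S-1-5-21-320631442-856505621-960413496-4728], checking for possible subdomains!\n"
    "[sssd[nss]] (0x0400): constructed unrelated line\n"
)

UNKNOWN_ID = re.compile(
    r"\[responder_get_domain_by_id\] \(0x[0-9a-f]+\): "
    r"Unknown domain id \[(S-[\d-]+)\]"
)

def affected_domains(conf_text):
    """Domains configured with id_provider=ldap and ldap_schema=ad."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        provider = cp.get(section, "id_provider", fallback="").strip().lower()
        schema = cp.get(section, "ldap_schema", fallback="").strip().lower()
        if provider == "ldap" and schema == "ad":
            hits.append(section[len("domain/"):])
    return hits

def unresolved_sids(log_text):
    """(domain SID, RID) for each SID the NSS responder could not map."""
    found = []
    for match in UNKNOWN_ID.finditer(log_text):
        # A user SID is the domain SID followed by the relative ID (RID).
        domain_sid, _, rid = match.group(1).rpartition("-")
        found.append((domain_sid, int(rid)))
    return found
```

Run against a host's own sssd.conf and NSS responder log, a non-empty result from both functions matches the configuration and symptom described in this ticket.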
summary: sss_nss_getnamebysid does not work for main domains => sss_nss_getnamebysid does not work with id_provider=ldap and ldap_schema=ad
milestone: SSSD 1.11 => NEEDS_TRIAGE
milestone: NEEDS_TRIAGE => SSSD 1.13 beta
In the meantime, we just fix the docs in ticket #2035
mark: => 0
priority: major => trivial
sensitive: => 0
This would work if the SID is set manually.
resolution: => invalid
status: assigned => closed

Metadata Update from @mzidek:
- Issue assigned to okos
- Issue set to the milestone: SSSD 1.14 beta
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3061
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.