On Thu, Mar 09, 2017 at 11:32:35AM +0200, Alexander Bokovoy wrote: > On to, 09 maalis 2017, Jakub Hrozek wrote: > > On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote: > > > Hola, > > > > > > On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd > > > (via COPR) 1.15.1, which has a one way trust to an AD domain. > > > unix.name.org > > > -> name.org > > > > > > I've seen some interesting behaviour. > > > > > > Being part of a large organisation with a smaller nix environment and a > > > larger Windows environment we see all the best of odd AD management > > > behaviour (eg spaces in usernames...). > > > > > > Turns out some of the groups in AD have an @ symbol in them. > > > > > > The behavioural difference we see is: given userA in group "name @ of > > > group" that on the FreeIPA server: > > > > > > [r...@vmpr-freeipa.unix.name.org ~]# id us...@name.org > > > > > > works as expected. > > > > > > But on a client > > > > > > [r...@vmpr-linuxclient1.unix.name.org ~]# id us...@name.org > > > > > > returns nothing. > > > > Yes, it is a know issue: > > https://pagure.io/SSSD/sssd/issue/3219 > > > > There were some users who reported this works better with a modified > > re_expression: > > re_expression = ((?P<name>.+)@(?P<domain>[^@]+$)) > > but I agree we should fix this by default. However, the fix must be done > > at both the SSSD level and the IPA extdom plugin, which also searches > > for the @-sign in the user and group names. > Luckily, a change for extdom plugin seem to be straightforward -- search > for the *last* occurence of the domain separator, not the first one. We > had a similar issue with nfs idmapd code too.
Yes, the most tricky part would be testing, to make sure the new regular expression doesn't break anything. I used the one I showed to unblock some RHEL customers that were complaining and were a bit stuck, but I didn't have enough time to run all our available tests with it, that's why we didn't switch by default.. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project