On Thu, Feb 01, 2018 at 01:03:24PM -0800, Richard Sharpe wrote: > Hi folks, > > We have a customer who seems to do what RHEL does with respects users > and groups. > > That is: > > 1. User A has a SID of S-1-5-21-x-y-z-1234 > 2. They also have a primary group SID of S-1-5-21-x-y-x-1235 (usually > adjacent). > 3. They are also using RFC2703bis and they have the UID property set > to 21234 and the GID property set to 21234. > > Now, when the Samba idmap_sss.c calls sss_nss_getsidbyid looking for > the SID associated with the GID it often gets back the SID associated > with the UID, probably because we just asked for the SID associated > with the UID. > > Is there a different function I can call to get both/all? I looked at > the code for sss_nss_getsidbyid and it just calls sss_nss_getyyybyxxx > and that function seems to only hand back the first SID returned.
I'm sorry, I have to admit that this kind of setup didn't came to my mind when writing those calls. But yes, users and group are coming from different name spaces on the POSIX side and should be handled separately. Currently you can only do workarounds. E.g. if the group name differs from the user name you call getpwuid() and getgrgid() first and then sss_nss_getsidbyname(). But this would only work if the use names based on the samAccountName attribute from AD because iirc AD enforces uniqueness here. If they use a different attribute for the group names this might not work. As an alternative, but even more complicated you can make the SID available via D-Bus/InfoPipe and then lookup user and group by ID. So it looks like sss_nss_getsidbyuid() and sss_nss_getsidbygid() should be added to the interface. Would you mind to open a ticket about this on https://pagure.io/SSSD/sssd/new_issue or do you prefer me doing this? > > Also, as an aside, it seems like a bad decision to place fixed CERTs > in the repos because if you need to rebuild the package after the CERT > expires you are SOL. Yes, makeshift solutions have a long life. I already have a ticket to generate fresh certificates for each test run https://pagure.io/SSSD/sssd/issue/3436. But only two tests should be hit by the issue. So, in the worst case they can be disabled: +diff --git a/Makefile.am b/Makefile.am +index 5635a8c8fd681c4a17d003487e9ea440ab431407..c230d5e69320206778637ee3d30bedf9fe2e000a 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -273,11 +273,9 @@ if HAVE_CMOCKA + responder_cache_req-tests \ + test_sbus_opath \ + test_fo_srv \ +- pam-srv-tests \ + test_ipa_subdom_util \ + test_tools_colondb \ + test_krb5_wait_queue \ +- test_cert_utils \ + test_ldap_id_cleanup \ + test_data_provider_be \ + test_dp_request_table \ HTH bye, Sumit > > -- > Regards, > Richard Sharpe > (何以解憂？唯有杜康。--曹操) > _______________________________________________ > sssd-devel mailing list -- email@example.com > To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org _______________________________________________ sssd-devel mailing list -- firstname.lastname@example.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org