On Thu, Feb 01, 2018 at 01:03:24PM -0800, Richard Sharpe wrote:
> Hi folks,
> We have a customer who seems to do what RHEL does with respects users
> and groups.
> That is:
> 1. User A has a SID of S-1-5-21-x-y-z-1234
> 2. They also have a primary group SID of S-1-5-21-x-y-x-1235 (usually 
> adjacent).
> 3. They are also using RFC2703bis and they have the UID property set
> to 21234 and the GID property set to 21234.
> Now, when the Samba idmap_sss.c calls sss_nss_getsidbyid looking for
> the SID associated with the GID it often gets back the SID associated
> with the UID, probably because we just asked for the SID associated
> with the UID.
> Is there a different function I can call to get both/all? I looked at
> the code for sss_nss_getsidbyid and it just calls sss_nss_getyyybyxxx
> and that function seems to only hand back the first SID returned.

I'm sorry, I have to admit that this kind of setup didn't came to my
mind when writing those calls. But yes, users and group are coming from
different name spaces on the POSIX side and should be handled

Currently you can only do workarounds. E.g. if the group name differs
from the user name you call getpwuid() and getgrgid() first and then
sss_nss_getsidbyname(). But this would only work if the use names based
on the samAccountName attribute from AD because iirc AD enforces
uniqueness here. If they use a different attribute for the group names
this might not work.

As an alternative, but even more complicated you can make the SID
available via D-Bus/InfoPipe and then lookup user and group by ID.

So it looks like sss_nss_getsidbyuid() and sss_nss_getsidbygid() should
be added to the interface. Would you mind to open a ticket about this on
https://pagure.io/SSSD/sssd/new_issue or do you prefer me doing this?

> Also, as an aside, it seems like a bad decision to place fixed CERTs
> in the repos because if you need to rebuild the package after the CERT
> expires you are SOL.

Yes, makeshift solutions have a long life. I already have a ticket to
generate fresh certificates for each test run
https://pagure.io/SSSD/sssd/issue/3436. But only two tests should be hit
by the issue. So, in the worst case they can be disabled:

+diff --git a/Makefile.am b/Makefile.am
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -273,11 +273,9 @@ if HAVE_CMOCKA
+         responder_cache_req-tests \
+         test_sbus_opath \
+         test_fo_srv \
+-        pam-srv-tests \
+         test_ipa_subdom_util \
+         test_tools_colondb \
+         test_krb5_wait_queue \
+-        test_cert_utils \
+         test_ldap_id_cleanup \
+         test_data_provider_be \
+         test_dp_request_table \



> -- 
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
> _______________________________________________
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to