AD provider uses wrong user attribute? - sssd-users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

AD provider uses wrong user attribute?

SSSD with id_provider ldap and...

RE: sssd access to server with...

Ondrej Valousek

Friday, 1 November 2013 Fri, 1 Nov '13

4:36 a.m.

Hi List, Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). Is this intentional or a bug? Thanks, Ondrej

Attachments:

attachment.html (text/html — 538 bytes)

Reply

Show replies by date

Jakub Hrozek

Friday, 1 November Fri, 1 Nov

4:52 a.m.

On Fri, Nov 01, 2013 at 09:36:05AM +0000, Ondrej Valousek wrote:

Hi List, Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). Is this intentional or a bug? Thanks, Ondrej

Intentional, is UID guaranteed to be there in all setups even if RFC2307 attributes are not present on the AD side?

Reply

Ondrej Valousek

5 a.m.

Yes it is guaranteed to be there (or we can safely assume so) if we use Ldap_id_mapping = False -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: Friday, November 01, 2013 10:52 AM To: sssd-users(a)lists.fedorahosted.org Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On Fri, Nov 01, 2013 at 09:36:05AM +0000, Ondrej Valousek wrote:

Hi List, Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). Is this intentional or a bug? Thanks, Ondrej

Intentional, is UID guaranteed to be there in all setups even if RFC2307 attributes are not present on the AD side? _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply

Rowland Penny

5:13 a.m.

On 01/11/13 10:00, Ondrej Valousek wrote:

Yes it is guaranteed to be there (or we can safely assume so) if we use Ldap_id_mapping = False -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: Friday, November 01, 2013 10:52 AM To: sssd-users(a)lists.fedorahosted.org Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On Fri, Nov 01, 2013 at 09:36:05AM +0000, Ondrej Valousek wrote: > Hi List, > > Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). > Is this intentional or a bug? > > Thanks, > Ondrej Intentional, is UID guaranteed to be there in all setups even if RFC2307 attributes are not present on the AD side? _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

I wouldn't like to bet on 'uid' being there on Samba4 AD if the user is created with samba-tool, 'uid' is an optional attribute. Rowland

Reply

Ondrej Valousek

6:21 a.m.

In ADUC, if you tick on User "Unix attributes" and populate it, uid is automatically set on. Not sure if Samba even populates RFC attributes - guess you need to use ldap_id_mapping=true w/ Samba. Ondrej -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Rowland Penny Sent: Friday, November 01, 2013 11:13 AM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On 01/11/13 10:00, Ondrej Valousek wrote:

Yes it is guaranteed to be there (or we can safely assume so) if we use Ldap_id_mapping = False -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: Friday, November 01, 2013 10:52 AM To: sssd-users(a)lists.fedorahosted.org Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On Fri, Nov 01, 2013 at 09:36:05AM +0000, Ondrej Valousek wrote: > Hi List, > > Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). > Is this intentional or a bug? > > Thanks, > Ondrej Intentional, is UID guaranteed to be there in all setups even if RFC2307 attributes are not present on the AD side? _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

I wouldn't like to bet on 'uid' being there on Samba4 AD if the user is created with samba-tool, 'uid' is an optional attribute. Rowland _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply

Rowland Penny

7:09 a.m.

On 01/11/13 11:21, Ondrej Valousek wrote:

In ADUC, if you tick on User "Unix attributes" and populate it, uid is automatically set on. Not sure if Samba even populates RFC attributes - guess you need to use ldap_id_mapping=true w/ Samba. Ondrej -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Rowland Penny Sent: Friday, November 01, 2013 11:13 AM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On 01/11/13 10:00, Ondrej Valousek wrote: > Yes it is guaranteed to be there (or we can safely assume so) if we > use Ldap_id_mapping = False > > > -----Original Message----- > From: sssd-users-bounces(a)lists.fedorahosted.org > [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub > Hrozek > Sent: Friday, November 01, 2013 10:52 AM > To: sssd-users(a)lists.fedorahosted.org > Subject: Re: [SSSD-users] AD provider uses wrong user attribute? > > On Fri, Nov 01, 2013 at 09:36:05AM +0000, Ondrej Valousek wrote: >> Hi List, >> >> Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). >> Is this intentional or a bug? >> >> Thanks, >> Ondrej > Intentional, is UID guaranteed to be there in all setups even if RFC2307 attributes are not present on the AD side? > _______________________________________________ > sssd-users mailing list > sssd-users(a)lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-users > _______________________________________________ > sssd-users mailing list > sssd-users(a)lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-users I wouldn't like to bet on 'uid' being there on Samba4 AD if the user is created with samba-tool, 'uid' is an optional attribute. Rowland _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

With samba-tool you have to add the RFC2307 attributes separately and even then it does not work just like ADUC, for instance, samba4 does not have ' msSFU30MaxUidNumber' or 'msSFU30MaxGidNumber' attributes and samba-tool adds the posixAccount & posixGroup objectClasses that ADUC doesn't. Rowland

Reply

Ondrej Valousek

7:40 a.m.

Understood, but it is not important. Both directories (AD & Samba) do know about the uid attribute & RFC3207 dictates its usage so: 1. If samba-tool does not populate it, then it is a bug in Samba which should be fixed 2. If sssd does not honor this attribute when running in RFC2307 compatibility mode, then it is a bug and should be fixed as well Ondrej -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Rowland Penny Sent: Friday, November 01, 2013 1:09 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On 01/11/13 11:21, Ondrej Valousek wrote:

In ADUC, if you tick on User "Unix attributes" and populate it, uid is automatically set on. Not sure if Samba even populates RFC attributes - guess you need to use ldap_id_mapping=true w/ Samba. Ondrej -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Rowland Penny Sent: Friday, November 01, 2013 11:13 AM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On 01/11/13 10:00, Ondrej Valousek wrote: > Yes it is guaranteed to be there (or we can safely assume so) if we > use Ldap_id_mapping = False > > > -----Original Message----- > From: sssd-users-bounces(a)lists.fedorahosted.org > [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub > Hrozek > Sent: Friday, November 01, 2013 10:52 AM > To: sssd-users(a)lists.fedorahosted.org > Subject: Re: [SSSD-users] AD provider uses wrong user attribute? > > On Fri, Nov 01, 2013 at 09:36:05AM +0000, Ondrej Valousek wrote: >> Hi List, >> >> Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). >> Is this intentional or a bug? >> >> Thanks, >> Ondrej > Intentional, is UID guaranteed to be there in all setups even if RFC2307 attributes are not present on the AD side? > _______________________________________________ > sssd-users mailing list > sssd-users(a)lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-users > _______________________________________________ > sssd-users mailing list > sssd-users(a)lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-users I wouldn't like to bet on 'uid' being there on Samba4 AD if the user is created with samba-tool, 'uid' is an optional attribute. Rowland _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

With samba-tool you have to add the RFC2307 attributes separately and even then it does not work just like ADUC, for instance, samba4 does not have ' msSFU30MaxUidNumber' or 'msSFU30MaxGidNumber' attributes and samba-tool adds the posixAccount & posixGroup objectClasses that ADUC doesn't. Rowland _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply

Michael Ströder

9:32 a.m.

Ondrej Valousek wrote:

Both directories (AD & Samba) do know about the uid attribute & RFC3207 dictates its usage so:

Most AD deployments of my customers have empty 'uid' attribute. Changing this in enterprises with hundreds of domain controllers is a large change involving discussion in various management boards. => use sAMAccountName as default with AD provider is recommended. Ciao, Michael.

Reply

Ondrej Valousek

10:13 a.m.

Right, are you using RCF2307 at all then? If yes, how did they populate those attributes? AFAIK most admins do not know/care about RFC2307 so they leave sssd to do its mapping... O. ________________________________________ From: sssd-users-bounces(a)lists.fedorahosted.org [sssd-users-bounces(a)lists.fedorahosted.org] on behalf of Michael Ströder [michael(a)stroeder.com] Sent: Friday, November 01, 2013 3:32 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute? Ondrej Valousek wrote:

Both directories (AD & Samba) do know about the uid attribute & RFC3207 dictates its usage so:

Most AD deployments of my customers have empty 'uid' attribute. Changing this in enterprises with hundreds of domain controllers is a large change involving discussion in various management boards. => use sAMAccountName as default with AD provider is recommended. Ciao, Michael.

Reply

Jakub Hrozek

7:44 a.m.

On Fri, Nov 01, 2013 at 11:21:10AM +0000, Ondrej Valousek wrote:

In ADUC, if you tick on User "Unix attributes" and populate it, uid is automatically set on. Not sure if Samba even populates RFC attributes - guess you need to use ldap_id_mapping=true w/ Samba. Ondrej

But using UNIX attributes is optional with the AD provider, the AD provider must work well with defaults. I think you can override the attribute with ldap_user_name config option instead.

Reply

Ondrej Valousek

7:51 a.m.

But the whole set of the RFC2307 attributes in AD are optional, right? What I am saying is, that IF an administrator decides to make an use of those, we should honore the whole set, nut just a few of these. Another use case: In AD you can not have a user and group with the same name (i.e. sAMAccountname). In Unix you can. If sssd honored uid by default, you could workaround this AD restriction by manually specifying uid (ADUC sets it to sAMAcountname value) Ondrej -----Original Message----- From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: Friday, November 01, 2013 1:45 PM To: sssd-users(a)lists.fedorahosted.org Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On Fri, Nov 01, 2013 at 11:21:10AM +0000, Ondrej Valousek wrote:

In ADUC, if you tick on User "Unix attributes" and populate it, uid is automatically set on. Not sure if Samba even populates RFC attributes - guess you need to use ldap_id_mapping=true w/ Samba. Ondrej

But using UNIX attributes is optional with the AD provider, the AD provider must work well with defaults. I think you can override the attribute with ldap_user_name config option instead. _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply

3826

days inactive

3826

days old

sssd-users@lists.fedorahosted.org

Manage subscription

10 comments

4 participants

tags (0)

participants (4)

Jakub Hrozek
Michael Ströder
Ondrej Valousek
Rowland Penny