Red Hat Enterprise Linux Server release 7.3
ipa-server-4.4.0-14.el7_3.4.x86_64
389-ds-base-1.3.5.10-15.el7_3.x86_64
sssd-1.14.0-43.el7_3.11.x86_64
When looking at entries in the "cn=groups,cn=compat" tree, I noticed that the entries for Windows groups have the realm portion of the group name in all caps. This is true for the comment, the dn and the cn. Example:

# domain users@WIN.MYDOMAIN.COM, groups, compat, ipa.mydomain.com
dn: cn=domain users@WIN.MYDOMAIN.COM,cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com
memberUid: 123456@win.mydomain.com
cn: domain users@WIN.MYDOMAIN.COM
When I look at the entries in the "cn=users,cn=compat" tree, the realm portion of the user name is all lower case. Incidentally, these same user names are also all lowercase in the "memberUid" attribute on the groups above. Example:

# 123456@win.mydomain.com, users, compat, ipa.mydomain.com
dn: uid=123456@win.mydomain.com,cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
homeDirectory: /home/win.mydomain.com/123456
uid: 123456@win.mydomain.com
Was this by design?
The reason I ask is that when I try to use the "kinit" feature on our Solaris 10 systems (which are joined to the IPA domain) for this Windows user, I get an error.
[~]$ kinit
Password for 123456@win.mydomain.com:
kinit(v5): KDC reply did not match expectations while getting initial credentials
If I run it like this:

[~]$ kinit 123456@WIN.MYDOMAIN.COM
Password for 123456@WIN.MYDOMAIN.COM:
[~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1683378846
Default principal: 123456@WIN.MYDOMAIN.COM

Valid starting       Expires              Service principal
05/30/17 11:44:35    05/30/17 21:44:40    krbtgt/WIN.MYDOMAIN.COM@WIN.MYDOMAIN.COM
        renew until 06/06/17 11:44:35
I believe this is due to the fact that the Solaris 10 system is using the lowercase entry in the compat tree above. Here is the result of the id command on this user:

[~]$ id
uid=1683378846(123456@win.mydomain.com) gid=1683378846(123456@WIN.MYDOMAIN.COM)
I know this is a workaround, but I would prefer to make this easier on the end users. Any suggestions?
Robert Johnson
On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
Red Hat Enterprise Linux Server release 7.3
ipa-server-4.4.0-14.el7_3.4.x86_64
389-ds-base-1.3.5.10-15.el7_3.x86_64
sssd-1.14.0-43.el7_3.11.x86_64
When looking at entries in the "cn=groups,cn=compat" tree, I noticed that the entries for Windows groups have the realm portion of the group name in all caps. This is true for the comment, the dn and the cn. Example:

# domain users@WIN.MYDOMAIN.COM, groups, compat, ipa.mydomain.com
dn: cn=domain users@WIN.MYDOMAIN.COM,cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com
memberUid: 123456@win.mydomain.com
cn: domain users@WIN.MYDOMAIN.COM
When I look at the entries in the "cn=users,cn=compat" tree, the realm portion of the user name is all lower case. Incidentally, these same user names are also all lowercase in the "memberUid" attribute on the groups above. Example:

# 123456@win.mydomain.com, users, compat, ipa.mydomain.com
dn: uid=123456@win.mydomain.com,cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
homeDirectory: /home/win.mydomain.com/123456
uid: 123456@win.mydomain.com
Was this by design?
Users and groups for AD users are inserted into the compat tree on demand, when a request mentioning them comes in via an LDAP query. The name is taken from the LDAP query.
So it is your application(s) that are asking for fully qualified user/group names with the domain part capitalized.
The reason I ask is that when I try to use the "kinit" feature on our Solaris 10 systems (which are joined to the IPA domain) for this Windows user, I get an error.
[~]$ kinit
Password for 123456@win.mydomain.com:
kinit(v5): KDC reply did not match expectations while getting initial credentials
If I run it like this:

[~]$ kinit 123456@WIN.MYDOMAIN.COM
Password for 123456@WIN.MYDOMAIN.COM:
[~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1683378846
Default principal: 123456@WIN.MYDOMAIN.COM

Valid starting       Expires              Service principal
05/30/17 11:44:35    05/30/17 21:44:40    krbtgt/WIN.MYDOMAIN.COM@WIN.MYDOMAIN.COM
        renew until 06/06/17 11:44:35
I believe this is due to the fact that the Solaris 10 system is using the lowercase entry in the compat tree above. Here is the result of the id command on this user:

[~]$ id
uid=1683378846(123456@win.mydomain.com) gid=1683378846(123456@WIN.MYDOMAIN.COM)
I know this is a workaround, but I would prefer to make this easier on the end users. Any suggestions?
You mix up Kerberos principals and user identities. They are different. In the Kerberos protocol the realm is case-sensitive. WIN.MYDOMAIN.COM is not the same realm as win.mydomain.com. On the Active Directory side this is hidden behind the Windows UI facade, but on UNIX systems the Kerberos libraries aren't hiding this fact.
That's why you get the "KDC reply did not match expectations .." error message -- the realm name is used as part of the Kerberos exchange and it is expected to be all upper case.
On the identity front, you have probably configured your Solaris systems to look up identities with an upper-cased FQDN, and the compat tree plugin inserts those as they are. I certainly don't see this behavior with other systems.
So I took a brand new user that I have never used in the system before (I checked that the entry was not in the compat tree) and just ran an "id" command on the Solaris system. I then looked in the /var/log/dirsrv/slapd-<ipa domain>/access log file on the IPA server for the query, and from the log file, the query came in as all caps.
Example:

[~]$: id 831413@WIN.MYDOMIN.COM

[~]$: cat /var/log/dirsrv/slapd-<ipa domain>/access | grep 831413
[30/May/2017:13:34:38.637498942 -0400] conn=94124 op=622 SRCH base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=831413@WIN.MYDOMIN.COM))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[30/May/2017:13:34:38.651811322 -0400] conn=94124 op=622 RESULT err=0 tag=101 nentries=1 etime=0
However, the entry in the compat tree is all lowercase, just like I reported. I can reproduce this easily.
Robert Johnson
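The access-log check Robert describes above (grep for one user) generalizes to listing every compat-tree lookup whose domain part is not in SSSD's lower-cased form, so an admin can see which connections are the ones asking with a capitalized domain. This is an added example, not code from the thread, FreeIPA or 389-ds; the log format is the SRCH/RESULT line shape quoted above, and all but the first sample line are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the first SRCH line is the one quoted in the thread, the rest
# are made up in the same shape (conn/op numbers and timestamps are invented).
SAMPLE_ACCESS_LOG = """\
[30/May/2017:13:34:38.637498942 -0400] conn=94124 op=622 SRCH base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=831413@WIN.MYDOMIN.COM))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[30/May/2017:13:34:38.651811322 -0400] conn=94124 op=622 RESULT err=0 tag=101 nentries=1 etime=0
[30/May/2017:13:35:02.100000000 -0400] conn=94130 op=5 SRCH base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=123456@win.mydomain.com))" attrs="cn uid"
[30/May/2017:13:35:03.000000000 -0400] conn=94131 op=7 SRCH base="cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1 filter="(&(objectClass=posixGroup)(cn=domain users@WIN.MYDOMAIN.COM))" attrs="cn gidNumber memberUid"
[30/May/2017:13:35:04.000000000 -0400] conn=94132 op=2 SRCH base="cn=accounts,dc=ipa,dc=mydomain,dc=com" scope=2 filter="(uid=alice)" attrs="ALL"
"""

# One 389-ds access-log SRCH record: timestamp, connection, operation, base and filter.
SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=\d+ filter="(?P<filter>.*?)" attrs='
)
# A fully qualified name asserted on uid= (users) or cn= (groups): name@domain.
FQN_RE = re.compile(r'\((?P<attr>uid|cn)=(?P<name>[^@()]+)@(?P<domain>[^()]+)\)')


@dataclass
class CompatLookup:
    conn: str
    op: str
    attr: str
    name: str
    domain: str

    @property
    def domain_is_normalized(self) -> bool:
        # SSSD stores the domain part lower-cased; anything else came from a
        # client that asked with a capitalized or mixed-case domain.
        return self.domain == self.domain.lower()


def parse_compat_lookups(log_text: str) -> List[CompatLookup]:
    """Every SRCH against the compat tree that names a user@domain or group@domain."""
    found: List[CompatLookup] = []
    for line in log_text.splitlines():
        m = SRCH_RE.match(line)
        if not m or ",cn=compat," not in m.group("base"):
            continue
        for f in FQN_RE.finditer(m.group("filter")):
            found.append(CompatLookup(m.group("conn"), m.group("op"),
                                      f.group("attr"), f.group("name"), f.group("domain")))
    return found


def non_normalized_lookups(log_text: str) -> List[CompatLookup]:
    """The subset whose domain part is not in SSSD's lower-cased form."""
    return [lk for lk in parse_compat_lookups(log_text) if not lk.domain_is_normalized]


if __name__ == "__main__":
    for lk in non_normalized_lookups(SAMPLE_ACCESS_LOG):
        print(f"conn={lk.conn} op={lk.op} {lk.attr}={lk.name}@{lk.domain}")
```

The conn number ties each offending query back to the CONNECT line for that client in the same access log.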
On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
So I took a brand new user that I have never used in the system before (I checked that the entry was not in the compat tree) and just ran an "id" command on the Solaris system. I then looked in the /var/log/dirsrv/slapd-<ipa domain>/access log file on the IPA server for the query, and from the log file, the query came in as all caps.
Example:

[~]$: id 831413@WIN.MYDOMIN.COM

[~]$: cat /var/log/dirsrv/slapd-<ipa domain>/access | grep 831413
[30/May/2017:13:34:38.637498942 -0400] conn=94124 op=622 SRCH base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=831413@WIN.MYDOMIN.COM))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[30/May/2017:13:34:38.651811322 -0400] conn=94124 op=622 RESULT err=0 tag=101 nentries=1 etime=0
However, the entry in the compat tree is all lowercase, just like I reported. I can reproduce this easily.
The memberUid value comes from an SSSD lookup. SSSD normalizes all names to lower case.
For group names, I'm not sure they are normalized, though.
-- / Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Is there an option in SSSD or the plugin to turn off the normalization?
On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
Is there an option in SSSD or the plugin to turn off the normalization?
No. But as I said, you are not supposed to use an all-capital FQDN. You need to use your user/group name as it is.
id user@ad.realm
kinit user@AD.REALM
are two different names -- the former is a user name in POSIX; it is case-sensitive to the operating system but case-insensitive in LDAP. The latter is a Kerberos principal, which is case-sensitive to the Kerberos KDC.
In LDAP the 'uid' attribute is compared case-sensitively, the 'cn' attribute case-insensitively. For 'uid' we add a secondary value from SSSD (normalized) if it differs from the original in the request, because case-normalized searches wouldn't work otherwise. For 'cn' we don't change anything, because the 'cn' comparison syntax in LDAP is case-insensitive.
-- / Alexander Bokovoy
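The distinction Alexander draws above between `id user@ad.realm` and `kinit user@AD.REALM`, the uid/cn matching rule he describes, and the kinit failure Robert reported at the top of the thread, modelled as a small Python helper. This is an added example, not code from SSSD, FreeIPA or the thread; the function names, the realm-comparison check and the secondary-uid rule are my reading of what the thread states, not the plugin's actual implementation.

```python
from typing import List, Tuple


def split_fqn(fqn: str) -> Tuple[str, str]:
    """Split 'name@domain' into (name, domain); reject names that are not fully qualified."""
    name, sep, domain = fqn.rpartition("@")
    if not sep or not name or not domain:
        raise ValueError(f"not a fully qualified name: {fqn!r}")
    return name, domain


def posix_identity(fqn: str) -> str:
    """The POSIX identity SSSD stores: the whole name lower-cased (what `id` prints)."""
    name, domain = split_fqn(fqn)
    return f"{name.lower()}@{domain.lower()}"


def kerberos_principal(fqn: str) -> str:
    """The principal to hand to kinit: user part kept as typed, realm upper-cased."""
    name, domain = split_fqn(fqn)
    return f"{name}@{domain.upper()}"


def realm_matches(principal: str, kdc_realm: str) -> bool:
    """Kerberos compares realm names exactly (case-sensitive), so a principal typed with
    a lower-cased realm does not belong to a KDC whose realm is WIN.MYDOMAIN.COM."""
    return split_fqn(principal)[1] == kdc_realm


def compat_uid_values(requested: str) -> List[str]:
    """Model of the rule described in the thread: 'uid' keeps the value as requested and
    gains a second, SSSD-normalized value only when that differs (assumption, not IPA code)."""
    normalized = posix_identity(requested)
    return [requested] if requested == normalized else [requested, normalized]


def ldap_matches(attr: str, stored: List[str], asserted: str) -> bool:
    """'uid' is compared case-sensitively, 'cn' case-insensitively, as stated in the thread."""
    if attr == "uid":
        return asserted in stored
    if attr == "cn":
        return asserted.lower() in (v.lower() for v in stored)
    raise ValueError(f"unsupported attribute {attr!r}")


if __name__ == "__main__":
    typed = "123456@win.mydomain.com"          # what `id` shows on the Solaris box
    print("kinit", kerberos_principal(typed))  # the form kinit needs
    print("realm ok as typed:", realm_matches(typed, "WIN.MYDOMAIN.COM"))
```

A login wrapper that derives the kinit principal from the `id` output with `kerberos_principal()` would spare users the manual upper-casing without touching the normalization in SSSD.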
On Tue, May 30, 2017 at 09:27:05PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
The memberUid value comes from an SSSD lookup. SSSD normalizes all names to lower case.
For group names, I'm not sure they are normalized, though.
With id_provider=ad (which is what is running under the hood of the sssd-on-idm-masters) everything should be normalized, and there shouldn't even be an option to turn the normalization off.