On Fri, Jun 26, 2015 at 09:12:53PM -0400, Dmitri Pal wrote:
> On 05/18/2015 06:16 AM, Andy Thompson wrote:
> >>-----Original Message-----
> >>From: Jakub Hrozek [mailto:[email protected]]
> >>Sent: Monday, May 18, 2015 4:07 AM
> >>To: Andy Thompson
> >>Cc: [email protected]
> >>Subject: Re: [Freeipa-users] username case sensitivity
> >>
> >>On Sun, May 17, 2015 at 10:26:45PM +0000, Andy Thompson wrote:
> >>>>-----Original Message-----
> >>>>From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Jakub Hrozek
> >>>>Sent: Sunday, May 17, 2015 5:23 PM
> >>>>To: [email protected]
> >>>>Subject: Re: [Freeipa-users] username case sensitivity
> >>>>
> >>>>On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> >>>>>On (15/05/15 17:27), Andy Thompson wrote:
> >>>>>>Is there a way to enforce case sensitivity for trusted AD users?
> >>>>>>I am trying to use username for ssh chroots and I can authenticate
> >>>>>>with any case combination of <UsERname> but if ssh is set to match
> >>>>>>on <username> then the chroot is not enforced and the user is
> >>>>>>dropped to their usual home directory. I found a case_sensitive
> >>>>>>option for sssd but it does not seem to have any effect.
> >>>>>>Running RHEL6.6 clients.
> >>>>>
> >>>>>IPA domain is by default case sensitive.
> >>>>>So you will not change anything if you put "case_sensitive = true"
> >>>>>into domain section of sssd.conf.
> >>>>>
> >>>>>But SSSD will create subdomains for each AD domain. It is
> >>>>>different id_provider therefore different default values are used
> >>>>>for subdomains and for AD provider it is case *insensitive* by default.
> >>>>>
> >>>>>Currently there's no way to change it for subdomains (AD
> >>>>>trusted domains)
> >>>>>
> >>>>What are you using for the SSH matching?
> >>>>The way the case insensitiveness is implemented in SSSD is that
> >>>>all usernames are forcibly lowercased on output, so as long as SSH
> >>>>uses the standard NSS calls, you should be good with using the
> >>>>lowercase usernames.
> >>>>
> >>>They were initially all in lower case and working when I tested and
> >>>finalized the setup. I passed the credentials off and they used mixed
> >>>case and the match stopped working.
> >>
> >>What is "they"? I guess not SSSD but grabbing the data directly from LDAP?
> >The match clauses in the sshd config were set to use lower case names. It
> >is using sssd, just a regular ipa client installation. If I logged in using
> >USERName instead of username, the match clause did not work.
> >
> >-andy
> >
> Do we have any follow up on this thread? Have we closed the loop and filed a
> ticket?
> I had a couple of complaints of a similar matter during Red Hat Summit.
> It seems that this is one of the emerging issues for the trust environments.

I wonder if it's still an issue with 1.12.x and the Kerberos plugin Sumit wrote.

Do we have a way to track these requests?

Andy, if you have some test machines, could you give 6.7 a try?
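
The mismatch reported in this thread, as an added example that is not part of the original messages or of the SSSD or OpenSSH code: a Python audit helper that parses `Match User` blocks from an sshd_config and lists the restrictions a login would skip when the typed name differs only in case from the lowercased account. It assumes, as the thread reports, that the Match comparison is case-sensitive on the name as typed while the account resolves in lowercase; the sample config and the names `jdoe` and `admin*` are constructed.

```python
import fnmatch
import shlex

# Constructed sample sshd_config (not from the thread); "jdoe" is a hypothetical AD user.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match User jdoe
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
Match User admin*,!adminsvc
    X11Forwarding no
"""

def match_user_blocks(config_text):
    """Return [(patterns, {keyword: value})] for every 'Match ... User ...' block."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        words = shlex.split(raw, comments=True)   # drops '#' comments
        if not words:
            continue
        if words[0].lower() == "match":
            current = None                        # a new Match ends the previous block
            criteria = {k.lower(): v for k, v in zip(words[1::2], words[2::2])}
            if "user" in criteria:
                current = (criteria["user"].split(","), {})
                blocks.append(current)
        elif current is not None:
            current[1][words[0].lower()] = " ".join(words[1:])
    return blocks

def pattern_list_matches(name, patterns):
    """Case-sensitive pattern list: '*' and '?' wildcards, a matching '!' entry vetoes.
    fnmatchcase also accepts '[...]' classes, which is an approximation here."""
    hit = False
    for pat in patterns:
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(name, pat[1:] if negated else pat):
            if negated:
                return False
            hit = True
    return hit

def skipped_restrictions(typed_name, config_text):
    """Blocks that cover the lowercased account but not the name as typed."""
    return [opts for pats, opts in match_user_blocks(config_text)
            if pattern_list_matches(typed_name.lower(), pats)
            and not pattern_list_matches(typed_name, pats)]
```

A non-empty result for a mixed-case spelling of an account means a restriction such as `ChrootDirectory` depends on the user typing the name in lowercase.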
