Bug 1033081

Summary: Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: sssd Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0 CC: grajaiya, jagee, jgalipea, lslebodn, mkosek, pbrezina
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.11.2-40.el7 Doc Type: Known Issue
Doc Text:
The System Security Services Daemon (SSSD) connects to the Global Catalog (GC) for all user and group lookups. POSIX attributes such as UID or GID are not replicated to the Global Catalog by default. SSSD is able to fall back from GC to Lightweight Directory Access Protocol (LDAP) lookups, but this fallback is performed only after a lookup. As a consequence, two attempts are needed to look up users with POSIX attributes in Active Directory in environments where POSIX attributes are not replicated to the Global Catalog.
Last Closed: 2014-06-13 11:58:48 UTC Type: ---

Description Dmitri Pal 2013-11-21 14:16:24 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2152

{{{
20:19 < simo> jhrozek: right after we search rootdse make a search for (uidNumber=*) under cn=users
20:19 < simo> if anything is returned we know it is ok to stay with gc
20:19 < simo> otherwise we disconnect, and switch to normal LDAP
20:19 < simo> we can use a control to limit how many entries are returned too
20:20 < simo> using the paged search and telling AD to return 5 entries pages or so
20:20 < simo> so we do not have to process a ton of data just for  probing
}}}

Comment 1 Jakub Hrozek 2014-01-08 13:54:23 UTC
This bug was triaged, planned and is being worked on. Moving to ASSIGNED.

Comment 2 Jakub Hrozek 2014-02-12 14:58:26 UTC
Pushed upstream:
    master: 86c2e80de2243c3bd7691657086f1a182e7fc45c
    sssd-1-11: e81deec535d11912b87954c81a1edd768c1386c9

Comment 4 Jeremy Agee 2014-03-12 12:16:39 UTC
Automation task passed.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_07: bz 1033081 detect if posix attributes have been replicated to the global catalog
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'id posixuser1_dom1' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom1' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom1 (Assert: posixuser1_dom1:*:100001:100001:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh should equal posixuser1_dom1:*:100001:100001:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh)
:: [   PASS   ] :: Running 'id posixuser1_dom2' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom2' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom2 (Assert: posixuser1_dom2:*:100002:100002:posixuser1_dom2:/home2/sssdad_tree.com/posixuser1_dom2:/bin/ksh should equal posixuser1_dom2:*:100002:100002:posixuser1_dom2:/home2/sssdad_tree.com/posixuser1_dom2:/bin/ksh)
:: [   PASS   ] :: Running 'id posixuser1_dom3.com' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom3.com' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom3.com (Assert: posixuser1_dom3.com:*:100003:100003:posixuser1_dom3:/home2/child1.sssdad.com/posixuser1_dom3:/bin/ksh should equal posixuser1_dom3.com:*:100003:100003:posixuser1_dom3:/home2/child1.sssdad.com/posixuser1_dom3:/bin/ksh)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'New LDAP connection to \[ldap://[[:alnum:]._-]*:3268/??base\]' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'ldap_search_ext with \[(|(uidNumber=\*)(gidNumber=\*))\]' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'POSIX attributes were requested but are not present on the server side' 
:: [   LOG    ] :: Duration: 43s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_07: bz 1033081 detect if posix attributes have been replicated to the global catalog
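
Added example (not from the bug report or the SSSD sources): a shell check that reuses the three grep patterns from the automation run above to classify an SSSD domain log by whether the Global Catalog POSIX probe ran and what it concluded. The sample log lines and domain names are constructed, the function names are hypothetical, and it assumes SSSD debug logging is verbose enough to record these messages.

```shell
#!/bin/sh
# Added example, not part of the bug report or of SSSD.
# Patterns are the three grep expressions from the automation run above.
GC_CONN='New LDAP connection to \[ldap://[[:alnum:]._-]*:3268/??base\]'
PROBE='ldap_search_ext with \[(|(uidNumber=\*)(gidNumber=\*))\]'
NO_POSIX='POSIX attributes were requested but are not present on the server side'

# Classify one SSSD domain log. Prints exactly one of:
#   unreadable      the log file is missing or cannot be read
#   no-gc           no connection to the Global Catalog port (3268) was logged
#   not-probed      GC connection logged, but no uidNumber/gidNumber probe
#   gc-has-posix    probe ran and the "not present" message was not logged
#   gc-lacks-posix  probe ran and SSSD reported the attributes as missing
gc_posix_state() {
    log=$1
    [ -r "$log" ] || { echo unreadable; return 0; }
    grep -q -e "$GC_CONN" "$log" || { echo no-gc; return 0; }
    grep -q -e "$PROBE" "$log" || { echo not-probed; return 0; }
    if grep -q -e "$NO_POSIX" "$log"; then
        echo gc-lacks-posix
    else
        echo gc-has-posix
    fi
}

# Write two constructed sample logs into directory $1 (hypothetical domains).
write_sample_logs() {
    cat > "$1/sssd_replicated.example.log" <<'EOF'
(constructed) New LDAP connection to [ldap://dc1.replicated.example:3268/??base] with fd [20]
(constructed) calling ldap_search_ext with [(|(uidNumber=*)(gidNumber=*))][DC=replicated,DC=example]
EOF
    cat > "$1/sssd_bare.example.log" <<'EOF'
(constructed) New LDAP connection to [ldap://dc1.bare.example:3268/??base] with fd [21]
(constructed) calling ldap_search_ext with [(|(uidNumber=*)(gidNumber=*))][DC=bare,DC=example]
(constructed) POSIX attributes were requested but are not present on the server side
EOF
}

# Report every domain log in directory $1 as "<file>: <state>".
report_dir() {
    for f in "$1"/sssd_*.log; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(gc_posix_state "$f")"
    done
}

demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
report_dir "$demo_dir"
rm -rf "$demo_dir"
```

On a real host, `report_dir /var/log/sssd` gives one line per domain log; a `gc-lacks-posix` result marks a domain where the probe found no POSIX attributes in the Global Catalog.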

Comment 5 Ludek Smid 2014-06-13 11:58:48 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.