Bug 1120508

Summary: tokengroups do not work with id_provider=ldap
Product: Red Hat Enterprise Linux 6
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: unspecified
Version: 6.0
CC: dpal, grajaiya, jagee, jgalipea, lslebodn, mkosek, pbrezina, preichl, sbose
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.6-12.el6
Doc Type: Bug Fix
Doc Text: No Documentation Needed
Story Points: ---
Last Closed: 2014-10-14 04:49:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jakub Hrozek 2014-07-17 05:52:13 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2345

Currently with id_provider=ldap and ldap_schema=ad I'm seeing:
{{{
(Mon Jun  2 13:37:05 2014) [sssd[be[AD-LDAP]]] [sdap_ad_tokengroups_initgr_mapping_send] (0x0020): No ID ctx available for [AD-LDAP].
}}}

We need to solve this bug because:
1. This is a regression. There are existing users running this setup, we've received bugs from them in the past
2. There is a layering violation in the AD provider. The file `src/providers/ldap/sdap_async_initgroups_ad.c` includes `providers/ad/ad_common.h`. We should not include headers from either IPA or AD provider in the plain LDAP provider.

I would argue that the tokenGroups should have been included in the AD provider only and not the LDAP provider because it's too AD specific anyway, but I'm not sure if we can revert that now.

Comment 1 Jakub Hrozek 2014-07-17 05:55:23 UTC
To test, simply configure the SSSD with:
id_provider = ldap
ldap_schema = ad

And run:
id user

Comment 4 Kaushik Banerjee 2014-07-17 14:41:49 UTC
Will try to reproduce with the steps from comment #1

Comment 5 Jakub Hrozek 2014-07-21 10:09:01 UTC
master:
    * 1614e1b25a98ff2f03648c4bf61d750fb688285a
    * b12e2500237f33c44807d7e5b377ec06007c7252 
sssd-1-11:
    * 5001bab712149a27ab37697d487b3f51082df26d
    * deb0cc874606db31f454531c03d381fe0de76bd6

Comment 7 Jeremy Agee 2014-09-16 20:55:43 UTC
When testing with these settings, we see the "No ID ctx available" message on early builds but not in later ones.
id_provider = ldap
ldap_schema = ad

id tuser

sssd-1.11.6-1.el6
(Tue Sep 16 16:13:16 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_initgr_posix_send] (0x0020): No ID ctx available for [sssdad.com].

sssd-1.11.6-30.el6
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-32-545 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3643]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-3643 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-513]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-513 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3642]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3644]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-3644 will be downloaded
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3643]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-513]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3644]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [tuser]
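To turn the manual check from comment 1 and the log evidence in comment 7 into a repeatable test, here is an added example (not SSSD's code nor anything posted by the commenters) that parses the domain-backend debug-log format and reports whether the "No ID ctx available" marker fired on the tokengroups code path; the sample lines are copied from comment 7, and the field names in the returned summary are this example's own.

```python
import re

# SSSD backend debug line: (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
NO_ID_CTX_RE = re.compile(r"^No ID ctx available for \[([^\]]+)\]")
SID_RE = re.compile(r"^Processing membership SID \[(S-1-5-[\d-]+)\]")
MISSING_RE = re.compile(r"^Missing SID (S-1-5-[\d-]+) will be downloaded")
UPDATE_RE = re.compile(r"^Updating memberships for \[([^\]]+)\]")

def parse_line(line):
    """Split one log line into fields; None if it is not in backend-log format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)  # debug-level mask as an integer
    return rec

def classify_tokengroups(lines):
    """Summarise a tokengroups run: BZ 1120508 marker, SIDs walked, SIDs fetched."""
    summary = {"regression": False, "processed": [], "missing": [], "updated": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["func"].startswith("sdap_ad_tokengroups"):
            continue  # only the tokengroups code path matters for this bug
        msg = rec["msg"]
        if NO_ID_CTX_RE.match(msg):
            summary["regression"] = True  # the pre-fix failure from comment 7
        elif (m := SID_RE.match(msg)):
            if m.group(1) not in summary["processed"]:  # each SID is logged twice
                summary["processed"].append(m.group(1))
        elif (m := MISSING_RE.match(msg)):
            summary["missing"].append(m.group(1))
        elif (m := UPDATE_RE.match(msg)):
            summary["updated"].append(m.group(1))
    return summary

# Sample input copied from the sssd-1.11.6-1 and sssd-1.11.6-30 runs in comment 7.
BROKEN_LOG = [
    "(Tue Sep 16 16:13:16 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_initgr_posix_send] (0x0020): No ID ctx available for [sssdad.com].",
]
FIXED_LOG = [
    "(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]",
    "(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-32-545 will be downloaded",
    "(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]",
    "(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [tuser]",
]
```

Run `classify_tokengroups` over the lines of `/var/log/sssd/sssd_<domain>.log` after `id user`; a `regression` of True on a build that should carry the fix is the condition the automation in comment 8 asserts against.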

Comment 8 Jeremy Agee 2014-10-01 13:53:48 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bug_automation_006: BZ 1120508 tokengroups do not work with id_provider=ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'id testuser02' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should not contain 'No ID ctx available for \[sssdad.com\]' 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bug_automation_006: BZ 1120508 tokengroups do not work with id_provider=ldap

Comment 9 errata-xmlrpc 2014-10-14 04:49:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html