Bug 1141334

Summary: SSSD deref processing fail when entryusn can be read and objectclass doesn't
Product: [Fedora] Fedora Reporter: Petr Viktorin (pviktori) <pviktori>
Component: freeipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: abokovoy, mkosek, pviktori, pvoborni, rcritten, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: freeipa-4.0.3-1.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-27 09:56:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Viktorin (pviktori) 2014-09-12 17:53:37 UTC 
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4534


This is a follow up to changes done in #4521. FreeIPA server now allow by default entryusn and modifytimestamp for all entries. However, as tracked in ​RHEL downstream Bugzilla, older SSSD clients break as when they do deref call for authenticating user, they get entryusn, but not objectclass attribute.

It would make sense for FreeIPA to either show objectclass, entryusn and modifytimestamp for all entries or for none of them. Without this change, all unpatched SSSD clients will not be able talk to FreeIPA 4.0.x server (or it's replicas).
Comment 1 Petr Viktorin (pviktori) 2014-09-15 07:43:52 UTC 
Fixed in upstream 4.0.3
Comment 2 Martin Kosek 2014-09-15 07:51:42 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4534
Comment 3 Fedora Update System 2014-09-15 13:25:53 UTC 
python-qrcode-5.0.1-1.fc21, freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-1.fc21,freeipa-4.0.3-1.fc21
Comment 4 Fedora Update System 2014-09-18 16:12:34 UTC 
Package freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-4.0.3-1.fc21 389-ds-base-1.3.3.3-1.fc21 python-qrcode-5.0.1-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-10811/389-ds-base-1.3.3.3-1.fc21,python-qrcode-5.0.1-2.fc21,freeipa-4.0.3-1.fc21
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2014-09-27 09:56:51 UTC 
freeipa-4.0.3-1.fc21, 389-ds-base-1.3.3.3-1.fc21, python-qrcode-5.0.1-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.