Bug 1219285
| Field | Value |
|---|---|
| Summary | Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Harald Jensås <hjensas> |
| Component | sssd |
| Assignee | Sumit Bose <sbose> |
| Status | CLOSED ERRATA |
| QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | high |
| Docs Contact | |
| Priority | medium |
| Version | 7.1 |
| CC | grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, sbose, sumenon |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | sssd-1.13.0-0.1.alpha.el7 |
| Doc Type | Bug Fix |
| Doc Text | see below |
| Story Points | --- |
| Clone Of | |
| Clones (view as bug list) | 1219844 1263262 |
| Environment | |
| Last Closed | 2015-11-19 11:38:45 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1219844, 1263262 |
| Attachments | listed in the description below |

Doc Text:

- Cause: IPA clients that were views-enabled unconditionally looked up a views-related attribute on the server.
- Consequence: Group membership resolution for AD users failed, because the whole lookup request failed once the client could not dereference the view name.
- Fix: If the server answers the view lookup with LDAP_UNAVAILABLE_CRITICAL_EXTENSION (12) or LDAP_PROTOCOL_ERROR (2), the client ignores the error and assumes the server is not views-aware.
- Result: Group membership resolution for AD users no longer fails when a RHEL 7 client is enrolled with a RHEL 6 IPA server.
Description (Harald Jensås, 2015-05-06 23:50:47 UTC)
Created attachment 1022840 [details]
SOS Report for RHEL 7.1 IPA Client. SSSD debug level 9 enabled.
Created attachment 1022841 [details]
SOS Report for RHEL 6.6 IPA Server, winbind with debug level 100.
Created attachment 1022843 [details]
SOS Report for RHEL 6.6 IPA Client. For client configuration reference. This client works as expected.
I think a change in the PAC responder caused this. I will prepare a test build.

It is not related to the PAC responder but to the new code which tries to determine if the client has assigned a view. Older versions of 389-ds return an error here, but it looks like there is a different error code used by different releases. In the given case it is '389-Directory/1.2.11.15' and it returns LDAP_PROTOCOL_ERROR. Newer versions (I tested with '389-Directory/1.3.3.8') return LDAP_UNAVAILABLE_CRITICAL_EXTENSION. The LDAP_UNAVAILABLE_CRITICAL_EXTENSION is already handled correctly by SSSD; support must be added for the LDAP_PROTOCOL_ERROR case.

Upstream ticket: https://fedorahosted.org/sssd/ticket/2650

Fixed upstream:
master: a50b229c8ea1e22c9efa677760b94d8c48c3ec89
sssd-1-12: 0f85298a31beb53375635b82cb274d29eae45774

Sudhir, since this turned out to be an IPA issue, can you please move this bugzilla to VERIFIED and remove the FailedQA keyword?

Moving this bug to VERIFIED.

Cloned Bug #1263262

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html
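The following C program is an added illustration of the error-handling change described in the Doc Text and in the comments above; it is not SSSD's code and does not reproduce SSSD's internal API. It models the client's "which ID view am I assigned to?" lookup with a constructed reply structure (`struct view_reply`, hypothetical), and places the pre-fix classifier, which only tolerates LDAP_UNAVAILABLE_CRITICAL_EXTENSION, next to the fixed one, which also tolerates LDAP_PROTOCOL_ERROR. The LDAP result-code constants are redefined locally with the RFC 4511 values so the example builds without the OpenLDAP headers; the function names `resolve_view_before_fix`, `resolve_view` and `group_lookup_can_proceed` are assumptions made for this example. The point worth seeing is the edge case: a RHEL 6 server's LDAP_PROTOCOL_ERROR must be treated as "no views support", while an unrelated error such as a dropped connection must still abort the lookup rather than be silently swallowed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* LDAP result codes from RFC 4511 section 4.1.9. The values are identical to
 * the same-named constants in OpenLDAP's ldap.h; they are redefined here only
 * so this example builds without the LDAP headers. LDAP_SERVER_DOWN is the
 * OpenLDAP client-side API error, also copied from ldap.h. */
#define LDAP_SUCCESS                         0x00
#define LDAP_PROTOCOL_ERROR                  0x02
#define LDAP_UNAVAILABLE_CRITICAL_EXTENSION  0x0c
#define LDAP_NO_SUCH_OBJECT                  0x20
#define LDAP_SERVER_DOWN                     (-1)

/* Outcome of the view lookup as seen by the caller. */
enum view_result {
    VIEW_LOOKUP_FAILED = -1,  /* real error: abort the user/group lookup */
    VIEW_NONE          =  0,  /* no view assigned, or server not views-aware */
    VIEW_ASSIGNED      =  1   /* view name was copied to the caller's buffer */
};

/* Constructed stand-in for the server's reply to the view search (hypothetical). */
struct view_reply {
    int         rc;         /* LDAP result code */
    const char *view_name;  /* view attribute value when rc == LDAP_SUCCESS */
};

/* Reconstruction of the behaviour before the fix (hypothetical, based on the
 * Doc Text): only LDAP_UNAVAILABLE_CRITICAL_EXTENSION means "no views support",
 * so the LDAP_PROTOCOL_ERROR sent by 389-Directory 1.2.x becomes a failed
 * lookup and AD group memberships cannot be resolved. */
enum view_result resolve_view_before_fix(const struct view_reply *reply,
                                         char *out, size_t outlen)
{
    out[0] = '\0';
    if (reply->rc == LDAP_SUCCESS) {
        if (reply->view_name == NULL || reply->view_name[0] == '\0')
            return VIEW_NONE;
        snprintf(out, outlen, "%s", reply->view_name);
        return VIEW_ASSIGNED;
    }
    if (reply->rc == LDAP_UNAVAILABLE_CRITICAL_EXTENSION)
        return VIEW_NONE;
    return VIEW_LOOKUP_FAILED;
}

/* Behaviour after the fix: both codes mean the server is not views-aware and
 * the client continues without a view. Every other error stays fatal, so an
 * unreachable or misbehaving server is not silently ignored. */
enum view_result resolve_view(const struct view_reply *reply,
                              char *out, size_t outlen)
{
    out[0] = '\0';
    switch (reply->rc) {
    case LDAP_SUCCESS:
        if (reply->view_name == NULL || reply->view_name[0] == '\0')
            return VIEW_NONE;
        snprintf(out, outlen, "%s", reply->view_name);
        return VIEW_ASSIGNED;
    case LDAP_PROTOCOL_ERROR:                  /* older 389-ds, e.g. 1.2.11 */
    case LDAP_UNAVAILABLE_CRITICAL_EXTENSION:  /* newer 389-ds, e.g. 1.3.3 */
        return VIEW_NONE;
    default:
        return VIEW_LOOKUP_FAILED;
    }
}

/* Group resolution goes ahead unless the view lookup itself failed. */
bool group_lookup_can_proceed(enum view_result r)
{
    return r != VIEW_LOOKUP_FAILED;
}

int main(void)
{
    char view[64];
    /* Constructed replies covering the cases discussed in the bug. */
    const struct view_reply replies[] = {
        { LDAP_PROTOCOL_ERROR, NULL },                  /* RHEL 6 IPA server */
        { LDAP_UNAVAILABLE_CRITICAL_EXTENSION, NULL },  /* RHEL 7 IPA server */
        { LDAP_SUCCESS, "example_view" },               /* views-aware, view set */
        { LDAP_SERVER_DOWN, NULL },                     /* connection lost */
    };
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        enum view_result before = resolve_view_before_fix(&replies[i], view, sizeof view);
        enum view_result after  = resolve_view(&replies[i], view, sizeof view);
        printf("rc=%3d  before: %s  after: %s%s%s\n", replies[i].rc,
               group_lookup_can_proceed(before) ? "proceed" : "FAIL   ",
               group_lookup_can_proceed(after)  ? "proceed" : "FAIL   ",
               view[0] ? "  view=" : "", view);
    }
    return 0;
}
```

Running it shows the RHEL 6 reply (rc=2) failing with the old classifier and proceeding with the new one, while the dropped-connection reply (rc=-1) still fails in both, which is the distinction a reviewer should check when a client starts tolerating additional error codes from a server.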