Bug 1255442

Summary: getgrgid for user's UID on a trust client prevents getpw*
Product: Red Hat Enterprise Linux 7
Reporter: Libor Miksik <lmiksik>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: urgent
Priority: urgent
Version: 7.0
CC: ekeck, grajaiya, henning.henkel, jgalipea, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, sumenon
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.12.2-58.el7_1.17
Doc Type: Bug Fix
Doc Text:
If a getgrgid() call for an ID representing a user arrived before a getpwnam() or getpwuid() call for the user's ID in an environment with IPA-AD trusts, the getpw* function terminated with an error, preventing the user from using IPA-AD trusts. This was manifested in the SSSD logs as an EEXIST error. A patch has been applied to fix this bug, and the getpw* functions now work correctly in these circumstances.
Clone Of: 1244949
Last Closed: 2015-09-15 12:57:37 UTC
Bug Depends On: 1244949
Attachments:
Logs (flags: none)
NSS and Domain Logs (flags: none)

Description Libor Miksik 2015-08-20 15:06:15 UTC
This bug has been copied from bug #1244949 and has been proposed
to be backported to 7.1 z-stream (EUS).

Comment 5 Sudhir Menon 2015-09-03 06:50:40 UTC
Created attachment 1069628
Logs

NSS and Domain Logs

Comment 7 Sudhir Menon 2015-09-03 06:55:02 UTC
Created attachment 1069631
NSS and Domain Logs

Comment 8 Jakub Hrozek 2015-09-03 07:30:55 UTC
I wouldn't expect these messages:
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ldb] (0x4000): Destroying timer event 0x7f6c1b942b90 "ltdb_timeout"
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ldb] (0x4000): Ending timer event 0x7f6c1b95ca40 "ltdb_callback"
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ldb] (0x4000): cancel ldb transaction (nesting: 1)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_store_user] (0x0400): Error: 17 (File exists)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_s2n_save_objects] (0x0040): sysdb_store_user failed.
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_s2n_get_user_done] (0x0040): ipa_s2n_save_objects failed.
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 17
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sdap_id_op_destroy] (0x4000): releasing operation connection

With a fixed client. Is this with new or old packages?
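
Added example, not part of the original bug report or of SSSD: a Python scan of an SSSD domain log for the failure signature quoted in comment 8, where `sysdb_store_user` returns error 17 (File exists), `ipa_s2n_save_objects` fails, and the `ipa_get_*_acct` request ends with 17. The names `find_eexist_store_failures` and `Finding` are hypothetical; the sample lines are copied from comment 8.

```python
import re
from collections import namedtuple

# (timestamp) [sssd[be[domain]]] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
Finding = namedtuple("Finding", "domain ts request_failed")

# Lines copied from comment 8; the ldb timer/transaction lines are left out.
SAMPLE = """\
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_store_user] (0x0400): Error: 17 (File exists)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_s2n_save_objects] (0x0040): sysdb_store_user failed.
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_s2n_get_user_done] (0x0040): ipa_s2n_save_objects failed.
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 17
"""


def find_eexist_store_failures(text):
    """Return one Finding per failed user store that hit EEXIST (error 17)."""
    findings = []
    pending = {}  # domain -> timestamp of the sysdb_store_user EEXIST line
    last = {}     # domain -> index in findings awaiting the request-level failure
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an SSSD backend debug line
        dom, func, msg = m["domain"], m["func"], m["msg"]
        if func == "sysdb_store_user" and msg.startswith("Error: 17 "):
            pending[dom] = m["ts"]
        elif func == "ipa_s2n_save_objects" and "sysdb_store_user failed" in msg:
            if dom in pending:
                last[dom] = len(findings)
                findings.append(Finding(dom, pending.pop(dom), False))
        elif func == "ipa_subdomain_account_done" and msg.endswith("failed: 17"):
            if dom in last:
                idx = last.pop(dom)
                findings[idx] = findings[idx]._replace(request_failed=True)
    return findings


if __name__ == "__main__":
    for f in find_eexist_store_failures(SAMPLE):
        print(f"{f.domain}: user store hit EEXIST at {f.ts}, "
              f"lookup failed: {f.request_failed}")
```

A lone `Error: 17` line from `sysdb_store_user` is not reported; the scan requires the `ipa_s2n_save_objects` failure in the same domain before it records a finding.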

Comment 9 Sudhir Menon 2015-09-03 07:33:36 UTC
Seeing this with sssd-1.12.2-58.el7_1.16.x86_64

Comment 10 Sudhir Menon 2015-09-03 07:58:44 UTC
Blank output on IPA-Client.
[smenon@client71 ~]$ getent passwd 1375001118
[smenon@client71 ~]$

Comment 11 Jakub Hrozek 2015-09-03 08:34:12 UTC
(In reply to Sudhir Menon from comment #9)
> Seeing this with sssd-1.12.2-58.el7_1.16.x86_64

Wow, I just noticed the patch was not applied correctly. Thank you very much for precise testing, I'm building a new package.

Comment 16 Sudhir Menon 2015-09-03 12:13:13 UTC
Marking the bug as VERIFIED since the output matches the requirements as mentioned in comment #1 of bug #1244949

Observations:-

IPA-SERVER:-
[smenon@rhel71 ~]$ getent passwd monuser1
    monuser1:*:1375001115:1375001115:monuser1:/home/test.in/monuser1:
    
IPA-CLIENT:- 
[smenon@client71 ~]$ getent group 1375001115
    monuser1:*:1375001115:

[smenon@client71 ~]$ sudo ldbsearch -H /var/lib/sss/db/cache_labs.test.ldb "(&(objectclass=group)(name=monuser1))"
    asq: Unable to register control with rootdse!
    # record 1
    dn: name=monuser1,cn=groups,cn=test.in,cn=sysdb
    createTimestamp: 1441282126
    gidNumber: 1375001115
    name: monuser1
    objectClass: group
    objectSIDString: S-1-5-21-742749997-2996825573-4184801258-1115
    userPrincipalName: monuser1
    adAccountExpires: 9223372036854775807
    adUserAccountControl: 66048
    originalDN: CN=monuser1,CN=Users,DC=test,DC=in
    nameAlias: monuser1
    isPosix: TRUE
    lastUpdate: 1441282126
    dataExpireTimestamp: 1441318126
    overrideDN: name=monuser1,cn=groups,cn=test.in,cn=sysdb
    distinguishedName: name=monuser1,cn=groups,cn=test.in,cn=sysdb
     
    # returned 1 records
    # 1 entries
    # 0 referrals

[smenon@client71 ~]$ getent passwd 1375001115
    monuser1:*:1375001115:1375001115:monuser1:/home/test.in/monuser1:

[smenon@client71 ~]$ sudo ldbsearch -H /var/lib/sss/db/cache_labs.test.ldb "(&(objectclass=group)(name=monuser1))"
    asq: Unable to register control with rootdse!
    # returned 0 records
    # 0 entries
    # 0 referrals

IPA-SERVER:-
sssd-ldap-1.12.2-58.el7_1.17.x86_64
sssd-ipa-1.12.2-58.el7_1.17.x86_64
sssd-1.12.2-58.el7_1.17.x86_64
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
sssd-ad-1.12.2-58.el7_1.17.x86_64
python-sssdconfig-1.12.2-58.el7_1.17.noarch
sssd-common-1.12.2-58.el7_1.17.x86_64
sssd-proxy-1.12.2-58.el7_1.17.x86_64
sssd-common-pac-1.12.2-58.el7_1.17.x86_64
sssd-client-1.12.2-58.el7_1.17.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
[smenon@rhel71 ~]$ sudo rpm -qa | grep ipa
ipa-server-trust-ad-4.1.0-18.el7_1.4.x86_64
ipa-server-4.1.0-18.el7_1.4.x86_64
sssd-ipa-1.12.2-58.el7_1.17.x86_64

IPA-CLIENT:-
[smenon@client71 ~]$ sudo rpm -qa | grep sssd
sssd-ipa-1.12.2-58.el7_1.17.x86_64
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
python-sssdconfig-1.12.2-58.el7_1.17.noarch
sssd-common-1.12.2-58.el7_1.17.x86_64
sssd-proxy-1.12.2-58.el7_1.17.x86_64
sssd-common-pac-1.12.2-58.el7_1.17.x86_64
sssd-ldap-1.12.2-58.el7_1.17.x86_64
sssd-1.12.2-58.el7_1.17.x86_64
sssd-client-1.12.2-58.el7_1.17.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
sssd-ad-1.12.2-58.el7_1.17.x86_64

Comment 18 errata-xmlrpc 2015-09-15 12:57:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1785.html