Bug 1360806

Summary: sssd does not start if sub-domain user is used with simple access provider
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: dlavu, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.14.0-18.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 07:19:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jakub Hrozek 2016-07-27 14:10:26 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/3101

{{{
(Mon Jul 18 04:29:14 2016) [sssd[be[sssdad.com]]] [simple_access_obtain_filter_lists] (0x0020): Unable to parse Allow users list [1432158243]: Domain not found
(Mon Jul 18 04:29:14 2016) [sssd[be[sssdad.com]]] [dp_target_run_constructor] (0x0010): Target [access] constructor failed [1432158243]: Domain not found
(Mon Jul 18 04:29:14 2016) [sssd[be[sssdad.com]]] [dp_load_targets] (0x0020): Unable to load target [access] [1432158243]: Domain not found.
(Mon Jul 18 04:29:14 2016) [sssd[be[sssdad.com]]] [dp_init] (0x0020): Unable to initialize DP targets [1432158209]: Internal Error
(Mon Jul 18 04:29:14 2016) [sssd[be[sssdad.com]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Mon Jul 18 04:29:14 2016) [sssd[be[sssdad.com]]] [be_ptask_destructor] (0x0400): Terminating periodic task [AD machine account password renewal]
(Mon Jul 18 04:29:14 2016) [sssd[be[sssdad.com]]] [main] (0x0010): Could not initialize backend [1432158209]
}}}

{{{
[sssd]
services = nss, pam
domains = sssdad.com

[domain/sssdad.com]
id_provider = ad
use_fully_qualified_names = True
access_provider = simple

simple_allow_users=user1_dom2-29758.com
}}}

Comment 3 Jakub Hrozek 2016-08-10 15:07:55 UTC
master:
    * d2902de03738a3018445698650d8b974ae3cf230
    * 79ac0e8a4840202c3615d6ce6584df3c08efb594
    * c777f575b0ec0c48ce3b85ea2c5cc298db02450e
    * 95de2cd9ea8083115f3bbbf0867aaf6b218cb624

Comment 5 Dan Lavu 2016-09-21 21:42:46 UTC
Verified against sssd-client-1.14.0-43.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_simple_003: bz 1048102 simple_allow_users=DOMAIN1\user1,DOMAIN2\user2,CHILD1.DOMAIN1\user3
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'su_success user1_dom1-30350 Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- user1_dom1-30350
Password: :: [   PASS   ] :: Command 'su_success user1_dom1-30350 Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'su_success user1_dom2-30350 Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- user1_dom2-30350
Password: :: [   PASS   ] :: Command 'su_success user1_dom2-30350 Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'su_success user1_dom3-30350.com Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- user1_dom3-30350.com
Password: :: [   PASS   ] :: Command 'su_success user1_dom3-30350.com Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'su_fail user2_dom1-30350 Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- user2_dom1-30350
Password: 
su: Permission denied
:: [   PASS   ] :: Command 'su_fail user2_dom1-30350 Secret123' (Expected 0, got 0)

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_simple_004: simple_deny_users=user2,user3.com
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running 'su_success user1_dom1-30350 Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- user1_dom1-30350
Password: :: [   PASS   ] :: Command 'su_success user1_dom1-30350 Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'su_fail user1_dom2-30350 Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- user1_dom2-30350
Password: 
su: Permission denied
:: [   PASS   ] :: Command 'su_fail user1_dom2-30350 Secret123' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'su_fail user1_dom3-30350.com Secret123'
spawn su --shell /bin/sh nobody -- -c su --shell /bin/true -- "$1" -- user1_dom3-30350.com
Password: 
su: Permission denied
:: [   PASS   ] :: Command 'su_fail user1_dom3-30350.com Secret123' (Expected 0, got 0)

Comment 7 errata-xmlrpc 2016-11-04 07:19:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html