Bug 1362023

Summary: SSSD fails to start when ldap_user_extra_attrs contains mail
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: dcamilof, grajaiya, jhrozek, jpazdziora, lslebodn, mkosek, mmuehlfe, mupadhye, mzidek, pbrezina, spoore
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.14.0-27.el7 Doc Type: No Doc Update
Doc Text:
SSSD fails to start when `ldap_user_extra_attrs` includes `mail` System Security Services Daemon (SSSD) now fetches the `mail` attribute by default. When the `ldap_user_extra_attrs` option in the `/etc/sssd/sssd.conf` file also lists the `mail` attribute, SSSD warns the user about the duplicate email address and fails to start. To work around this problem, set a fictional attribute name in the `ldap_user_email` attribute in the `domain` section of `sssd.conf`. This ensures that the two obtained email addresses are different and that SSSD starts successfully.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 07:20:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2016-08-01 08:03:41 UTC 
Description of problem:

For a long time, we've recommended adding mail to ldap_user_extra_attrs when it should be made available via ifp, for example at

   http://www.freeipa.org/page/Web_App_Authentication/Example_setup

Now that change causes SSSD to fail to start.

Version-Release number of selected component (if applicable):

sssd-1.14.0-14.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Put line ldap_user_extra_attrs = mail, firstname:givenname, lastname:sn to [domain/*] section of sssd.conf on IPA-enrolled machine.
2. Run systemctl restart sssd

Actual results:

Job for sssd.service failed because the control process exited with error code. See "systemctl status sssd.service" and "journalctl -xe" for details.

Aug 01 04:02:09 client.example.test sssd[be[example.test]][5624]: Starting up
Aug 01 04:02:10 client.example.test sssd[be[example.test]][5625]: Starting up
Aug 01 04:02:12 client.example.test sssd[be[example.test]][5626]: Starting up
Aug 01 04:02:15 client.example.test sssd[pam][5637]: Starting up
Aug 01 04:02:16 client.example.test sssd[be[example.test]][5639]: Starting up
Aug 01 04:02:16 client.example.test sssd[5623]: Exiting the SSSD. Could not restart critical service [example.test].
Aug 01 04:02:16 client.example.test systemd[1]: sssd.service: control process exited, code=exited status=1
Aug 01 04:02:16 client.example.test systemd[1]: Failed to start System Security Services Daemon.
Aug 01 04:02:16 client.example.test systemd[1]: Unit sssd.service entered failed state.
Aug 01 04:02:16 client.example.test systemd[1]: sssd.service failed.

/var/log/sssd/sssd_example.test.log contains

(Mon Aug  1 03:58:40 2016) [sssd[be[example.test]]] [sdap_extend_map] (0x0010): Attribute mail (mail in LDAP) is already used by SSSD, please choose a different cache name
(Mon Aug  1 03:58:40 2016) [sssd[be[example.test]]] [dp_module_run_constructor] (0x0010): Module [ipa] constructor failed [1432158247]: Extra attribute is a duplicate
(Mon Aug  1 03:58:40 2016) [sssd[be[example.test]]] [dp_target_init] (0x0010): Unable to load module ipa
(Mon Aug  1 03:58:40 2016) [sssd[be[example.test]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Mon Aug  1 03:58:40 2016) [sssd[be[example.test]]] [main] (0x0010): Could not initialize backend [1432158209]

Expected results:

No error, SSSD starts just fine.

Additional info:
Comment 5 Jakub Hrozek 2016-08-04 14:25:28 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3120
Comment 8 Jakub Hrozek 2016-08-19 10:20:41 UTC 
master:
    133647422d6e276a597494002873b2afce1d12a7
    b6bc67f3272d8a45fb6b5c01c8a3f8e74010eb71
Comment 17 errata-xmlrpc 2016-11-04 07:20:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html