Bug 1373420

Summary: sss_override fails to export
Product: Red Hat Enterprise Linux 7 Reporter: Marc Muehlfeld <mmuehlfe>
Component: sssdAssignee: Michal Zidek <mzidek>
Status: CLOSED ERRATA QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.3CC: dlavu, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, tlavigne
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.14.0-41.el7 Doc Type: Bug Fix
Doc Text:
Show, find, and export operations in the "sss_override" utility now work correctly Red Hat Enterprise Linux 7.3 introduced local overrides to the System Security Services Daemon (SSSD). Due to a regression, "sss_override" commands failed if an override was created without the "-n" option. The bug has been fixed and now "sss_override" works correctly.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 07:21:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
debug log none

Description Marc Muehlfeld 2016-09-06 08:57:07 UTC 
Created attachment 1198131 [details]
debug log

Description of problem:
sss_override user-export fails



Version-Release number of selected component (if applicable):
sssd-tools-1.14.0-30.el7.x86_64



How reproducible:
Always.



Steps to Reproduce:
1. Set up an LDAP provider
2. Create an user override:
3. Restart sssd
4. Try to export the user overrides



Actual results:
# sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak

# echo $?
1

# ls -la /var/lib/sss/backup/sssd_user_overrides.bak
-rw-r--r--. 1 root root 0  6. Sep 09:04 /var/lib/sss/backup/sssd_user_overrides.bak



Expected results:
sss_override should not fail to export.




Additional information:
It would be great, if sss_override user-export tells the user when it fails. I only discovered this bug, because I wanted to remove the SSSD cache. Otherwise I had not seen that it generates just an empty file and fails. The "sssctrl cache-remove" command validates the result of the backup:
# sssctl cache-remove 
SSSD must not be running. Stop SSSD now? (yes/no) [yes] 
Creating backup of local data...
SSSD backup of local data already exist, override? (yes/no) [no] yes
Error while executing external command
Unable to export group overrides
Unable to create backup of local data, can not remove the cache.
Comment 1 Pavel Březina 2016-09-06 09:06:22 UTC 
It seems to be related to timestamp cache or fully qualified name changes.
Comment 3 Michal Zidek 2016-09-07 15:40:59 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3179
Comment 4 Michal Zidek 2016-09-07 16:19:39 UTC 
The override fails to export if the name attribute is not overriden. For example if someone only overrides shell for the user or GID for the group.

I do not think this is a regression.
Comment 9 Pavel Březina 2016-09-09 09:54:22 UTC 
Works in 1.13, this is a regression.
Comment 11 Jakub Hrozek 2016-09-11 20:55:33 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3179
Comment 12 Jakub Hrozek 2016-09-11 20:56:56 UTC 
(In reply to Jakub Hrozek from comment #11)
> Upstream ticket:
> https://fedorahosted.org/sssd/ticket/3179

For some reason, the previous clone didn't update the devel Whiteboard, so our internal tool didn't see the BZ as cloned..
Comment 13 Lukas Slebodnik 2016-09-13 11:54:16 UTC 
master:
* 1c72723cde8bea0d390b928c7cd29e48e7a7deab
* 07e7683f5a86991feaa764e2055116554ada1b93
Comment 16 Dan Lavu 2016-09-19 20:09:13 UTC 
Verified against sssd-client-1.14.0-42.el7.x86_64

[root@dell-per230-02 db]# id Administrator
uid=498200500(administrator) gid=498200513(domain users) groups=498200513(domain users),498200519(enterprise admins),498200512(domain admins),498200520(group policy creator owners),498200518(schema admins),498246372(parent_group-474),498200572(denied rodc password replication group)

[root@dell-per230-02 db]# sss_override user-add -n admin Administrator
SSSD needs to be restarted for the changes to take effect.

[root@dell-per230-02 db]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

[root@dell-per230-02 db]# id admin
uid=498200500(admin) gid=498200513(domain users) groups=498200513(domain users),498200520(group policy creator owners),498200519(enterprise admins),498200512(domain admins),498200518(schema admins),498200572(denied rodc password replication group),498246372(parent_group-474)

[root@dell-per230-02 db]# sss_override user-export export.txt

[root@dell-per230-02 db]# cat export.txt 
Administrator:admin::::::
Comment 20 errata-xmlrpc 2016-11-04 07:21:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html