Bug 1399589
| Summary: | sssd prevents sudo from getting data from LDAP | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dalibor Pospíšil <dapospis> | ||||||
| Component: | sssd | Assignee: | Pavel Březina <pbrezina> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Dalibor Pospíšil <dapospis> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 7.3 | CC: | dapospis, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, troels | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | sssd-1.15.0-2.el7 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | |||||||||
| : | 1400643 (view as bug list) | Environment: | |||||||
| Last Closed: | 2017-08-01 09:02:33 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Dalibor Pospíšil
2016-11-29 10:54:23 UTC
Pavel should take a look BTW, I would bet it's a timing issue. Could you provide log files with debug_level=9 in domain and sudo section. https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO Created attachment 1225842 [details] sssd.logs.bz2 here are debug logs I got during the test Created attachment 1225844 [details] sssd.logs.tar.bz2 You are hitting: - https://bugzilla.redhat.com/show_bug.cgi?id=1312062 - https://fedorahosted.org/sssd/ticket/2970 sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this version is missing patch for the above bug. (In reply to Pavel Březina from comment #6) > You are hitting: > - https://bugzilla.redhat.com/show_bug.cgi?id=1312062 > - https://fedorahosted.org/sssd/ticket/2970 > > sssd version on the test machine is sssd-1.13.3-48.el6.x86_64 and this > version is missing patch for the above bug. Well, this is a RHEL-7 bug and the sssd version the bug is filed against is 1.14. Did we regress? It was introduced with as one of the changes for supporting IPA schema, which made it to 6.8. Yes, this is a regression. Maybe I do not understand something correctly. * native ipa sudo schema was introduced in 1.13.2 * upstream bug https://fedorahosted.org/sssd/ticket/2970 was fixed in 1.13.4 + master(1.13.90) https://git.fedorahosted.org/cgit/sssd.git/commit/?id=ef5e33f7db1e314226b0077596e38ef16305cba5 This bug is about sssd-1.14.0-43.el7 When did we regress? Ok, so the cause is still the same, that openldap can't handle modifyTimestamp>=number, it needs datetime format. The patch that fixed #2970 is not complete and does not handle the case when ldap doesn't contain any sudorule during the initial full refresh -- usn is then set to 1 instead of remaining unset and we are trying to search modifyTimestamp>=1 during smart refresh which doesn't return any result. I will prepare a patch. This is a regression caused by IPA schema patches which was supposed to be fixed by 2970, but the fix was apparentely not complete. Upstream ticket: https://fedorahosted.org/sssd/ticket/3257 Pull request: https://github.com/SSSD/sssd/pull/103 Upstream ticket: https://fedorahosted.org/sssd/ticket/3257 master: 46703740e83a66909974a5ee8d47df6a6e5076e7
sssd-1-14: 76e97affaa05ce45709efd59d120595c5992aa21
sssd-1-13: 4e25db79aa514e044449c8ad4482c45b24e7a3d4
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294 |