Bug 1417170
Summary: | SSSD not resolving group membership on logon via LDAP/AD | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Andrey Bondarenko <abondare> |
Component: | sssd | Assignee: | Pavel Březina <pbrezina> |
Status: | CLOSED NOTABUG | QA Contact: | sssd-qe <sssd-qe> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.8 | CC: | abondare, grajaiya, jhrozek, lslebodn, mkosek, mzidek, nmcalister, pbrezina |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-10-26 08:14:06 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1461138 |
Description
Andrey Bondarenko
2017-01-27 12:08:31 UTC
As a short-term fix, I would ask if disabling tokengroups with "ldap_use_tokengroups=False" helps mitigate the issue. Please see the discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1372440#c20 and onwards. Hi - an update on this. I have deployed SSSD across another set of servers. The kernel is still registered at 6.5, but a mix of hosts, depending on when and how they where patched, are on different versions of SSSD The deployment of SSSD to these Production servers all use the same running SSSD.CONF file (as previously supplied). Of note: the working servers have: python-sssdconfig.noarch 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-ad.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-client.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-common.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-common-pac.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-ipa.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-krb5.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-krb5-common.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-ldap.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms sssd-proxy.x86_64 1.12.4-47.el6_7.8 @rhel-6-server-rpms The non-working servers have: python-sssdconfig.noarch 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-ad.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-client.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-common.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-common-pac.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-ipa.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-krb5.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-krb5-common.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-ldap.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms sssd-proxy.x86_64 1.13.3-22.el6_8.4 @rhel-6-server-rpms This information has been derived from yum list installed and grep sssd I have tested this in a virtual environment and can confirm that between 1.12.4-47.el6_7.8 and 1.13.3-22.el6_8.4 it broke. I checked the Bugzilla and tried out the recommendation for "ldap_use_tokengroups=False", which I assumed I did it correctly. I don't have the required access to read the linked Bugzilla on that comment Hello, Thank you for the update, but it's not clear if "ldap_use_tokengroups=False" helped? The bug is actually related to sudo which relies on the certain behavior of the sssd that might not happen due to the sssd optimizations. For the RHEL 6 "ldap_use_tokengroups=False" is a workaround. It's https://pagure.io/SSSD/sssd/issue/2838, but it's not backportable to the 6.x, it's too invasive. But it's fixed in the RHEL 7. Andrey Bondarenko |