Bug 1471966
Summary: | IPA client identity lookups failing for trusted AD Users
---|---
Product: | Red Hat Enterprise Linux 7
Reporter: | Matt.Agresta <Matt.Agresta>
Component: | sssd
Assignee: | SSSD Maintainers <sssd-maint>
Status: | CLOSED DUPLICATE
QA Contact: | sssd-qe <sssd-qe>
Severity: | medium
Priority: | unspecified
Version: | 7.3
CC: | grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, tscherf
Target Milestone: | rc
Target Release: | ---
Hardware: | x86_64
OS: | Linux
Doc Type: | If docs needed, set a value
Story Points: | ---
Last Closed: | 2017-07-18 08:47:59 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | ---
Cloudforms Team: | ---
Description
Matt.Agresta@kuehne-nagel.com
2017-07-17 19:37:25 UTC

Based on this:

```
(Mon Jul 17 15:36:39 2017) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 12, Cannot allocate memory Please check if any of the groups the user is a member of contains the @-sign.
```

Hey Jakub,

This appears to be the issue; when I removed that group the lookups work. As I am not sure how large the fallout would be from renaming this group, is there a work around for this?

Regards,
Matt

---

You can try setting the alternative re_expression as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1383520 (I'm going to close this BZ as a duplicate of #1383520 as well)

*** This bug has been marked as a duplicate of bug 1383520 ***

---

Thanks,

Unfortunately the filter in that report does not work for me. All of the groups causing issues have the same pattern in them (groupname). I have tried several different patterns with no luck; could you tell me what I am doing wrong?

```
(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$)|((?P<name>.+@example.com)@(?P<domain>.+$)))
```

---

(In reply to Matt.Agresta from comment #5)
> Thanks,
>
> Unfortunately the filter in that report does not work for me. All of the
> groups causing issues have the same pattern in them (groupname).
> I have tried several different patterns with no luck, could you tell me what
> I am doing wrong?
>
> (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$)|((?P<name>.+@example.com)@(?P<domain>.+$)))

Not really, can you post your config file and logs, please?

btw it is not guaranteed that this regex will suffice on its own, there is also parsing done on the IPA server side by the IPA server itself. But I guess in your case the groups made it to the client, so provided the correct regex, the client should be able to parse them..

---

I think I figured out the reg_ex part (at least partly). I can now resolve the user, but am having trouble getting secondary groups.

Judging from others' issues maybe it's schema related? I am trying to use ldapsearch to verify the groups but not having much luck with the command syntax.

sssd.conf

```ini
[domain/ipa.us.int.kn]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.us.int.kn
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = lxmatazan200s.us.int.kn
chpass_provider = ipa
ipa_server = lxipaazan100s.ipa.us.int.kn
dns_discovery_domain = ipa.us.int.kn
re_expression = (((?P<name>.+@.+)@(?P<domain>.+))|((?P<name>[^@]+)@?(?P<domain>[^@]*$)))
use_fully_qualified_names = True
debug_level = 9

[sssd]
services = nss, sudo, pam, ssh
debug_level = 9
domains = ipa.us.int.kn

[nss]
debug_level = 9
homedir_substring = /home
```

I will attach a log as well.

Created attachment 1300621
client sssd domain logs

---

I commented out "use_fully_qualified_names = True" and it seems to be working consistently. Unfortunately my HBAC rule is denying AD users but this is most likely a separate issue.

---

Disregard my last comment. Commenting out "use_fully_qualified_names = True" did improve the situation. If I do a lookup now I see about half of my groups, and the groups appear to change between lookups. The log looks the same as the one I have attached; could this be a timeout issue?
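To see why a group whose name contains "@" trips the stock name parser and how the re_expression from Matt's sssd.conf handles it, here is an added Python example (not code from the bug report or from sssd). It assumes the stock pattern is the three-alternative ipa/ad default of the sssd 1.x series (the first three alternatives Matt posted in comment #5), lists each PCRE alternative as its own Python pattern to emulate left-to-right alternation, and uses constructed names and a constructed set of known domains.

```python
import re

# Added example (not from the bug report): emulate how sssd splits a fully
# qualified name with re_expression. PCRE tries the alternatives of the whole
# pattern left to right and keeps the first that matches, so each alternative
# is listed here as a separate pattern (Python's re rejects the duplicate
# (?P<name>) groups that the combined pattern contains).

# Assumption: stock ipa/ad provider pattern of the sssd 1.x series.
DEFAULT_RE_ALTERNATIVES = [
    r"(?P<domain>[^\\]+)\\(?P<name>.+$)",  # DOMAIN\name
    r"(?P<name>[^@]+)@(?P<domain>.+$)",    # name@domain, name may not contain @
    r"^(?P<name>[^@\\]+)$",                # bare name, default domain
]

# The re_expression from Matt's posted sssd.conf.
WORKAROUND_RE_ALTERNATIVES = [
    r"(?P<name>.+@.+)@(?P<domain>.+)",       # name contains @: domain follows the last @
    r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)",  # plain name@domain, or a bare name
]

# Constructed stand-in for the domains the client knows ("" = default domain).
KNOWN_DOMAINS = {"", "ipa.us.int.kn", "ad.example.com"}


def split_name(alternatives, fqname):
    """Return (name, domain) from the first alternative that matches, or None."""
    for alt in alternatives:
        m = re.match(alt, fqname)
        if m:
            return m.group("name"), m.groupdict().get("domain") or ""
    return None


def lookup(alternatives, fqname):
    """Mimic the client-side outcome: a name parsed into an unknown domain cannot be resolved."""
    parsed = split_name(alternatives, fqname)
    if parsed is None:
        return "unparsable"
    name, domain = parsed
    if domain not in KNOWN_DOMAINS:
        return f"unknown domain {domain!r} for name {name!r}"
    return f"{name!r} in domain {domain or 'default'}"


if __name__ == "__main__":
    for fq in ["aduser@ad.example.com", "group@name@ad.example.com", "ipauser"]:
        print(fq, "->", lookup(DEFAULT_RE_ALTERNATIVES, fq), "|", lookup(WORKAROUND_RE_ALTERNATIVES, fq))
```

With the stock alternatives, "group@name@ad.example.com" is split at the first "@", so the client looks for a domain called "name@ad.example.com" that does not exist; the posted re_expression splits at the last "@" instead.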