Bug 1583725

Summary: SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries
Product: Red Hat Enterprise Linux 7 Reporter: Thorsten Scherf <tscherf>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: sssd-qe <sssd-qe>
Severity: high Docs Contact:
Priority: high    
Version: 7.5CC: dlavu, dominik.mierzejewski, grajaiya, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, sgoveas, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.16.2-5.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:42:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Thorsten Scherf 2018-05-29 14:37:05 UTC 
Description of problem:
SSSD uses the following LDAP query to detect if the AD Global Catalog (GC) server can be used to retrieve POSIX attributes:

'(|(&(uidNumber=*)(objectClass=user))(&(gidNumber=*)(objectClass=group)))'  

The filter is used with a sizelimit of '1' but AD is not properly honoring the sizelimit. This issue is tracked in BZ #1582975. 

The other issue is that this query should only go to the Global Catalog server but with the current version of SSSD we do see this query also going to regular AD DCs. 

Version-Release number of selected component (if applicable):
sssd-1.16.0-19.el7.x86_64

Steps to Reproduce:
1. Configure SSSD with AD provider.
2. Create an AD account with POSIX attributes
3. Login into the SSSD client using this account

Actual results:
The LDAP query listed above goes to a regular AD DC. Because of the issue reported in BZ #1582975 it might happen that SSSD runs into a timeout and the next server is contacted. This might end up in an infinite loop until the search can be completed.


Expected results:
LDAP query goes only to AD GC server.

Additional info:
This is a possible regression.
Comment 2 Jakub Hrozek 2018-06-07 03:31:25 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3754
Comment 3 Jakub Hrozek 2018-06-28 09:25:18 UTC 
* master: 5e1641b
Comment 8 Dan Lavu 2018-08-20 15:23:16 UTC 
Verified against sssd-1.16.2-12.el7.x86_64

# Testing a user with posix attributes

(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [ad_check_gc_usability_send] (0x0400): Checking for POSIX attributes in GC
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_print_server] (0x2000): Searching 10.8.63.92:389
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=attributeSchema)(|(cn=uidNumber)(cn=gidNumber)))][CN=Schema,CN=Configuration,DC=sssd2012r2,DC=com].
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [isMemberOfPartialAttributeSet]
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_op_add] (0x2000): New operation 10 timeout 6
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55faa87a7280], connected[1], ops[0x55faa87b8270], ldap[0x55faa87a3460]
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [be_ptask_online_cb] (0x0400): Back end is online
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [be_ptask_enable] (0x0080): Task [SUDO Smart Refresh]: already enabled
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55faa87a7280], connected[1], ops[0x55faa87b8270], ldap[0x55faa87a3460]
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [].
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [netlogon]
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55faa87a7280], connected[1], ops[0x55faa87b8270], ldap[0x55faa87a3460]
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [sdap_op_destructor] (0x2000): Operation 9 finished


# Testing a user with no posix attributes 

(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [ad_check_gc_usability_search_done] (0x0080): Cannot get isMemberOfPartialAttributeSet(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [ad_check_gc_usability_search_done] (0x0080): Cannot get isMemberOfPartialAttributeSet(Mon Aug 20 11:09:01 2018) [sssd[be[sssd2012r2.com]]] [ad_disable_gc] (0x0040): POSIX attributes were requested but are not present on the server side. Global Catalog lookups will be disabled
Comment 10 errata-xmlrpc 2018-10-30 10:42:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158