Bug 1719718

Summary: Validator warning issue : Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos
Product: Red Hat Enterprise Linux 7
Reporter: Vincenzo Polidoro <vpolidor>
Component: sssd
Assignee: Tomas Halman <thalman>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: low
Priority: unspecified
Version: 7.6
CC: atikhono, grajaiya, jhrozek, lslebodn, mupadhye, mzidek, pbrezina, sgoveas, thalman, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: sssd-1.16.5-2.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-09-29 19:49:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Vincenzo Polidoro 2019-06-12 12:16:20 UTC
Description of problem:
02374236 (sosreport attached but they redacted everything including timestamps)
Validator warning issue :  Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos
 - while on our reproducer we don't have the issue [1], 
 - in customer logs we have the pointed error (check for typos) [2]

[1]
[root@rhel7 ~]# grep dns_resolver_ /var/log/sssd/sssd_mylab.local.log
(Tue May 28 15:50:51 2019) [sssd[be[mylab.local]]] [dp_get_options] (0x0400): Option dns_resolver_timeout has value 6
(Tue May 28 15:50:51 2019) [sssd[be[mylab.local]]] [dp_get_options] (0x0400): Option dns_resolver_op_timeout has value 18
[2]
(Wed May  REMOVED:REMOVED) [sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_domain_options]: Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/REMOVED'. Check for typos.

 - the option is not present in the validator even in the latest version - 
hint:
<jhrozek> it's a bug, but easy to fix
<jhrozek> just one line added to the schema

Comment 2 Tomas Halman 2020-03-26 17:43:36 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/1012

Comment 3 Tomas Halman 2020-03-31 12:50:58 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4176

Comment 4 Pavel Březina 2020-04-03 09:30:13 UTC
* `sssd-1-16`
    * 7cb6a9f70dd65c88e0f9be97c79702566ab37afb - config: add dns_resolver_op_timeout to option list

Comment 9 Madhuri 2020-04-30 08:59:01 UTC
Verified with:
[root@ci-vm-10-0-106-32 ~]# rpm -qa sssd sssd-tools
sssd-1.16.5-1.el7.x86_64
sssd-tools-1.16.5-1.el7.x86_64


Verification steps:


1) Configure sssd client
2) create the sssd.conf
3) Add dns_resolver_op_timeout = 40 under domain section
4) Run sssctl config-check command

[root@ci-vm-10-0-106-32 ~]# cat /etc/sssd/sssd.conf 

[sssd]
config_file_version = 2
services = nss, pam
domains = example1
dns_resolver_op_timeout = 40

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True
debug_level = 9
dns_resolver_op_timeout = 40


[root@ci-vm-10-0-106-32 ~]# sssctl config-check
Issues identified by validators: 2
[rule/allowed_sssd_options]: Attribute 'dns_resolver_op_timeout' is not allowed in section 'sssd'. Check for typos.
[rule/allowed_domain_options]: Attribute 'dns_resolver_op_timeout' is not allowed in section 'domain/example1'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0


The output of the command does not show the warning,
thus marking this bug verified.

Comment 10 Madhuri 2020-04-30 10:16:04 UTC
correcting the sssd version
[root@ci-vm-10-0-106-32 ~]# rpm -qa sssd sssd-tools
sssd-1.16.5-2.el7.x86_64
sssd-tools-1.16.5-2.el7.x86_64


[root@ci-vm-10-0-106-32 ~]# cat /etc/sssd/sssd.conf 

[sssd]
config_file_version = 2
services = nss, pam
domains = example1
dns_resolver_op_timeout = 40

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True
debug_level = 9
dns_resolver_op_timeout = 40

[root@ci-vm-10-0-106-32 ~]# sssctl config-check
Issues identified by validators: 1
[rule/allowed_sssd_options]: Attribute 'dns_resolver_op_timeout' is not allowed in section 'sssd'. Check for typos.

Messages generated during configuration merging: 0

Used configuration snippet files: 0


Remove dns_resolver_op_timeout option from sssd section

[root@ci-vm-10-0-106-32 ~]# sssctl config-check
Issues identified by validators: 0

Messages generated during configuration merging: 0

Used configuration snippet files: 0

Above output is expected, as dns_resolver_op_timeout is allowed under the domain section of sssd.
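
A simplified model of the allowed-options check behind the warnings quoted in the comments above, as an added example (not SSSD's code and not part of the original report). The allow-lists are a constructed subset covering only the options in the posted sssd.conf, and `check`, `SSSD_OPTS` and the `DOMAIN_OPTS_*` names are hypothetical.

```python
import configparser
import re

# Constructed subset of allowed options (assumption): only what the test
# sssd.conf on this page uses. The real SSSD schema lists many more.
SSSD_OPTS = {"config_file_version", "services", "domains"}
DOMAIN_OPTS_BEFORE = {
    "ldap_search_base", "id_provider", "auth_provider",
    "ldap_user_home_directory", "ldap_uri", "ldap_tls_cacert",
    "use_fully_qualified_names", "debug_level",
}
# The fix amounts to one more entry in the domain allow-list.
DOMAIN_OPTS_AFTER = DOMAIN_OPTS_BEFORE | {"dns_resolver_op_timeout"}

# sssd.conf as posted in the verification comments.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example1
dns_resolver_op_timeout = 40

[domain/example1]
ldap_search_base = dc=example,dc=test
id_provider = ldap
auth_provider = ldap
ldap_user_home_directory = /home/%u
ldap_uri = ldaps://server.example.com
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
use_fully_qualified_names = True
debug_level = 9
dns_resolver_op_timeout = 40
"""

def check(conf_text, domain_opts):
    """Return validator-style messages for attributes outside the allow-list."""
    rules = [("rule/allowed_sssd_options", r"^sssd$", SSSD_OPTS),
             ("rule/allowed_domain_options", r"^domain/.*$", domain_opts)]
    parser = configparser.RawConfigParser()  # raw: '%u' must not interpolate
    parser.read_string(conf_text)
    issues = []
    for section in parser.sections():
        for rule, section_re, allowed in rules:
            if re.match(section_re, section):
                issues += [f"[{rule}]: Attribute '{attr}' is not allowed in "
                           f"section '{section}'. Check for typos."
                           for attr in parser.options(section)
                           if attr not in allowed]
    return issues
```

With `DOMAIN_OPTS_BEFORE` the posted file yields two messages, with `DOMAIN_OPTS_AFTER` only the `sssd`-section message remains, and removing that line from `[sssd]` yields none.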

Comment 12 errata-xmlrpc 2020-09-29 19:49:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904