Bug 1859554
Summary: | Secondary LDAP group go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1 [rhel-7.9.z] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Akshay Sakure <asakure> |
Component: | sssd | Assignee: | Tomas Halman <thalman> |
Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 7.8 | CC: | atikhono, bjarolim, grajaiya, ipedrosa, jhrozek, jreznik, kbanerje, lslebodn, mniranja, msauton, mzidek, pbrezina, pdwyer, rcain, sbose, sgoveas, sssd-qe, tbordaz, thalman, tmihinto, tscherf |
Target Milestone: | rc | Keywords: | TestCannotAutomate, Triaged, ZStream |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | sync-to-jira | | |
Fixed In Version: | sssd-1.16.5-10.el7_9.5 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-09-29 21:18:32 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Akshay Sakure
2020-07-22 12:49:50 UTC
Upstream ticket: https://github.com/SSSD/sssd/issues/5261

Accepted 1-16 upstream PR: https://github.com/SSSD/sssd/pull/5281

Versions:

Server Configuration:
=====================

1. Setup openldap-server such that there are spaces in member entry

```
dn: cn=group1
member: cn=user1, ou=people, dc=example,dc=com
memberUid: user1
gidNumber: 20001
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
structuralObjectClass: posixGroup
cn: group1
entryUUID: e59182d0-75a3-103a-9b63-653597a2aaa1
creatorsName: cn=manager
createTimestamp: 20200818133851Z
entryCSN: 20200818133851.585572Z#000000#000#000000
modifiersName: cn=manager
modifyTimestamp: 20200818133851Z

# group1, groups, example.com
dn: cn=group1,ou=groups,dc=example,dc=com
member: cn=user1, ou=people, dc=example,dc=com
memberUid: user1
gidNumber: 20001
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: group1
```

2. Create a posix user1 entry as shown below in ldap server

```
# user1, people, example.com
dn: cn=user1,ou=people,dc=example,dc=com
cn: user1
objectClass: shadowAccount
objectClass: posixAccount
objectClass: organizationalPerson
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
gecos: user1
sn: user1
homeDirectory: /home/user1
uid: user1
```

Client configuration:

```
[sssd]
config_file_version = 2
services = nss,pam
domains = LDAP
debug_level = 9

[domain/ldap]
id_provider = ldap
cache_credentials = true
ldap_uri = ldap://vm-idm-009.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
ldap_tls_cacertdir = /etc/openldap/certs
ldap_default_bind_dn = cn=manager
ldap_default_authtok = xxxxx
ldap_default_authtok_type = password
ldap_schema = rfc2307bis
debug_level = 9

[nss]
filter_groups = root
filter_users = root
debug_level = 9

[pam]
debug_level = 9
```

1. Remove cache, restart sssd and verify group1 shows up in id command.

```
systemctl stop sssd; rm -rf /var/lib/sss/{mc,db}/*; systemctl start sssd

[root@vm-idm-012 sssd]# getent group -s sss group1
group1:*:20001:user1

[root@vm-idm-012 sssd]# id user1
uid=10001(user1) gid=10001(user1) groups=10001(user1),20001(group1)
```

Logs:

```
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=group1)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups,dc=example,dc=com].
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 4
(2020-08-28 19:42:52): [be[ldap]] [sdap_op_add] (0x2000): New operation 4 timeout 6
(2020-08-28 19:42:52): [be[ldap]] [sdap_process_result] (0x2000): Trace: sh[0x560ff3a115b0], connected[1], ops[0x560ff3a2ac50], ldap[0x560ff3a09630]
(2020-08-28 19:42:52): [be[ldap]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=group1,ou=groups,dc=example,dc=com].
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(2020-08-28 19:42:52): [be[ldap]] [sdap_process_result] (0x2000): Trace: sh[0x560ff3a115b0], connected[1], ops[0x560ff3a2ac50], ldap[0x560ff3a09630]
(2020-08-28 19:42:52): [be[ldap]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2020-08-28 19:42:52): [be[ldap]] [sdap_op_destructor] (0x2000): Operation 4 finished
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_hash_insert] (0x4000): Inserting [cn=group1,ou=groups,dc=example,dc=com] into hash table [groups]
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=group1,ou=groups,dc=example,dc=com]
(2020-08-28 19:42:52): [be[ldap]] [sysdb_cache_search_users] (0x2000): Search users with filter: (&(objectCategory=user)(originalDN=cn=user1,ou=people,dc=example,dc=com))
(2020-08-28 19:42:52): [be[ldap]] [sysdb_cache_search_users] (0x2000): No such entry
(2020-08-28 19:42:52): [be[ldap]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(originalDN=cn=user1,ou=people,dc=example,dc=com))
(2020-08-28 19:42:52): [be[ldap]] [sysdb_cache_search_groups] (0x2000): No such entry
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_split_members] (0x4000): [cn=user1, ou=people, dc=example,dc=com] is a user
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=group1,ou=groups,dc=example,dc=com]
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=group1,ou=groups,dc=example,dc=com] will be processed individually
(2020-08-28 19:42:52): [be[ldap]] [sdap_print_server] (0x2000): Searching 10.65.206.143:389
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=posixAccount)][cn=user1, ou=people, dc=example,dc=com].
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
(2020-08-28 19:42:52): [be[ldap]] [sdap_op_add] (0x2000): New operation 5 timeout 6
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4074

Pushed PR: https://github.com/SSSD/sssd/pull/5262

* `master`
  * 88631392e9172ae4fa3e411398516a2f39f0060e - intg: allow member DN to have a different case
  * 50d0d154cedb6915ab321b47c40851c40e91cf41 - ldap: use member DN to create ghost user hash table
  * fe0f1e64e8a77dadde699495c7eb368ce61ac992 - UTIL: Use sss_sanitize_dn where we deal with DN 2
  * 21b9417e14ce35a2548c309642325ac43103d51e - UTIL: Use sss_sanitize_dn where we deal with DN
  * 093061f553ab0a2c316794221e79779fb1bd40d2 - UTIL: DN sanitization

Pushed PR: https://github.com/SSSD/sssd/pull/5281

* `sssd-1-16`
  * e5ae7bab88603fd64a27bcf59d4bba1503835ad0 - intg: allow member DN to have a different case
  * a63a22284d85d54514247549e94212e466b5c93c - ldap: use member DN to create ghost user hash table
  * f31005a076fa470d3b1a1b6117f306355ae6d97b - UTIL: Use sss_sanitize_dn where we deal with DN 2
  * a960d66daaa1e0fb0602958452c6b40ee714f3b2 - UTIL: Use sss_sanitize_dn where we deal with DN
  * a20e08524d58c52ebfb5b971b361a91d911825cf - UTIL: DN sanitization
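The log above shows the same user DN in two spellings: the group's `member` value `cn=user1, ou=people, dc=example,dc=com` (spaces after the separators) and the cache filter `originalDN=cn=user1,ou=people,dc=example,dc=com` (none). A byte-wise comparison treats them as different DNs, which is what the pushed commits titled "DN sanitization" and "allow member DN to have a different case" address. The following is an added illustration, not SSSD's own code nor its `sss_sanitize_dn`: a simplified normaliser that trims whitespace around RDNs and lower-cases them (it assumes every attribute type in play uses case-insensitive matching, true for cn/ou/dc), beside a cache lookup run with and without it on values constructed from the report.

```python
import re

# Constructed from the report: the member value carries spaces after the
# RDN separators, the cached originalDN does not.
MEMBER_DN_FROM_GROUP = "cn=user1, ou=people, dc=example,dc=com"
CACHED_ORIGINAL_DN = "cn=user1,ou=people,dc=example,dc=com"
CACHE = [{"name": "user1", "originalDN": CACHED_ORIGINAL_DN}]


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    return re.split(r"(?<!\\),", dn)


def sanitize_dn(dn):
    """Canonical form for comparison: strip whitespace around each RDN's
    type and value and lower-case both. Simplification, not SSSD's code:
    it assumes caseIgnore matching for all attribute types involved."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(rdns)


def dn_equal(a, b):
    return sanitize_dn(a) == sanitize_dn(b)


def cache_lookup(member_dn, cache, sanitize):
    """Emulate the sysdb search from the log: match the group's member DN
    against each cached entry's originalDN. sanitize=False is the plain
    string match; sanitize=True compares the canonical forms."""
    for entry in cache:
        if sanitize:
            if dn_equal(entry["originalDN"], member_dn):
                return entry
        elif entry["originalDN"] == member_dn:
            return entry
    return None


if __name__ == "__main__":
    print(cache_lookup(MEMBER_DN_FROM_GROUP, CACHE, sanitize=False))
    print(cache_lookup(MEMBER_DN_FROM_GROUP, CACHE, sanitize=True))
```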