Bug 2000238

Summary: disabled root ad domain causes subdomains to be marked offline
Product: Red Hat Enterprise Linux 7 Reporter: Striker Leggette <striker>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: Dan Lavu <dlavu>
Severity: medium Docs Contact:
Priority: high    
Version: 7.9CC: akaiser, atikhono, dlavu, grajaiya, hartsjc, jhrozek, jreznik, lslebodn, mzidek, pbrezina, sbose, sgoveas, tscherf
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: sync-to-jira
Fixed In Version: sssd-1.16.5-10.el7_9.11 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-23 17:17:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Striker Leggette 2021-09-01 16:12:46 UTC 
[+] Description of problem:
 - when the root ad domain is not listed in ad_enabled_domains, sssd will mark the subdomains as offline

[+] Version-Release number of selected component (if applicable):
 - sssd-1.16.5-10.el7_9.8.x86_64

[+] How reproducible:
 - sometimes - the failure occurs when sssd tries to retrieve trust information from the root domain

[+] Steps to Reproduce:
1. configure an ad forest with two or more domains
2. enable only the ad subdomains in ad_enabled_domains
3. monitor sssd to see subdomains marked offline

[+] Actual results:
 - all domains are marked offline and sssd fails to perform user lookups for a certain period

[+] Expected results:
 - root domain being disabled is treated as normal and sssd keeps all subdomains online

[+] Workaround:
 - list ad root domain in ad_enabled_domains
Comment 8 Sumit Bose 2021-09-02 10:20:50 UTC 
Upstream ticket:
https://github.com/SSSD/sssd/issues/5770
Comment 9 Alexey Tikhonov 2021-09-02 10:29:44 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/5771
Comment 23 Alexey Tikhonov 2021-09-24 13:24:45 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5771

* `master`
    * 2a617c0efc07d10efc0688652bfe7ab2d8d6f477 - sdap: always create sdap object for a forest root
* `sssd-1-16`
    * 46b194196749d4ea77d5d4e6bdd64d7c0996b105 - sdap: always create sdap object for a forest root
Comment 30 Dan Lavu 2021-11-12 18:20:22 UTC 
Verified against sssd-1.16.5-10.el7_9.11.x86_64

[root@ci-vm-10-0-107-140 ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = child-y3fb.domain-y3fb.com
config_file_version = 2
services = nss, pam


[domain/child-y3fb.domain-y3fb.com]
debug_level = 9 
ad_enabled_domains = child-zf0b.domain-zf0b.com
ad_domain = child-y3fb.domain-y3fb.com
krb5_realm = CHILD-Y3FB.DOMAIN-Y3FB.COM
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = CI-VM-10-0-107-$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad


[root@ci-vm-10-0-107-140 ~]# id administrator.com
uid=1096800500(administrator.com) gid=1096800513(domain users.com) groups=1096800513(domain users.com),1096800520(group policy creator owners.com),1096800512(domain admins.com),1096800572(denied rodc password replication group.com)

[root@ci-vm-10-0-107-140 ~]# id administrator
id: administrator: no such user
Comment 35 errata-xmlrpc 2021-11-23 17:17:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4793