Bug 2000261

Summary: extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
Product: Red Hat Enterprise Linux 7 Reporter: Rob Crittenden <rcritten>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.9CC: amore, jreznik, ksiddiqu, rcritten, sbose, tapazogl, tscherf
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.8-5.el7_9.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2000263 2000269 (view as bug list) Environment:
Last Closed: 2021-10-12 15:28:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2000263, 2000269    

Description Rob Crittenden 2021-09-01 17:23:47 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8965

[description of the issue]
The fix for #8044 in commit 9fe984fed7a7091bd1366be95fdfa2f56f777bb8 replaced the LDAP_NO_SUCH_OBJECT error code at two places where it was actually correct. As a result lookups for UIDs or GIDs will return the generic LDAP_OPERATIONS_ERROR to clients if the UID or GID is coming from a different domain than the requested. Since the given UID or GID does not exists in the domain LDAP_NO_SUCH_OBJECT is the right return code and would help the client to act accordingly.

#### Steps to Reproduce
1. Setup IPA with trust to AD
2. Set the domain resolution order so that the trusted AD domain is looked up first
3. On an IPA client call `getent passwd UID_of_an_IPA_user` or `getent group GID_Of-IPA_group`

#### Actual behavior
With `debug_level = 9` in the `sssd_nss.log` messages like `Data Provider Error: 3, 1432158230, Network I/O Error` and in the backend log messages like `ldap_extended_operation result: Operations error(1), Failed to handle the request.` can be seen.

#### Expected behavior
Nss responder and backend log should just indicate that the given UID or GID is not present in the given domain.

#### Version/Release/Distribution
ipa-4.6 and above, all versions where fox for #8044 was applied.
Comment 3 Rob Crittenden 2021-09-01 17:47:58 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/d743219a9ae8a0ec9978dcbdd81eb89b7fd707f4
Comment 4 Florence Blanc-Renaud 2021-09-02 18:46:56 UTC 
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/5604b7ed045cc9b9e51dd2c57319974be84de2cf
Comment 5 Florence Blanc-Renaud 2021-09-02 18:48:09 UTC 
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/decccb1a8b857c41ff1c278806ca5692417b0e30
Comment 6 Florence Blanc-Renaud 2021-09-02 18:49:18 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/4fca95751ca32a1ed16a6d8a4e557c5799ec5c78
Comment 10 anuja 2021-09-21 11:38:33 UTC 
[root@client ~]# rpm -qa ipa-client
ipa-client-4.6.8-5.el7_9.7.x86_64

[root@client ~]# ipa config-show | grep resolution
  Domain resolution order: dom7oo2.test:a20q0.test
[root@client ~]# 
[root@client ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd; sleep 6
[root@client ~]# id aduser1.test
uid=441801107(aduser1.test) gid=441801107(aduser1.test) groups=441801107(aduser1.test),441800513(domain users.test)
[root@client ~]# date; getent group 441801107
Tue Sep 21 07:30:50 EDT 2021
aduser1.test:*:441801107:
[root@client ~]# date ; getent passwd 441801107
Tue Sep 21 07:31:06 EDT 2021
aduser1.test:*:441801107:441801107:aduser1:/home/sub7oo2.dom7oo2.test/aduser1:
[root@client ~]# grep -rn "Data Provider Error: 3" /var/log/*
/var/log/sssd/sssd_nss.log:3669:(2021-09-21  6:59:13): [nss] [cache_req_common_dp_recv] (0x0040): CR #0: Data Provider Error: 3, 1432158229, Network I/O Error
/var/log/sssd/sssd_nss.log:3860:(2021-09-21  7:02:27): [nss] [cache_req_common_dp_recv] (0x0040): CR #3: Data Provider Error: 3, 1432158229, Network I/O Error
/var/log/sssd/sssd_nss.log:3967:(2021-09-21  7:02:27): [nss] [cache_req_common_dp_recv] (0x0040): CR #5: Data Provider Error: 3, 1432158229, Network I/O Error
/var/log/sssd/sssd_nss.log:4357:(2021-09-21  7:30:33): [nss] [sss_dp_get_account_domain_recv] (0x0040): Data Provider Error: 3, 1432158300
/var/log/sssd/sssd_nss.log:4380:(2021-09-21  7:30:33): [nss] [cache_req_common_dp_recv] (0x0040): CR #1: Data Provider Error: 3, 1432158229, Network I/O Error
/var/log/sssd/sssd_nss.log:4498:(2021-09-21  7:30:33): [nss] [cache_req_common_dp_recv] (0x0040): CR #3: Data Provider Error: 3, 1432158229, Network I/O Error
[root@client ~]# 

++++++++++++++++++++++++++++++++++++++++++++++

[root@client ~]# rpm -qa ipa-client
ipa-client-4.6.8-5.el7_9.9.x86_64
[root@client ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd; sleep 6
[root@client ~]# date ; id aduser1.test
Tue Sep 21 07:33:11 EDT 2021
uid=441801107(aduser1.test) gid=441801107(aduser1.test) groups=441801107(aduser1.test),441800513(domain users.test)
[root@client ~]# date; getent group 441801107
Tue Sep 21 07:33:25 EDT 2021
aduser1.test:*:441801107:
[root@client ~]# date ; getent passwd 441801107
Tue Sep 21 07:33:36 EDT 2021
aduser1.test:*:441801107:441801107:aduser1:/home/sub7oo2.dom7oo2.test/aduser1:
[root@client ~]# grep -rn "Data Provider Error: 3" /var/log/*
/var/log/sssd/sssd_nss.log:1228:(2021-09-21  6:04:03): [nss] [sss_dp_get_account_domain_recv] (0x0040): Data Provider Error: 3, 1432158300
/var/log/sssd/sssd_nss.log:1360:(2021-09-21  6:04:10): [nss] [sss_dp_get_account_domain_recv] (0x0040): Data Provider Error: 3, 1432158300
/var/log/sssd/sssd_nss.log:2144:(2021-09-21  7:33:11): [nss] [sss_dp_get_account_domain_recv] (0x0040): Data Provider Error: 3, 1432158300
[root@client ~]# ipa config-show | grep resolution
  Domain resolution order: dom7oo2.test:a0j1u.test
[root@client ~]#
Comment 11 Sumit Bose 2021-09-21 12:06:43 UTC 
Hi,

it looks like using a UID or GID from another domain in the trusted forest can reproduce the issue even more easily. The important step is that a different AD domain is listed before in the domain resolution order.

bye,
Sumit
Comment 15 errata-xmlrpc 2021-10-12 15:28:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3800