Bug 2000263

Summary: extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
Product: Red Hat Enterprise Linux 8 Reporter: Rob Crittenden <rcritten>
Component: ipaAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.5CC: frenaud, ipa-qe, ksiddiqu, lmiksik, rcritten, ssidhaye, sumenon, tscherf, twoerner
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: idm-client-8050020210913151510.de73ecb2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2000261
: 2002729 (view as bug list) Environment:
Last Closed: 2021-11-09 18:29:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2000261, 2000269    
Bug Blocks: 2002729    

Description Rob Crittenden 2021-09-01 17:31:40 UTC 
+++ This bug was initially created as a clone of Bug #2000261 +++

This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8965

[description of the issue]
The fix for #8044 in commit 9fe984fed7a7091bd1366be95fdfa2f56f777bb8 replaced the LDAP_NO_SUCH_OBJECT error code at two places where it was actually correct. As a result lookups for UIDs or GIDs will return the generic LDAP_OPERATIONS_ERROR to clients if the UID or GID is coming from a different domain than the requested. Since the given UID or GID does not exists in the domain LDAP_NO_SUCH_OBJECT is the right return code and would help the client to act accordingly.

#### Steps to Reproduce
1. Setup IPA with trust to AD
2. Set the domain resolution order so that the trusted AD domain is looked up first
3. On an IPA client call `getent passwd UID_of_an_IPA_user` or `getent group GID_Of-IPA_group`

#### Actual behavior
With `debug_level = 9` in the `sssd_nss.log` messages like `Data Provider Error: 3, 1432158230, Network I/O Error` and in the backend log messages like `ldap_extended_operation result: Operations error(1), Failed to handle the request.` can be seen.

#### Expected behavior
Nss responder and backend log should just indicate that the given UID or GID is not present in the given domain.

#### Version/Release/Distribution
ipa-4.6 and above, all versions where fox for #8044 was applied.
Comment 1 Rob Crittenden 2021-09-01 17:47:36 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/d743219a9ae8a0ec9978dcbdd81eb89b7fd707f4
Comment 2 Florence Blanc-Renaud 2021-09-02 18:47:00 UTC 
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/5604b7ed045cc9b9e51dd2c57319974be84de2cf
Comment 3 Florence Blanc-Renaud 2021-09-02 18:48:12 UTC 
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/decccb1a8b857c41ff1c278806ca5692417b0e30
Comment 4 Florence Blanc-Renaud 2021-09-02 18:49:29 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/4fca95751ca32a1ed16a6d8a4e557c5799ec5c78
Comment 22 errata-xmlrpc 2021-11-09 18:29:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230