Bug 2032867
Summary: | AD Domain in the AD Forest Missing after sssd latest update | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Amiel <amiel.manzano> | ||||||||||
Component: | sssd | Assignee: | Sumit Bose <sbose> | ||||||||||
Status: | CLOSED ERRATA | QA Contact: | Dan Lavu <dlavu> | ||||||||||
Severity: | high | Docs Contact: | |||||||||||
Priority: | unspecified | ||||||||||||
Version: | 7.9 | CC: | asakure, asharov, atikhono, bthekkep, ccallaha, dcarmich, dchen, grajaiya, hartsjc, jhrozek, jreznik, jwooten, lslebodn, mrhodes, mzidek, nsuryawa, pbrezina, pkulkarn, riehecky, sbose, sgoveas, tscherf, vvanhaft | ||||||||||
Target Milestone: | rc | Keywords: | Triaged, ZStream | ||||||||||
Target Release: | --- | ||||||||||||
Hardware: | x86_64 | ||||||||||||
OS: | Linux | ||||||||||||
Whiteboard: | sync-to-jira | ||||||||||||
Fixed In Version: | sssd-1.16.5-10.el7_9.12 | Doc Type: | If docs needed, set a value | ||||||||||
Doc Text: | Story Points: | --- | |||||||||||
Clone Of: | |||||||||||||
: | 2035244 2035245 (view as bug list) | Environment: | |||||||||||
Last Closed: | 2022-02-22 17:03:55 UTC | Type: | Bug | ||||||||||
Regression: | --- | Mount Type: | --- | ||||||||||
Documentation: | --- | CRM: | |||||||||||
Verified Versions: | Category: | --- | |||||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||||
Embargoed: | |||||||||||||
Bug Depends On: | |||||||||||||
Bug Blocks: | 2035244, 2035245 | ||||||||||||
Attachments: |
|
Description
Amiel
2021-12-15 12:23:43 UTC
(In reply to Amiel from comment #0) > > Version-Release number of selected component (if applicable): > sssd-1.16.5-10.el7_9.11 ... > When the same command is executed on sssd-1.16.5-10.el7_9.10 the apac and > amr domain are not removed. We haven't change any configuration after the > upgrade. Sumit, is this side effect of bz 1984591? Hi, this sounds similar to an issue I'm currently working on. Would it be possible to attach SSSD debug logs to this ticket? If yes, please set 'debug_level = 9' in the [domain/...] section of sssd.conf, restart SSSD, lookup a user from a non-existing domain like 'getent passwd bla.bla' and attach the resulting log file to the ticket. @alexey, yes but it only triggers an issue in another part of the code (assuming it is the issue I'm thinking of). bye, Sumit Created attachment 1846548 [details]
Test build with a potential fix
Hi,
please find attached a tar ball with test build with a potential fix. Please let me know if it fixes the issue for you and if not send lofs if possible.
bye,
Sumit
Created attachment 1846595 [details]
sssd log requested
Hi Sumit,
See the attached file. Note: There are domains that you can ignore. I name them ignoreme.domain and ignoremeagain.domain.
In my test, I tried a dummy domain domain.test and a domain that is missing from sssctl domain-list - apac.global.domain.
(In reply to Amiel from comment #6) > Created attachment 1846595 [details] > sssd log requested > > Hi Sumit, > > See the attached file. Note: There are domains that you can ignore. I name > them ignoreme.domain and ignoremeagain.domain. > > In my test, I tried a dummy domain domain.test and a domain that is missing > from sssctl domain-list - apac.global.domain. Hi, the logs looks very much like the issue which should be fixed by the test build attached to this ticket. Please let me know if it works for you. bye, Sumit Hi Sumit, It works! It now can detect the other region in the forest! Can we push this as a fix? Cheers! :) Upstream ticket: https://github.com/SSSD/sssd/issues/5926 (In reply to Amiel from comment #8) > Hi Sumit, > > It works! It now can detect the other region in the forest! Can we push this > as a fix? > > Cheers! :) Hi, thank you for the fast feedback. I create pull-request with the fix at https://github.com/SSSD/sssd/pull/5927 to get the fix included upstream. bye, Sumit Hi, besides having an unexpected value the the 'trustAttribute' LDAP attribute in the trusted domain object of the forest root if might be possible to reproduce this issues when joining to a grand-child domain and then trying to lookup a user or a group from another domain in the forest which is neither the forest root not the parent of the joined domain. So at least 4 domains are needed: forest-root | |----another-domain | |----child-domain | |----grandchild-domain bye, Sumit Thank You Sumit for the fix. Usually, in our end the issue is when we add the server into a child-domain and tried to lookup user from another-domain and groups from another-domain/forest-root. Upstream PR: https://github.com/SSSD/sssd/pull/5927 Pushed PR: https://github.com/SSSD/sssd/pull/5927 * `master` * bf6059eb55c8caa3111ef718db1676c96a67c084 - ad: add required 'cn' attribute to subdomain object * `sssd-1-16` * 64192cf7c2823ae93820623b0ae285b697fabe12 - ad: add required 'cn' attribute to subdomain object *** Bug 2043671 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:0627 |