Bug 2219138
| Summary: | [RFE] ipa user-add should warn when it cannot create a SID because uid is out of range | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | tru |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | NEW --- | QA Contact: | ipa-qe |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.2 | CC: | rcritten, tscherf, youssef.ghorbal |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
tru
2023-07-02 12:23:13 UTC
The sidgen plugin (the plugin that is generating the ipantsecurityidentifier) is triggered on user creation, even if --uid is provided. But it can generate a SID only if the uid is within an existing id range.

Can you check on your installation:

- which ID ranges are defined:
  ```
  # kinit admin
  # ipa idrange-find
  ```
- if there is an error in the directory server error logs (/var/log/dirsrv/slapd-DOMAIN-NAME/errors) similar to the following when a new user is created with a provided uid:
  ```
  [03/Jul/2023:06:19:27.761510134 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
  [03/Jul/2023:06:19:27.765214399 +0000] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
  ```

Hello Florence

That makes sense. RFE: some warning/errors should be shown when the ipantsecurityidentifier is not generated as expected. Here is the info requested:

```
[truadm@wd22-2025 ~]$ ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: RHEL9.SIA_id_range
  First Posix ID of the range: 1759400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: RHEL9.SIA_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1547823303
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
```

/var/log/dirsrv/slapd-RHEL9-SIA/errors:

```
[02/Jul/2023:13:33:08.170775670 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[02/Jul/2023:13:33:08.171286895 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[02/Jul/2023:13:37:36.738145777 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[02/Jul/2023:13:37:36.738663137 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
```

The IPA SIDGEN plugin is defined as a postoperation plugin => when IPA gets the result of the add/modify operation, the plugin may not have been executed yet and IPA has no idea whether the SID generation succeeds or fails.

We have multiple options here:

- when a uid/gid is provided (user-add/user-mod/group-add/group-mod), check if the uid/gid is outside of the defined ranges. If outside, add a warning but create the user or group anyway
- when a uid/gid is provided (user-add/user-mod/group-add/group-mod), check if the uid/gid is outside of the defined ranges. If outside, refuse to create the user/group
- evaluate the cost of rewriting the plugin as a transaction post-op plugin.

To be discussed at team level.

I have installed a fresh Fedora 38 and this is also the case:
```
[truadm@ipa ~]$ rpm -q freeipa-server freeipa-client
freeipa-server-4.10.1-4.fc38.x86_64
freeipa-client-4.10.1-4.fc38.x86_64
[truadm@lts2004-nuc ~]$ klist
Ticket cache: KCM:1000
Default principal: admin
Valid starting Expires Service principal
07/04/2023 09:02:00 07/05/2023 08:20:50 krbtgt/HOME.LAN
[truadm@nuc ~]$ ipa user-add toto --first=t --last=oto
-----------------
Added user "toto"
-----------------
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 1779600003
  GID: 1779600003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[truadm@nuc ~]$ ipa user-find toto --all
--------------
1 user matched
--------------
  dn: uid=toto,cn=users,cn=accounts,dc=home,dc=lan
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 1779600003
  GID: 1779600003
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipantsecurityidentifier: S-1-5-21-1964266303-1880706590-3447306255-1003
  ipauniqueid: b95e6950-1a38-11ee-8b4f-c03fd56b882d
  mepmanagedentry: cn=toto,cn=groups,cn=accounts,dc=home,dc=lan
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[truadm@nuc ~]$ ipa user-del toto
-------------------
Deleted user "toto"
-------------------
[truadm@nuc ~]$ ipa user-add toto --first=t --last=oto --uid=2000
-----------------
Added user "toto"
-----------------
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 2000
  GID: 2000
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[truadm@nuc ~]$ ipa user-find toto --all
--------------
1 user matched
--------------
  dn: uid=toto,cn=users,cn=accounts,dc=home,dc=lan
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 2000
  GID: 2000
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipauniqueid: ce0ae8a6-1a38-11ee-ba39-c03fd56b882d
  mepmanagedentry: cn=toto,cn=groups,cn=accounts,dc=home,dc=lan
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
```
can this be RFE upstream too?
Thanks
Tru
(In reply to tru from comment #5)
> can this be RFE upstream too?

ipa development is done upstream first. When the team decides on a proper way to fix the issue, the patch will be submitted with an upstream PR to https://github.com/freeipa/freeipa/ and the code merged to https://pagure.io/freeipa.
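The pre-check that the first of the options discussed in this bug describes (warn when a supplied uid/gid falls outside every defined ID range) can be approximated on the admin side today. The following is an added example, my own code rather than anything from FreeIPA or the reporters: it parses the human-readable `ipa idrange-find` output into ranges, reports whether a requested POSIX ID is covered by one, and checks `ipa user-find --all` output for the ipantsecurityidentifier attribute that the sidgen plugin is expected to add. Assumptions: the sample below is constructed from the two ranges quoted above, not captured from a server; only ranges of type "local domain range" are treated as able to back a SID for an IPA-local user (the `local_only` flag relaxes this); and all function names (`parse_idranges`, `check_posix_id`, `sid_present`) are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the `ipa idrange-find` output quoted in
# this bug (same two ranges); it is not captured from a live server.
IDRANGE_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: RHEL9.SIA_id_range
  First Posix ID of the range: 1759400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: RHEL9.SIA_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1547823303
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
"""

# Assumption: only ranges of this type back SIDs for IPA-local users/groups.
LOCAL_RANGE_TYPE = "local domain range"


@dataclass
class IdRange:
    name: str
    base_id: int
    size: int
    range_type: str

    def contains(self, posix_id: int) -> bool:
        # A range covers base_id .. base_id + size - 1 (half-open interval).
        return self.base_id <= posix_id < self.base_id + self.size


# "Key: value" lines of the CLI output; separators and banners have no colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def _build(fields: Dict[str, object]) -> IdRange:
    return IdRange(
        name=str(fields["name"]),
        base_id=int(fields["base_id"]),
        size=int(fields["size"]),
        range_type=str(fields.get("range_type", "")),
    )


def parse_idranges(text: str) -> List[IdRange]:
    """Parse the human-readable `ipa idrange-find` output into IdRange objects."""
    ranges: List[IdRange] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Range name":          # a new range block starts here
            if current:
                ranges.append(_build(current))
            current = {"name": value}
        elif key == "First Posix ID of the range":
            current["base_id"] = int(value)
        elif key == "Number of IDs in the range":
            current["size"] = int(value)
        elif key == "Range type":
            current["range_type"] = value
    if current:
        ranges.append(_build(current))
    return ranges


def check_posix_id(posix_id: int, ranges: List[IdRange],
                   local_only: bool = True) -> Tuple[bool, str]:
    """Return (ok, message); ok is False when no suitable range covers posix_id."""
    candidates = [r for r in ranges
                  if not local_only or r.range_type == LOCAL_RANGE_TYPE]
    hits = [r.name for r in candidates if r.contains(posix_id)]
    if hits:
        return True, f"ID {posix_id} is inside range {hits[0]}; sidgen can assign a SID"
    scope = "local " if local_only else ""
    return False, (f"WARNING: ID {posix_id} is outside every {scope}ID range; "
                   "ipantsecurityidentifier will not be generated")


def sid_present(user_find_output: str) -> bool:
    """True if `ipa user-find --all` output carries an ipantsecurityidentifier line."""
    return any(line.strip().startswith("ipantsecurityidentifier:")
               for line in user_find_output.splitlines())
```

Running `check_posix_id(2000, parse_idranges(IDRANGE_OUTPUT))` against the ranges quoted in this bug returns the warning, matching the dirsrv errors shown above, while an ID inside RHEL9.SIA_id_range passes. Parsing the human-readable CLI output is fragile by nature (a real implementation would query the ranges over the JSON-RPC API or LDAP, as a server-side check would), and because sidgen is a post-operation plugin the authoritative signal remains the absence of ipantsecurityidentifier on the entry together with the `Cannot convert Posix ID ... into an unused SID` lines in the directory server errors log.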