Red Hat Bugzilla – Full Text Bug Listing
|Summary:||sssd-ldap: filters me out for unknown reason|
|Product:||[Fedora] Fedora||Reporter:||Jan Engelhardt <jengelh>|
|Component:||sssd||Assignee:||Stephen Gallagher <sgallagh>|
|Status:||CLOSED NOTABUG||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||dpal, jhrozek, sbose, sgallagh, ssorce|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2010-08-30 14:30:06 EDT||Type:||---|
Description Jan Engelhardt 2010-08-30 13:48:03 EDT
Description of problem:
sssd-ldap filters out the user.

Version-Release number of selected component (if applicable):
1.1.0

How reproducible:
A different adventure every time I try to retrofit an install with sssd.

Additional details:
See attached logfile.
Comment 1 Jan Engelhardt 2010-08-30 13:49:10 EDT
Created attachment 441999: sssd_LDAP.log with debug_level=9
Comment 2 Stephen Gallagher 2010-08-30 13:53:23 EDT
(Mon Aug 30 18:45:24 2010) [sssd[be[LDAP]]] [sdap_save_user_send] (2): User [jengelh] filtered out! (id out of range)

Your user ID or primary GID is out of range. On SSSD 1.1.0, we had set the default for min_id at 1000 (which means that if either your UID or primary GID were less than 1000, you would be filtered out). Newer versions default to using a min_id of 1.

Try setting:
min_id = 1
in your [domain/LDAP] section in sssd.conf.
Comment 3 Jan Engelhardt 2010-08-30 14:18:51 EDT
Yeah I noticed the default of 1000, which should be ok with my uid. An nss_ldap system returns:

# id jengelh
uid=2034(jengelh) gid=20(cdrom) groups=20(cdrom)
Comment 4 Stephen Gallagher 2010-08-30 14:30:06 EDT
Please read carefully. You have your primary GID set to 20(cdrom). This is why it is getting filtered out.
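The range check described in comments 2 and 4, as an added example that is not part of the bug thread and not SSSD's own code: it models the rule that an entry is dropped when either its UID or its primary GID is below min_id, and shows which field triggers the filter. The passwd entries, sssd.conf fragments and function names are constructed for illustration; the default of 1000 is the SSSD 1.1.0 value stated in comment 2.

```python
import configparser

# Default described in the thread for SSSD 1.1.0; newer versions default to 1.
DEFAULT_MIN_ID_1_1_0 = 1000

def read_min_id(conf_text, domain="LDAP", default=DEFAULT_MIN_ID_1_1_0):
    """Return min_id from the [domain/<name>] section, or the default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if cp.has_section(section):
        return cp.getint(section, "min_id", fallback=default)
    return default

def parse_passwd(text):
    """Yield (name, uid, gid) from passwd(5)-format lines, e.g. getent output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry, skip it
        yield fields[0], int(fields[2]), int(fields[3])

def filtered_users(passwd_text, min_id):
    """Map user name -> list of reasons the entry falls below min_id."""
    result = {}
    for name, uid, gid in parse_passwd(passwd_text):
        reasons = []
        if uid < min_id:
            reasons.append(f"uid {uid} < min_id {min_id}")
        if gid < min_id:
            reasons.append(f"primary gid {gid} < min_id {min_id}")
        if reasons:
            result[name] = reasons
    return result

# Constructed sample input; the first entry uses the uid/gid shown in comment 3.
SAMPLE_PASSWD = """\
jengelh:x:2034:20:Jan Engelhardt:/home/jengelh:/bin/bash
alice:x:2035:2035:constructed user:/home/alice:/bin/bash
"""
SAMPLE_CONF_OLD = "[domain/LDAP]\nid_provider = ldap\n"
SAMPLE_CONF_FIXED = "[domain/LDAP]\nid_provider = ldap\nmin_id = 1\n"

if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_CONF_OLD), ("min_id = 1", SAMPLE_CONF_FIXED)):
        print(label, filtered_users(SAMPLE_PASSWD, read_min_id(conf)))
```

Feeding it real `getent passwd` output before switching a host from nss_ldap to SSSD lists the accounts whose primary group, rather than UID, would cause them to be filtered.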
Comment 5 Jan Engelhardt 2010-08-30 14:31:52 EDT
I think GID filtering should be separated from the UID filter, like nss_ldap did.
Comment 6 Jan Engelhardt 2010-08-30 14:32:59 EDT
(Indeed, the sssd.conf(5) manpage says about min_id: UID limits for the domain. Nowhere did it mention GID.)
Comment 7 Stephen Gallagher 2010-08-30 14:36:41 EDT
The manpage in newer versions of SSSD has fixed this mistake for some time now. SSSD 1.1.0 is five months old now. As I stated above, the resolution is that by default we are not doing UID/GID filtering in newer SSSD versions.
Comment 8 Dmitri Pal 2010-08-30 18:43:18 EDT
We are not documenting them separately because we try to think about them (and encourage everybody to share our thinking) as values from one unique number space rather than two values from two different value spaces. While it is natural for UNIX to have them separate, it becomes a real pain in the mixed environments or multi domain cases, so we think the best approach is to have one global number (and namespace) for users and groups.