Bug 628672

Summary: sssd-ldap: filters me out for unknown reason
Product: [Fedora] Fedora
Component: sssd
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Reporter: Jan Engelhardt <jengelh>
Assignee: Stephen Gallagher <sgallagh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dpal, jhrozek, sbose, sgallagh, ssorce
Doc Type: Bug Fix
Last Closed: 2010-08-30 14:30:06 EDT

Attachments:
sssd_LDAP.log with debug_level=9 (flags: none)

Description Jan Engelhardt 2010-08-30 13:48:03 EDT
Description of problem:
sssd-ldap filters out the user.

Version-Release number of selected component (if applicable):

How reproducible:
A different adventure every time I try to retrofit an install with sssd.

Additional details:
See attached logfile.
Comment 1 Jan Engelhardt 2010-08-30 13:49:10 EDT
Created attachment 441999
sssd_LDAP.log with debug_level=9
Comment 2 Stephen Gallagher 2010-08-30 13:53:23 EDT
(Mon Aug 30 18:45:24 2010) [sssd[be[LDAP]]] [sdap_save_user_send] (2): User [jengelh] filtered out! (id out of range)

Your user ID or primary GID is out of range. On SSSD 1.1.0, we had set the default for min_id at 1000 (which means that if either your UID or primary GID were less than 1000, you would be filtered out).

Newer versions default to using a min_id of 1. Try setting:
min_id = 1
in your [domain/LDAP] section in sssd.conf.
Comment 3 Jan Engelhardt 2010-08-30 14:18:51 EDT
Yeah I noticed the default of 1000, which should be ok with my uid.
An nss_ldap system returns:

# id jengelh
uid=2034(jengelh) gid=20(cdrom) groups=20(cdrom)
Comment 4 Stephen Gallagher 2010-08-30 14:30:06 EDT
Please read carefully. You have your primary GID set to 20(cdrom). This is why it is getting filtered out.
Comment 5 Jan Engelhardt 2010-08-30 14:31:52 EDT
I think GID filtering should be separated from the UID filter, like nss_ldap did.
Comment 6 Jan Engelhardt 2010-08-30 14:32:59 EDT
(Indeed, the sssd.conf(5) manpage says about min_id: UID limits for the domain. Nowhere did it mention GID.)
Comment 7 Stephen Gallagher 2010-08-30 14:36:41 EDT
The manpage in newer versions of SSSD has fixed this mistake for some time now.

SSSD 1.1.0 is five months old now.

As I stated above, the resolution is that by default we are not doing UID/GID filtering in newer SSSD versions.
Comment 8 Dmitri Pal 2010-08-30 18:43:18 EDT
We are not documenting them separately because we try to think about them (and encourage everybody to share our thinking) as values from one unique number space rather than two values from two different value spaces. While it is natural for UNIX to have them separate, it becomes a real pain in mixed environments or multi-domain cases, so we think the best approach is to have one global number (and namespace) for users and groups.
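
Added example, not part of the original bug thread and not SSSD code: a pre-migration check that lists which accounts the min_id rule described in comments 2 and 4 would filter out, applying the limit to both UID and primary GID. The sample sssd.conf, the passwd lines and the function names are constructed for illustration; the fallback of 1 follows the newer default mentioned in comment 2.

```python
import configparser

# Constructed sample input (not taken from the bug's attachment): a minimal
# sssd.conf and passwd(5)-format lines as `getent passwd` would print them.
SAMPLE_CONF = """\
[domain/LDAP]
id_provider = ldap
min_id = 1000
"""

SAMPLE_PASSWD = """\
jengelh:x:2034:20:Jan:/home/jengelh:/bin/bash
alice:x:2035:2035:Alice:/home/alice:/bin/bash
svc:x:500:500:Service:/var/lib/svc:/sbin/nologin
"""


def read_min_id(conf_text, domain="LDAP", default=1):
    """Return min_id from [domain/<domain>], or `default` when it is unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint(f"domain/{domain}", "min_id", fallback=default)


def filtered_accounts(passwd_text, min_id):
    """Return [(name, [reasons])] for entries the min_id check would drop.

    Models the rule from comment 2: an entry is filtered if either its UID
    or its primary GID is below min_id.
    """
    dropped = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # Skip blank, comment and malformed lines instead of guessing at them.
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        reasons = []
        if uid < min_id:
            reasons.append(f"uid {uid} < min_id {min_id}")
        if gid < min_id:
            reasons.append(f"primary gid {gid} < min_id {min_id}")
        if reasons:
            dropped.append((name, reasons))
    return dropped


if __name__ == "__main__":
    for name, reasons in filtered_accounts(SAMPLE_PASSWD, read_min_id(SAMPLE_CONF)):
        print(f"{name}: would be filtered ({'; '.join(reasons)})")
```

Running it against the real output of `getent passwd` from the existing nss_ldap host shows, before the switch, every account whose low primary GID would make it disappear under SSSD.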