Bug 791208

Summary: Entries lacking a POSIX username value break group lookups
Product: Red Hat Enterprise Linux 6 Reporter: Stephen Gallagher <sgallagh>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: grajaiya, jgalipea, kbanerje, prc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.8.0-5.el6 Doc Type: Bug Fix
Doc Text:
Cause: SSSD expects all users in a POSIX-enabled Active Directory group to be POSIX-enabled users. Consequence: If some members of a POSIX-enabled group were lacking the POSIX username attribute, SSSD would return an error when looking up that group. Fix: SSSD ignores non-POSIX group members. Result: SSSD will now return all POSIX-enabled group members and silently ignore non-POSIX members instead of failing the lookup and returning nothing.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 11:55:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Gallagher 2012-02-16 14:06:16 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1169

{{{
(Tue Jan 24 15:30:20 2012) [sssd[be[EXAMPLE.COM]]] [sysdb_search_users]
(0x0400): Search users with filter:
(&(objectclass=user)(originalDN=CN=U329266,OU=site,OU=Users,OU=Accounts,DC=example,DC=com))
(Tue Jan 24 15:30:20 2012) [sssd[be[EXAMPLE.COM]]] [sysdb_search_users]
(0x0400): No such entry
(Tue Jan 24 15:30:20 2012) [sssd[be[EXAMPLE.COM]]] [sysdb_attrs_primary_name]
(0x0020): Could not determine primary name: [22][Invalid argument]
(Tue Jan 24 15:30:20 2012) [sssd[be[EXAMPLE.COM]]]
[sdap_nested_group_populate_users] (0x0020): User entry 7 has no name attribute
}}}

In this case, we are talking to an Active Directory server that had some entries in its search filter that were missing the msSFU30Name attribute. When we were processing a group that contained this user, we would encounter the {{{"Could not determine primary name: [22][Invalid argument]"}}} error and fail. The proper behaviour should be to skip incomplete POSIX entries.
Comment 4 Kaushik Banerjee 2012-04-17 17:12:18 UTC 
Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.8.0                             Vendor: Red Hat, Inc.
Release     : 22.el6                        Build Date: Mon 09 Apr 2012 07:40:33 PM IST
Install Date: Mon 16 Apr 2012 04:57:02 PM IST      Build Host: x86-003.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.8.0-22.el6.src.rpm
Size        : 7870660                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 5 Stephen Gallagher 2012-06-12 13:36:59 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: SSSD expects all users in a POSIX-enabled Active Directory group to be POSIX-enabled users.

Consequence: If some members of a POSIX-enabled group were lacking the POSIX username attribute, SSSD would return an error when looking up that group.

Fix: SSSD ignores non-POSIX group members.

Result: SSSD will now return all POSIX-enabled group members and silently ignore non-POSIX members instead of failing the lookup and returning nothing.
Comment 7 errata-xmlrpc 2012-06-20 11:55:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html