Bug 799915

Summary: Unable to lookup netgroups with case_sensitive=false.
Product: Red Hat Enterprise Linux 6 Reporter: Kaushik Banerjee <kbanerje>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: grajaiya, jgalipea, jhrozek, prc
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.8.0-12.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 11:55:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Kaushik Banerjee 2012-03-05 12:09:31 UTC 
Description of problem:
Unable to lookup netgroups with case_sensitive=false

Version-Release number of selected component (if applicable):
sssd-1.8.0-11

How reproducible:
Always

Steps to Reproduce:
1. Add a netgroup in ldap server:
dn: cn=NetGroup4,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: NetGroup4_Alias
cn: NetGroup4
nisNetgroupTriple: (Host1.example.com,User1,example.com)
nisNetgroupTriple: (host2.example.com,user2,Example.com)
description: All users in my organization

2. Setup sssd.conf domain section as:
[domain/LDAP]
debug_level=0xFFF0
id_provider = ldap
ldap_uri = ldap://ldapserver.example.com
ldap_search_base = dc=example,dc=com?subtree?
ldap_tls_cacert = /etc/openldap/cacerts/server.pem
case_sensitive = false

3. Lookup the netgroup.

Actual results:
"getent netgroup netgroup4" returns nothing.

Expected results:
Should be able to lookup the netgroup.

Additional info:

sssd_domain.log shows:

<snip>

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_netgroups_next_base] (0x0400): Searching for netgroups with base [dc=example,dc=com]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=netgroup4)(objectclass=nisNetgroup))][dc=example,dc=com].
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberNisNetgroup]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nisNetgroupTriple]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x17a0bb0], connected[1], ops[0x179bb90], ldap[0x179f230]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x17a0bb0], connected[1], ops[0x179bb90], ldap[0x179f230]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_parse_entry] (0x4000): OriginalDN: [cn=NetGroup4,ou=Netgroup,dc=example,dc=com].
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x17a0bb0], connected[1], ops[0x179bb90], ldap[0x179f230]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_get_netgroups_process] (0x0400): Search for netgroups, returned 1 results.
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [netgr_translate_members_send] (0x1000): Missing netgroup members.
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [netgr_translate_members_send] (0x4000): No DNs found among netgroup members.
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [cn=NetGroup4,ou=Netgroup,dc=example,dc=com] to attributes of [NetGroup4_Alias].
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding netgroup triple [(Host1.example.com,User1,example.com)] to attributes of [NetGroup4_Alias].
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding netgroup triple [(host2.example.com,user2,Example.com)] to attributes of [NetGroup4_Alias].
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): original members is not available for [NetGroup4_Alias].
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] (0x2000): members is not available for [NetGroup4_Alias].
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sdap_save_netgroup] (0x0400): Storing info for netgroup NetGroup4_Alias
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x1789180

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x17892a0

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Destroying timer event 0x17892a0 "ltdb_timeout"

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Ending timer event 0x1789180 "ltdb_callback"

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): cancel ldb transaction (nesting: 1)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sysdb_add_basic_netgroup] (0x0400): Error: 17 (File exists)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x1790b50

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x1790c00

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Destroying timer event 0x1790c00 "ltdb_timeout"

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Ending timer event 0x1790b50 "ltdb_callback"

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sysdb_remove_attrs] (0x2000): Removing attribute [originalMemberNisNetgroup] from [NetGroup4_Alias]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x179ab90

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x17892a0

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Destroying timer event 0x17892a0 "ltdb_timeout"

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Ending timer event 0x179ab90 "ltdb_callback"

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [sysdb_remove_attrs] (0x2000): Removing attribute [uniqueID] from [NetGroup4_Alias]
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x17892a0

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x179ab90

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Destroying timer event 0x179ab90 "ltdb_timeout"

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): tevent: Ending timer event 0x17892a0 "ltdb_callback"

(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Mar  5 15:29:04 2012) [sssd[be[LDAP]]] [netgr_translate_members_done] (0x4000): Saving 1 Netgroups - Done

</snip>
Comment 2 Jakub Hrozek 2012-03-05 12:20:32 UTC 
The root cause is that when fetching the data from sysdb after a cache update, we search by DN, which contains the original name, not the lowercased. We need to search by both name and nameAlias.
Comment 3 Jakub Hrozek 2012-03-05 12:21:28 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1228
Comment 7 Kaushik Banerjee 2012-04-02 19:40:18 UTC 
Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.8.0                             Vendor: Red Hat, Inc.
Release     : 20.el6                        Build Date: Fri 30 Mar 2012 06:45:57 PM IST
Install Date: Mon 02 Apr 2012 05:36:37 PM IST      Build Host: x86-002.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.8.0-20.el6.src.rpm
Size        : 7865577                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 8 Jakub Hrozek 2012-04-03 18:28:27 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed
Comment 10 errata-xmlrpc 2012-06-20 11:55:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html