Bug 861132
Summary: | Domains overlap in range 1 - 4294967295 | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Stef Walter <stefw> |
Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 18 | CC: | jhrozek, sbose, sgallagh, ssorce |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-12-20 15:51:00 UTC | Type: | Bug |
Description
Stef Walter
2012-09-27 15:26:48 UTC
Hi Stef! I think you're actually seeing intended behaviour. The SSSD contains min_id and max_id filters. Back when the SSSD started, the min_id parameter defaulted to something like 1000 so that the local IDs would be automatically filtered out. However, we quickly realized that many users are running (arguably wrong) configurations where the entries stored in LDAP fall into the same ID ranges as the local users/groups, so we just lowered the min_id param to 1 so all entries that are actually stored in LDAP are returned. Do you think there is a way to autoconfigure the min_id/max_id limits from an AD server? I'm open to suggestions, but at least in the generic LDAP case I don't think there's much to do and we just let the admin configure the limits on his own.

I think the only real bug here is that the error message is at such a low debug level. We should probably be logging this at SSSDBG_CONF_SETTINGS, not SSSDBG_MINOR_FAILURE. In real practice, it's not actually an error. As long as the domains don't truly have overlapping IDs, it should be okay. One thing we might want to do though is ensure that ldap_idmap_range_min sets min_id implicitly. This would help somewhat.

So the upshot of this is that we can't guarantee uid/gids from multiple domains not to collide in sssd, unless those domains:
* Coordinate their UID/GID allocations with one another.
* Are all AD domains using the idmap stuff.

Is that a correct assumption?

I'd say only the coordination is correct. Even if they're using the idmap stuff, there's a slight risk that separate SSSD domains would overlap, if by unlucky coincidence the two domains hashed to the same range. If they are two domains in the forest but only handled as a single SSSD domain, then the ID-mapping hash handles collisions in a single domain properly. Of course, right now we don't fully support multiple domains in a forest because there is not yet a subdomain provider for the AD provider.

Sounds to me like there is no bug, is there? Can I close this bugzilla?

(In reply to comment #5)
> Sounds to me like there is no bug, is there? Can I close this bugzilla?

I'd close it. The only question is whether we should change the log level of the message.

(In reply to comment #6)
> (In reply to comment #5)
> > Sounds to me like there is no bug, is there? Can I close this bugzilla?
>
> I'd close it. The only question is whether we should change the log level of
> the message.

Right, the CRIT_FAILURE is too restrictive.

Upstream ticket: https://fedorahosted.org/sssd/ticket/1562

sssd-1.9.1-1.fc18,libldb-1.1.13-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/sssd-1.9.1-1.fc18,libldb-1.1.13-1.fc18

Package sssd-1.9.1-1.fc18, libldb-1.1.13-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.9.1-1.fc18 libldb-1.1.13-1.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15595/sssd-1.9.1-1.fc18,libldb-1.1.13-1.fc18
then log in and leave karma (feedback).

sssd-1.9.1-1.fc18, libldb-1.1.13-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
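
The following is an added example, not code from SSSD or from this report: a small checker that reads an sssd.conf-style file and lists which enabled domains have intersecting min_id/max_id ranges, so an admin can see the collisions discussed in the thread before deploying. It assumes the sssd.conf defaults (min_id = 1, max_id = 0 meaning no limit) and does not model ID-mapping ranges; the domain names and ranges in the sample are constructed.

```python
import configparser
from itertools import combinations

UINT32_MAX = 4294967295  # upper bound shown in the bug summary

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """
[sssd]
domains = corp.example, lab.example, legacy.example

[domain/corp.example]
id_provider = ldap
min_id = 10000
max_id = 19999

[domain/lab.example]
id_provider = ldap
min_id = 15000
max_id = 29999

[domain/legacy.example]
id_provider = ldap
"""

def domain_ranges(conf_text):
    """Return {domain: (min_id, max_id)} for every domain enabled in [sssd]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    names = [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
    ranges = {}
    for name in names:
        sec = cp["domain/" + name]
        lo = sec.getint("min_id", fallback=1)  # default mentioned in the thread
        hi = sec.getint("max_id", fallback=0)  # assumption: 0 means "no limit"
        ranges[name] = (lo, hi if hi else UINT32_MAX)
    return ranges

def overlaps(ranges):
    """Return (domain_a, domain_b, low, high) for each pair whose ranges intersect."""
    found = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo <= hi:  # inclusive ranges share at least one ID
            found.append((a, b, lo, hi))
    return found

if __name__ == "__main__":
    for a, b, lo, hi in overlaps(domain_ranges(SAMPLE_CONF)):
        print(f"Domains {a} and {b} overlap in range {lo} - {hi}")
```

An overlap reported here means the configured filters permit a collision; as noted in the thread, it only becomes a real problem if the directories actually hand out the same IDs.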