Description of problem:
On sssd-1.11.1-2.el7.x86_64 with the ad backend, "getent passwd sssduser1" does not work if "enumerate = false" is set in sssd.conf.

Version-Release number of selected component (if applicable):
sssd-1.11.1-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set "enumerate = false" in sssd.conf
2. Use the ad backend against Active Directory
3. Run "getent passwd sssduser1"; this gives blank output.

Actual results:
"getent passwd sssduser1" gives blank output.

Expected results:
"getent passwd sssduser1" should work without any issue.

Additional info:

# getent passwd sssduser1

From domain logs - /var/log/sssd/sssd_ADTEST.log
------------------------------------------
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=sssduser1]
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
-------------------------------------------

# getent group group1

From domain logs - /var/log/sssd/sssd_ADTEST.log
------------------------------------------
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4098][1][name=group1]
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
-------------------------------------------

If "enumerate = true" is set, getent works without any issue.
Do fully qualified names work? getent passwd username@ADTEST in your case.
Hi Jakub,

I tried "getent passwd sssduser1@ADTEST"; it still does not work. The domain logs give the same error as before.

----------------------------------
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=sssduser1]
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
----------------------------------

Thanks,
Niru
(In reply to Nirupama Karandikar from comment #2)
> Hi Jakub,
> 
> I tried "getent passwd sssduser1@ADTEST"; it still does not work. The domain
> logs give the same error as before.
> 
> ----------------------------------
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_get_account_info]
> (0x0100): Got request for [4097][1][name=sssduser1]
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step]
> (0x4000): beginning to connect
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send]
> (0x0100): Trying to resolve service 'AD_GC'
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send]
> (0x0020): No available servers for service 'AD_GC'
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_resolve_server_done]
> (0x1000): Server resolution failed: 5
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
It looks like the global catalog is disabled on your AD.

> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000):
> Going offline!
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080):
> Going offline. Running callbacks.
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> (0x4000): notify offline to op #1
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [ad_account_info_complete]
> (0x0010): Bug: dp_error is OK on failed request(Tue Nov 12 18:29:05 2013)
> [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned
> 3,11,Internal Error (Have exhausted maximum number of retries for service)
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_release_conn_data]
> (0x4000): releasing unused connection

This bug was fixed in sssd 1.11.2.
Hi Jakub,

Under NTDS settings on my AD DC, I can see Global Catalog is working on it. Also I am able to telnet to port 3268.

# telnet 10.65.207.124 3268
Trying 10.65.207.124...
Connected to 10.65.207.124.
Escape character is '^]'.

Am I missing anything?

If I understood correctly, the following error occurs because the AD GC is not reachable. However, when enumerate is enabled, it is able to pull users/groups at the start of the service.

> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> (0x0020): Failed to connect, going offline (5 [Input/output error])

Is "enumerate" doing anything special here?

Thanks,
Niru
AD enumeration reads data from LDAP while regular lookups connect to the GC. It's a known bug, but it has not been fixed upstream yet.

https://fedorahosted.org/sssd/ticket/2142
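The two comments above (the telnet check against TCP 3268 and the explanation that enumeration goes to LDAP while regular lookups go to the Global Catalog) amount to a triage procedure for logs like the ones quoted in this bug. The script below is an added example written for this page, not code from sssd or from the report. It parses the entry format visible in sssd_ADTEST.log, attributes each "No available servers for service '...'" and "Going offline!" entry to the account request it belongs to, and prints a one-line verdict per request. Because the "Bug: dp_error is OK on failed request" entry in the report runs straight into the next timestamp without a newline, the text is split at each timestamp rather than on newlines, so the copy-pasted log from the comments above works as input. The decoding of the request code (low bits 1 = user, 2 = group, which matches 4097 for getent passwd and 4098 for getent group in the report) and the mention of the _gc._tcp SRV records in verdict() are the example's own assumptions, not something the report states; the sample log is a condensed copy of the excerpts above.

```python
"""Triage an sssd domain-log excerpt for failover-service resolution failures.

Added example for this bug report; not part of sssd or of the report itself.
Entry format handled (as seen in the report):
  (Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [function] (0x0100): message
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Split wherever a new "(Weekday Mon dd hh:mm:ss yyyy) [sssd[" header begins,
# so entries glued together on one line (no trailing newline) still separate.
ENTRY_SPLIT_RE = re.compile(
    r"(?=\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} "
    r"\d\d:\d\d:\d\d \d{4}\) \[sssd\[)"
)
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$",
    re.S,
)
REQUEST_RE = re.compile(r"Got request for \[(?P<code>\d+)\]\[\d+\]\[name=(?P<name>[^\]]+)\]")
NO_SERVERS_RE = re.compile(r"No available servers for service '(?P<service>[^']+)'")
RETURNED_RE = re.compile(r"Request processed\. Returned (?P<dp>\d+),(?P<errno>\d+),(?P<text>.+)")

# Assumption: the low bits of the request code name the object type and
# 0x1000 is a flag bit; this matches 4097 (passwd) and 4098 (group) in the report.
OBJECT_TYPES = {1: "user", 2: "group"}


@dataclass
class RequestOutcome:
    domain: str
    kind: str
    name: str
    unresolved_services: List[str] = field(default_factory=list)
    went_offline: bool = False
    result: Optional[str] = None  # "dp_error,errno,text" from acctinfo_callback


def split_entries(text: str) -> List[str]:
    return [e.strip() for e in ENTRY_SPLIT_RE.split(text) if e.strip()]


def analyze(text: str) -> List[RequestOutcome]:
    """Attribute each resolution failure / offline transition to its request."""
    outcomes: List[RequestOutcome] = []
    current: Optional[RequestOutcome] = None
    for entry in split_entries(text):
        m = ENTRY_RE.match(entry)
        if m is None:  # separators, shell prompts and prose between excerpts
            continue
        func, msg = m.group("func"), m.group("msg")
        req = REQUEST_RE.search(msg)
        if req:
            code = int(req.group("code"))
            current = RequestOutcome(m.group("domain"),
                                     OBJECT_TYPES.get(code & 0xFF, f"type-{code}"),
                                     req.group("name"))
            outcomes.append(current)
            continue
        if current is None:
            continue
        svc = NO_SERVERS_RE.search(msg)
        if svc:
            current.unresolved_services.append(svc.group("service"))
        elif func == "be_mark_offline":
            current.went_offline = True
        else:
            ret = RETURNED_RE.search(msg)
            if ret:
                current.result = f"{ret.group('dp')},{ret.group('errno')},{ret.group('text').strip()}"
    return outcomes


def verdict(o: RequestOutcome) -> str:
    """One-line triage hint; the GC checks mirror the ones made in the report."""
    if "AD_GC" in o.unresolved_services:
        state = "went offline" if o.went_offline else "stayed online"
        return (f"{o.kind} '{o.name}': Global Catalog service 'AD_GC' unresolvable, backend "
                f"{state}; verify GC is enabled on a DC and that the _gc._tcp SRV records "
                f"and TCP 3268 are reachable (assumed checks)")
    if o.unresolved_services:
        return f"{o.kind} '{o.name}': unresolved failover service(s) {o.unresolved_services}"
    return f"{o.kind} '{o.name}': no failover problem seen (result {o.result})"


# Constructed sample: the excerpts from the report, condensed into one string.
SAMPLE_LOG = (
    "# getent passwd sssduser1 From domain logs - /var/log/sssd/sssd_ADTEST.log "
    "(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=sssduser1] "
    "(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC' "
    "(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC' "
    "(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]) "
    "(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline! "
    "(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request"
    "(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service) "
    "(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4098][1][name=group1] "
    "(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC' "
    "(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline! "
    "(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)"
)

if __name__ == "__main__":
    for outcome in analyze(SAMPLE_LOG):
        print(verdict(outcome))
```

Run it as-is to see the verdicts for the sample, or pass the contents of a real /var/log/sssd/sssd_DOMAIN.log to analyze(); with debug_level high enough to include the fo_resolve_service_send messages, a request whose unresolved service list names 'AD_GC' while the LDAP service resolves is exactly the enumeration-works-but-lookups-fail pattern discussed above.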
(In reply to Nirupama Karandikar from comment #5)
> Hi Jakub,
> 
> Under NTDS settings on my AD DC, I can see Global Catalog is working on it.
> Also I am able to telnet to port 3268.
> 
> 
> # telnet 10.65.207.124 3268
> Trying 10.65.207.124...
> Connected to 10.65.207.124.
> Escape character is '^]'.
> 
> Am I missing anything?
> 
> If I understood correctly, the following error occurs because the AD GC is not
> reachable. However, when enumerate is enabled, it is able to pull users/groups at
> the start of the service.
> 
> > (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> > (0x0020): Failed to connect, going offline (5 [Input/output error])
> 
> Is "enumerate" doing anything special here?
> 
> Thanks,
> 
> Niru

Can you paste or attach a larger portion of the logs or give us access to the Linux client you are debugging?
Hi Jakub,

It seems that there was some temporary issue with the AD Global Catalogue. It is working for me now.

I also tried on a newly built RHEL7 and it works for me now.

Niru
(In reply to Nirupama Karandikar from comment #8)
> Hi Jakub,
> 
> It seems that there was some temporary issue with the AD Global Catalogue. It is
> working for me now.
> 
> I also tried on a newly built RHEL7 and it works for me now.
> 
> Niru

Great, I'll close the bug for now but please reopen if it hits again.