Bug 1029457 - "getent passwd username" does not work if enumeration is not enabled with AD backend
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2013-11-12 12:31 UTC by Nirupama Karandikar
Modified: 2016-05-05 04:36 UTC
Doc Type: Bug Fix
Last Closed: 2013-11-14 09:33:44 UTC

Description Nirupama Karandikar 2013-11-12 12:31:07 UTC
Description of problem:
On sssd-1.11.1-2.el7.x86_64 with the AD backend, "getent passwd sssduser1" does not work if "enumerate = false" is set in sssd.conf.

Version-Release number of selected component (if applicable):
sssd-1.11.1-2.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set "enumerate = false" in sssd.conf 
2. Use ad backend against Active Directory
3. Run getent passwd sssduser1; this gives blank output.

Actual results:
"getent passwd sssduser1" gives blank output.

Expected results:
The "getent passwd sssduser1" should work without any issue.

Additional info:

# getent passwd sssduser1

From domain logs - /var/log/sssd/sssd_ADTEST.log
------------------------------------------
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=sssduser1]
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
-------------------------------------------

# getent group group1
From domain logs - /var/log/sssd/sssd_ADTEST.log
------------------------------------------
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4098][1][name=group1]
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
-------------------------------------------

If "enumerate = true" is set, getent works without any issue.

Comment 1 Jakub Hrozek 2013-11-12 12:34:49 UTC
Do fully qualified names work? getent passwd username@ADTEST in your case.

Comment 2 Nirupama Karandikar 2013-11-12 13:02:17 UTC
Hi Jakub,

I tried "getent passwd sssduser1@ADTEST", but it still does not work. The domain log gives the same error as before.

----------------------------------
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=sssduser1]
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
----------------------------------

Thanks,

Niru

Comment 4 Lukas Slebodnik 2013-11-12 13:10:27 UTC
(In reply to Nirupama Karandikar from comment #2)
> Hi Jakub,
> 
> I tried "getent passwd sssduser1@ADTEST", still it do not work. The domain
> logs gives same error as previous.
> 
> ----------------------------------
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_get_account_info]
> (0x0100): Got request for [4097][1][name=sssduser1]
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step]
> (0x4000): beginning to connect
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send]
> (0x0100): Trying to resolve service 'AD_GC'
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send]
> (0x0020): No available servers for service 'AD_GC'
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_resolve_server_done]
> (0x1000): Server resolution failed: 5
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
It looks like the global catalog is disabled on your AD.

This bug was fixed in the sssd 1.11.2.

Comment 5 Nirupama Karandikar 2013-11-13 05:33:48 UTC
Hi Jakub,

Under NTDS settings on my AD DC, I can see that Global Catalog is working on it. Also I am able to telnet to port 3268.


# telnet 10.65.207.124 3268
Trying 10.65.207.124...
Connected to 10.65.207.124.
Escape character is '^]'.

Am I missing anything ?

If I understood correctly, the following error is occurring because the AD GC is not reachable. However, when I enable enumerate, it is able to pull users/groups at the start of the service.

> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> (0x0020): Failed to connect, going offline (5 [Input/output error])

Is "enumerate" doing anything special here ?

Thanks,

Niru

Comment 6 Lukas Slebodnik 2013-11-13 06:53:02 UTC
AD Enumeration reads data from LDAP while regular lookups connect to GC.
It's a known bug, but it has not been fixed upstream yet.
https://fedorahosted.org/sssd/ticket/2142
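
The distinction in comment 6 is what makes this bug confusing to diagnose: with the AD provider, enumeration reads from the LDAP port, while per-name lookups go through the Global Catalog failover service, so an outage of the GC alone produces exactly the symptom above (lookups fail, enumeration works). The script below is an added example, not part of this bug report or of sssd. It parses domain-log lines in the format shown here, reports which failover service could not be resolved for each request, and lists the checks to run next. The sample log lines are constructed from this bug's excerpts; the request-type bit mapping, the "AD" name for the LDAP failover service, and the dig/nc commands are this script's assumptions.

```python
"""Triage sssd AD-provider domain log lines for failover-service failures.

Added example, not code from this bug or from sssd. It groups log lines by
be_get_account_info request and records which failover service (e.g. AD_GC)
had no available servers, so a GC-only outage is visible at a glance.
"""
import re
from collections import Counter

# Constructed sample, modelled on the excerpts in this bug: one user lookup
# and one group lookup, both failing to resolve the Global Catalog service.
SAMPLE_LOG = """\
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=sssduser1]
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
(Tue Nov 12 17:29:12 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4098][1][name=group1]
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 17:27:47 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
"""

# "[be_get_account_info] ... Got request for [4097][1][name=sssduser1]"
REQUEST_RE = re.compile(
    r"\[be_get_account_info\].*Got request for \[(\d+)\]\[\d+\]\[(\w+)=([^\]]+)\]"
)
NO_SERVER_RE = re.compile(r"No available servers for service '([^']+)'")
OFFLINE_RE = re.compile(r"\[be_mark_offline\]")

# Assumption of this script: the low bits of the request code give the object
# type (0x0001 user, 0x0002 group) and 0x1000 is a flag, so 4097 -> user.
REQ_TYPES = {0x0001: "user", 0x0002: "group"}


def classify_request(code):
    """Map a be_get_account_info request code to 'user', 'group' or a hex tag."""
    return REQ_TYPES.get(code & 0x0FFF, "type-0x%x" % code)


def triage(lines):
    """Group lines into requests; note the failed failover service and offline transitions."""
    requests = []
    current = None
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            current = {
                "kind": classify_request(int(m.group(1))),
                "name": m.group(3),
                "failed_service": None,
                "went_offline": False,
            }
            requests.append(current)
            continue
        if current is None:
            continue  # lines before the first request are ignored
        m = NO_SERVER_RE.search(line)
        if m:
            current["failed_service"] = m.group(1)
        elif OFFLINE_RE.search(line):
            current["went_offline"] = True
    return requests


def summarize(requests):
    """Count failed lookups per failover service, e.g. Counter({'AD_GC': 2})."""
    return Counter(r["failed_service"] for r in requests if r["failed_service"])


def suggested_checks(service):
    """Checks to run for a failed service; 'AD_GC' is the name seen in this bug's
    logs, 'AD' for the plain LDAP service is this script's assumption."""
    if service == "AD_GC":
        return ["dig +short SRV _gc._tcp.<forest-root-domain>", "nc -zv <dc> 3268"]
    if service == "AD":
        return ["dig +short SRV _ldap._tcp.<domain>", "nc -zv <dc> 389"]
    return []


if __name__ == "__main__":
    reqs = triage(SAMPLE_LOG.splitlines())
    for r in reqs:
        print("%-5s %-12s failed service: %s offline: %s"
              % (r["kind"], r["name"], r["failed_service"], r["went_offline"]))
    for service, n in summarize(reqs).items():
        print("%s failed %d time(s); next: %s" % (service, n, "; ".join(suggested_checks(service))))
```

If the summary shows only AD_GC failing while enumeration (which uses the LDAP port) succeeds, the problem is GC resolution or reachability, not the user or group data. Turning on enumerate only masks that, and sssd.conf(5) warns that enumeration is expensive on large domains; newer sssd releases also offer ad_enable_gc = false in the domain section (sssd-ad(5)) to send lookups to the LDAP port when no GC is reachable, at the cost of cross-domain group membership.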

Comment 7 Jakub Hrozek 2013-11-13 08:50:31 UTC
(In reply to Nirupama Karandikar from comment #5)

Can you paste or attach larger portion of the logs or give us access to the linux client you are debugging?

Comment 8 Nirupama Karandikar 2013-11-14 08:28:54 UTC
Hi Jakub,

It seems that there was some temporary issue with the AD Global Catalogue. It is working for me now.

I also tried on a newly built RHEL7 and it works for me now.

Niru

Comment 9 Jakub Hrozek 2013-11-14 09:33:44 UTC
(In reply to Nirupama Karandikar from comment #8)

Great, I'll close the bug for now but please reopen if it hits again.

