Bug 1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2013-11-21 09:16 EST by Dmitri Pal
Modified: 2014-06-18 00:04 EDT
Fixed In Version: sssd-1.11.2-40.el7
Doc Type: Known Issue
Doc Text:
The System Security Services Daemon (SSSD) connects to Global Catalog (GC) for all user and group lookups. POSIX attributes such as UID or GID are not replicated to Global Catalog by default. The SSSD is able to fall back to lightweight directory access protocol (LDAP) lookups from GC, but this fallback is performed only after a lookup. As a consequence, two attempts are needed to look up users with POSIX attributes in the Active Directory in environments where POSIX attributes are not replicated to Global Catalog.
Last Closed: 2014-06-13 07:58:48 EDT
Description Dmitri Pal 2013-11-21 09:16:24 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2152

{{{
20:19 < simo> jhrozek: right after we search rootdse make a search for (uidNumber=*) under cn=users
20:19 < simo> if anything is returned we know it is ok to stay with gc
20:19 < simo> otherwise we disconnect, and switch to normal LDAP
20:19 < simo> we can use a control to limit how many entries are returned too
20:20 < simo> using the paged search and telling AD to return 5 entries pages or so
20:20 < simo> so we do not have to process a ton of data just for  probing
}}}
Comment 1 Jakub Hrozek 2014-01-08 08:54:23 EST
This bug was triaged, planned and is being worked on. Moving to ASSIGNED.
Comment 2 Jakub Hrozek 2014-02-12 09:58:26 EST
Pushed upstream:
    master: 86c2e80de2243c3bd7691657086f1a182e7fc45c
    sssd-1-11: e81deec535d11912b87954c81a1edd768c1386c9
Comment 4 Jeremy Agee 2014-03-12 08:16:39 EDT
Automation task passed.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_07: bz 1033081 detect if posix attributes have been replicated to the global catalog
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'id posixuser1_dom1@sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom1@sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom1@sssdad.com (Assert: posixuser1_dom1@sssdad.com:*:100001:100001:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh should equal posixuser1_dom1@sssdad.com:*:100001:100001:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh)
:: [   PASS   ] :: Running 'id posixuser1_dom2@sssdad_tree.com' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom2@sssdad_tree.com' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom2@sssdad_tree.com (Assert: posixuser1_dom2@sssdad_tree.com:*:100002:100002:posixuser1_dom2:/home2/sssdad_tree.com/posixuser1_dom2:/bin/ksh should equal posixuser1_dom2@sssdad_tree.com:*:100002:100002:posixuser1_dom2:/home2/sssdad_tree.com/posixuser1_dom2:/bin/ksh)
:: [   PASS   ] :: Running 'id posixuser1_dom3@child1.sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom3@child1.sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom3@child1.sssdad.com (Assert: posixuser1_dom3@child1.sssdad.com:*:100003:100003:posixuser1_dom3:/home2/child1.sssdad.com/posixuser1_dom3:/bin/ksh should equal posixuser1_dom3@child1.sssdad.com:*:100003:100003:posixuser1_dom3:/home2/child1.sssdad.com/posixuser1_dom3:/bin/ksh)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'New LDAP connection to \[ldap://[[:alnum:]._-]*:3268/??base\]' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'ldap_search_ext with \[(|(uidNumber=\*)(gidNumber=\*))\]' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'POSIX attributes were requested but are not present on the server side' 
:: [   LOG    ] :: Duration: 43s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_07: bz 1033081 detect if posix attributes have been replicated to the global catalog
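
The three log messages the automation run above checks for can also tell an administrator how the probe went on a given host. The script below is an added example, not part of the bug report or of SSSD: the status names, the `gps_` variables and the sample host `dc1.sssdad.com` are made up, and it assumes the domain's debug level is high enough for these messages to be logged.

```sh
#!/bin/sh
# Added example: classify the Global Catalog POSIX probe from an SSSD domain log.
# The message texts are the ones the automation run in this bug checks for;
# the status names are made up for this sketch.

gc_posix_status() {
    # $1: SSSD domain log, e.g. /var/log/sssd/sssd_<domain>.log
    gps_log=$1
    # BRE: a connection to port 3268, the Global Catalog port
    gps_conn='New LDAP connection to \[ldap://[[:alnum:]._-]*:3268/'
    # Fixed strings, matched with grep -F so the LDAP filter needs no escaping
    gps_probe='ldap_search_ext with [(|(uidNumber=*)(gidNumber=*))]'
    gps_absent='POSIX attributes were requested but are not present on the server side'

    if [ ! -r "$gps_log" ]; then
        echo "unreadable"; return 2
    fi
    if ! grep -q "$gps_conn" "$gps_log"; then
        echo "no-gc-connection"      # nothing went to port 3268
    elif ! grep -Fq "$gps_probe" "$gps_log"; then
        echo "gc-not-probed"         # GC in use, but the probe search is not logged
    elif grep -Fq "$gps_absent" "$gps_log"; then
        echo "posix-absent-in-gc"    # probe found no uidNumber/gidNumber in the GC
    else
        # Assumption: probe logged and no "not present" message means it matched
        echo "posix-present-in-gc"
    fi
}

# Constructed sample log: host name and timestamps are invented.
write_sample_log() {
    cat > "$1" <<'EOF'
(Wed Mar 12 08:10:01 2014) New LDAP connection to [ldap://dc1.sssdad.com:3268/??base]
(Wed Mar 12 08:10:01 2014) ldap_search_ext with [(|(uidNumber=*)(gidNumber=*))]
(Wed Mar 12 08:10:02 2014) POSIX attributes were requested but are not present on the server side
EOF
}

# Stand-alone run: classify the constructed sample.
gps_demo=$(mktemp)
write_sample_log "$gps_demo"
gc_posix_status "$gps_demo"
rm -f "$gps_demo"
```

A `posix-absent-in-gc` result on many hosts is the case the Doc Text describes: POSIX attributes are not replicated to the Global Catalog, so SSSD has to fall back to LDAP lookups.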
Comment 5 Ludek Smid 2014-06-13 07:58:48 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.