Bug 1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2013-11-21 14:16 UTC by Dmitri Pal
Modified: 2014-06-18 04:04 UTC

Fixed In Version: sssd-1.11.2-40.el7
Doc Type: Known Issue
Doc Text:
The System Security Services Daemon (SSSD) connects to the Global Catalog (GC) for all user and group lookups. POSIX attributes such as UID or GID are not replicated to the Global Catalog by default. SSSD is able to fall back from GC to Lightweight Directory Access Protocol (LDAP) lookups, but this fallback is performed only after a lookup. As a consequence, two attempts are needed to look up users with POSIX attributes in Active Directory in environments where POSIX attributes are not replicated to the Global Catalog.
Last Closed: 2014-06-13 11:58:48 UTC

Description Dmitri Pal 2013-11-21 14:16:24 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2152

{{{
20:19 < simo> jhrozek: right after we search rootdse make a search for (uidNumber=*) under cn=users
20:19 < simo> if anything is returned we know it is ok to stay with gc
20:19 < simo> otherwise we disconnect, and switch to normal LDAP
20:19 < simo> we can use a control to limit how many entries are returned too
20:20 < simo> using the paged search and telling AD to return 5 entries pages or so
20:20 < simo> so we do not have to process a ton of data just for probing
}}}

Comment 1 Jakub Hrozek 2014-01-08 13:54:23 UTC
This bug was triaged, planned and is being worked on. Moving to ASSIGNED.

Comment 2 Jakub Hrozek 2014-02-12 14:58:26 UTC
Pushed upstream:
    master: 86c2e80de2243c3bd7691657086f1a182e7fc45c
    sssd-1-11: e81deec535d11912b87954c81a1edd768c1386c9

Comment 4 Jeremy Agee 2014-03-12 12:16:39 UTC
Automation task passed.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_07: bz 1033081 detect if posix attributes have been replicated to the global catalog
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'id posixuser1_dom1@sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom1@sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom1@sssdad.com (Assert: posixuser1_dom1@sssdad.com:*:100001:100001:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh should equal posixuser1_dom1@sssdad.com:*:100001:100001:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh)
:: [   PASS   ] :: Running 'id posixuser1_dom2@sssdad_tree.com' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom2@sssdad_tree.com' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom2@sssdad_tree.com (Assert: posixuser1_dom2@sssdad_tree.com:*:100002:100002:posixuser1_dom2:/home2/sssdad_tree.com/posixuser1_dom2:/bin/ksh should equal posixuser1_dom2@sssdad_tree.com:*:100002:100002:posixuser1_dom2:/home2/sssdad_tree.com/posixuser1_dom2:/bin/ksh)
:: [   PASS   ] :: Running 'id posixuser1_dom3@child1.sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom3@child1.sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom3@child1.sssdad.com (Assert: posixuser1_dom3@child1.sssdad.com:*:100003:100003:posixuser1_dom3:/home2/child1.sssdad.com/posixuser1_dom3:/bin/ksh should equal posixuser1_dom3@child1.sssdad.com:*:100003:100003:posixuser1_dom3:/home2/child1.sssdad.com/posixuser1_dom3:/bin/ksh)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'New LDAP connection to \[ldap://[[:alnum:]._-]*:3268/??base\]' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'ldap_search_ext with \[(|(uidNumber=\*)(gidNumber=\*))\]' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'POSIX attributes were requested but are not present on the server side' 
:: [   LOG    ] :: Duration: 43s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_07: bz 1033081 detect if posix attributes have been replicated to the global catalog
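
A log check built from the three log assertions in the automation run above, as an added example that is not part of the bug report or SSSD's own code: it classifies a domain log by whether the GC connection on port 3268, the `(|(uidNumber=*)(gidNumber=*))` probe and the fallback message appear. The function names, status strings and sample log lines are constructed for illustration, and treating a probe without the "not present" message as success is an assumption.

```shell
#!/bin/sh
# Classify an SSSD domain log by the outcome of the Global Catalog POSIX probe.
# Match strings come from the three log checks in the automation run above.
# grep -F is used for the literal ones so that (, |, * and [ need no escaping.

GC_CONN='New LDAP connection to \[ldap://[[:alnum:]._-]*:3268/'   # BRE
GC_PROBE='ldap_search_ext with [(|(uidNumber=*)(gidNumber=*))]'   # fixed string
GC_MISSING='POSIX attributes were requested but are not present on the server side'

# Prints: no-gc-connection | probe-not-seen | posix-missing | posix-present
gc_posix_probe_status() {
    log=$1
    [ -r "$log" ] || { echo unreadable; return 2; }
    grep -q "$GC_CONN" "$log" || { echo no-gc-connection; return 0; }
    grep -qF "$GC_PROBE" "$log" || { echo probe-not-seen; return 0; }
    # Assumption: a probe with no "not present" message means it returned entries.
    if grep -qF "$GC_MISSING" "$log"; then
        echo posix-missing      # SSSD fell back from GC to plain LDAP
    else
        echo posix-present      # SSSD stays on the GC connection
    fi
}

# Constructed sample log (message text only; dc1.sssdad.com is a made-up host).
# $1 = output path, $2 = "missing" to include the fallback message.
write_sample_log() {
    {
        echo 'New LDAP connection to [ldap://dc1.sssdad.com:3268/??base]'
        echo 'ldap_search_ext with [(|(uidNumber=*)(gidNumber=*))]'
        if [ "$2" = missing ]; then
            echo "$GC_MISSING"
        fi
    } > "$1"
}

# Demo on the constructed sample; point the function at a real
# /var/log/sssd/sssd_<domain>.log to check a host.
tmp=$(mktemp)
write_sample_log "$tmp" missing
echo "sample log: $(gc_posix_probe_status "$tmp")"
rm -f "$tmp"
```

A `posix-missing` result on every restart means POSIX attributes are not replicated to the Global Catalog and first lookups pay for the fallback.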

Comment 5 Ludek Smid 2014-06-13 11:58:48 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

