RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1033081 - Implement heuristics to detect if POSIX attributes have been replicated to the Global Catalog or not
Summary: Implement heuristics to detect if POSIX attributes have been replicated to th...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Depends On:
TreeView+ depends on / blocked
Reported: 2013-11-21 14:16 UTC by Dmitri Pal
Modified: 2020-05-02 17:32 UTC (History)
6 users (show)

Fixed In Version: sssd-1.11.2-40.el7
Doc Type: Known Issue
Doc Text:
The System Security Services Daemon (SSSD) connects to Global Catalog (GC) for all user and group lookups. POSIX attributes such as UID or GID are not replicated to Global Catalog by default. The SSSD is able to fall back to lightweight directory access protocol (LDAP) lookups from GC, but this fallback is performed only after a lookup. As a consequence, two attempts are needed to look up users with POSIX attributes in the Active Directory in environments where POSIX attributes are not replicated to Global Catalog.
Clone Of:
Last Closed: 2014-06-13 11:58:48 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3194 0 None None None 2020-05-02 17:32:28 UTC

Description Dmitri Pal 2013-11-21 14:16:24 UTC
This bug is created as a clone of upstream ticket:

20:19 < simo> jhrozek: right after we search rootdse make a search for (uidNumber=*) under cn=users
20:19 < simo> if anything is returned we know it is ok to stay with gc
20:19 < simo> otherwise we disconnect, and switch to normal LDAP
20:19 < simo> we can use a control to limit how many entries are returned too
20:20 < simo> using the paged search and telling AD to return 5 entries pages or so
20:20 < simo> so we do not have to process a ton of data just for  probing

Comment 1 Jakub Hrozek 2014-01-08 13:54:23 UTC
This bug was triaged, planned and is being worked on. Moving to ASSIGNED.

Comment 2 Jakub Hrozek 2014-02-12 14:58:26 UTC
Pushed upstream:
    master: 86c2e80de2243c3bd7691657086f1a182e7fc45c
    sssd-1-11: e81deec535d11912b87954c81a1edd768c1386c9

Comment 4 Jeremy Agee 2014-03-12 12:16:39 UTC
Automation task passed.

:: [   LOG    ] :: ad_forest_07: bz 1033081 detect if posix attributes have been replicated to the global catalog

:: [   PASS   ] :: Running 'id posixuser1_dom1' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom1' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom1 (Assert: posixuser1_dom1:*:100001:100001:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh should equal posixuser1_dom1:*:100001:100001:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh)
:: [   PASS   ] :: Running 'id posixuser1_dom2' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom2' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom2 (Assert: posixuser1_dom2:*:100002:100002:posixuser1_dom2:/home2/sssdad_tree.com/posixuser1_dom2:/bin/ksh should equal posixuser1_dom2:*:100002:100002:posixuser1_dom2:/home2/sssdad_tree.com/posixuser1_dom2:/bin/ksh)
:: [   PASS   ] :: Running 'id posixuser1_dom3.com' (Expected 0, got 0)
:: [   PASS   ] :: Running 'getent -s sss passwd posixuser1_dom3.com' (Expected 0, got 0)
:: [   PASS   ] :: checking getent data for posixuser1_dom3.com (Assert: posixuser1_dom3.com:*:100003:100003:posixuser1_dom3:/home2/child1.sssdad.com/posixuser1_dom3:/bin/ksh should equal posixuser1_dom3.com:*:100003:100003:posixuser1_dom3:/home2/child1.sssdad.com/posixuser1_dom3:/bin/ksh)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'New LDAP connection to \[ldap://[[:alnum:]._-]*:3268/??base\]' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'ldap_search_ext with \[(|(uidNumber=\*)(gidNumber=\*))\]' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should contain 'POSIX attributes were requested but are not present on the server side' 
:: [   LOG    ] :: Duration: 43s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_07: bz 1033081 detect if posix attributes have been replicated to the global catalog

Comment 5 Ludek Smid 2014-06-13 11:58:48 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.