Red Hat Bugzilla – Bug 1120508
tokengroups do not work with id_provider=ldap
Last modified: 2014-10-14 00:49:07 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2345

Currently with id_provider=ldap and ldap_schema=ad I'm seeing:

(Mon Jun 2 13:37:05 2014) [sssd[be[AD-LDAP]]] [sdap_ad_tokengroups_initgr_mapping_send] (0x0020): No ID ctx available for [AD-LDAP].

We need to solve this bug because:
1. This is a regression. There are existing users running this setup, we've received bugs from them in the past.
2. There is a layering violation in the AD provider. The file `src/providers/ldap/sdap_async_initgroups_ad.c` includes `providers/ad/ad_common.h`. We should not include headers from either IPA or AD provider in the plain LDAP provider.

I would argue that the tokenGroups should have been included in the AD provider only and not the LDAP provider because it's too AD specific anyway, but I'm not sure if we can revert that now.
To test, simply configure the SSSD with:

id_provider = ldap
ldap_schema = ad

And run:

id user
Will try to reproduce with the steps from comment #1
master:
* 1614e1b25a98ff2f03648c4bf61d750fb688285a
* b12e2500237f33c44807d7e5b377ec06007c7252

sssd-1-11:
* 5001bab712149a27ab37697d487b3f51082df26d
* deb0cc874606db31f454531c03d381fe0de76bd6
When testing with these settings we see the "No ID ctx available" message on early builds but not in later ones.

id_provider = ldap
ldap_schema = ad

id tuser@sssdad.com

sssd-1.11.6-1.el6
(Tue Sep 16 16:13:16 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_initgr_posix_send] (0x0020): No ID ctx available for [sssdad.com].

sssd-1.11.6-30.el6
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-32-545 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3643]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-3643 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-513]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-513 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3642]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3644]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-3644 will be downloaded
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3643]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-513]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3644]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [tuser]
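A small log checker, added here as an example (it is not part of the bug report or of SSSD), that parses sssd_<domain>.log debug lines in the format quoted above, flags the "No ID ctx available" regression marker, and summarizes which tokenGroups SIDs were processed and which had to be downloaded; the sample lines are constructed from the output quoted in the comment above.

```python
import re
from collections import Counter

# SSSD back-end debug log format as quoted in this bug:
# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Regression marker from the original report and the 1.11.6-1 build.
NO_ID_CTX_RE = re.compile(r"No ID ctx available for \[(?P<domain>[^\]]+)\]")
# SIDs mentioned by sdap_ad_tokengroups_get_posix_members.
SID_RE = re.compile(r"(?:Processing membership SID \[|Missing SID )(?P<sid>S-\d+(?:-\d+)+)")

def parse_line(line):
    """Split one debug line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Summarize a log: regression hits, SIDs processed, SIDs missing from cache."""
    result = {"no_id_ctx": [], "processed": Counter(), "missing": set(), "unparsed": 0}
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            result["unparsed"] += 1
            continue
        m = NO_ID_CTX_RE.search(rec["msg"])
        if m:
            result["no_id_ctx"].append((rec["func"], m.group("domain")))
            continue
        if rec["func"] == "sdap_ad_tokengroups_get_posix_members":
            m = SID_RE.search(rec["msg"])
            if m and rec["msg"].startswith("Missing SID"):
                result["missing"].add(m.group("sid"))
            elif m:
                result["processed"][m.group("sid")] += 1
    return result

def has_regression(lines):
    """True when any line carries the 'No ID ctx available' marker."""
    return bool(analyze(lines)["no_id_ctx"])

# Constructed sample input, taken from the lines quoted in this comment.
OLD_BUILD = ["(Tue Sep 16 16:13:16 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_initgr_posix_send] (0x0020): No ID ctx available for [sssdad.com]."]
NEW_BUILD = [
    "(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]",
    "(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-32-545 will be downloaded",
    "(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]",
    "(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [tuser]",
]
```

Running `analyze(OLD_BUILD)` reports the regression hit in sdap_ad_tokengroups_initgr_posix_send, while `analyze(NEW_BUILD)` reports no hit and shows S-1-5-32-545 processed twice and downloaded once.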
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: bug_automation_006: BZ 1120508 tokengroups do not work with id_provider=ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'id testuser02@sssdad.com' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/sssd/sssd_sssdad.com.log' should not contain 'No ID ctx available for \[sssdad.com\]'
:: [ LOG ] :: Duration: 1s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: bug_automation_006: BZ 1120508 tokengroups do not work with id_provider=ldap
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1375.html