Bug 1120508 - tokengroups do not work with id_provider=ldap
Summary: tokengroups do not work with id_provider=ldap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-17 05:52 UTC by Jakub Hrozek
Modified: 2014-10-14 04:49 UTC (History)

Fixed In Version: sssd-1.11.6-12.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Clone Of:
Environment:
Last Closed: 2014-10-14 04:49:07 UTC

Links:
Red Hat Product Errata RHBA-2014:1375 (priority normal, status SHIPPED_LIVE): sssd bug fix and enhancement update, last updated 2014-10-14 01:06:25 UTC

Description Jakub Hrozek 2014-07-17 05:52:13 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2345

Currently with id_provider=ldap and ldap_schema=ad I'm seeing:
{{{
(Mon Jun  2 13:37:05 2014) [sssd[be[AD-LDAP]]] [sdap_ad_tokengroups_initgr_mapping_send] (0x0020): No ID ctx available for [AD-LDAP].
}}}

We need to solve this bug because:
1. This is a regression. There are existing users running this setup; we've received bugs from them in the past.
2. There is a layering violation in the AD provider. The file `src/providers/ldap/sdap_async_initgroups_ad.c` includes `providers/ad/ad_common.h`. We should not include headers from either IPA or AD provider in the plain LDAP provider.

I would argue that the tokenGroups should have been included in the AD provider only and not the LDAP provider because it's too AD specific anyway, but I'm not sure if we can revert that now.

Comment 1 Jakub Hrozek 2014-07-17 05:55:23 UTC
To test, simply configure the SSSD with:
id_provider = ldap
ldap_schema = ad

And run:
id user

Comment 4 Kaushik Banerjee 2014-07-17 14:41:49 UTC
Will try to reproduce with the steps from comment #1

Comment 5 Jakub Hrozek 2014-07-21 10:09:01 UTC
master:
    * 1614e1b25a98ff2f03648c4bf61d750fb688285a
    * b12e2500237f33c44807d7e5b377ec06007c7252 
sssd-1-11:
    * 5001bab712149a27ab37697d487b3f51082df26d
    * deb0cc874606db31f454531c03d381fe0de76bd6

Comment 7 Jeremy Agee 2014-09-16 20:55:43 UTC
When testing with the settings below, we see the "No ID ctx available" message on early builds but not in later ones.
id_provider = ldap
ldap_schema = ad

id tuser@sssdad.com

sssd-1.11.6-1.el6
(Tue Sep 16 16:13:16 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_initgr_posix_send] (0x0020): No ID ctx available for [sssdad.com].

sssd-1.11.6-30.el6
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-32-545 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3643]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-3643 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-513]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-513 will be downloaded
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3642]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3644]
(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-21-449164774-889306861-2878230833-3644 will be downloaded
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3643]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-513]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-3644]
(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [tuser]

Comment 8 Jeremy Agee 2014-10-01 13:53:48 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bug_automation_006: BZ 1120508 tokengroups do not work with id_provider=ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'id testuser02@sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should not contain 'No ID ctx available for \[sssdad.com\]' 
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bug_automation_006: BZ 1120508 tokengroups do not work with id_provider=ldap
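As an added example (not code from this bug or from SSSD itself), here is a small Python checker that parses SSSD backend debug log lines of the layout shown in comment 7 and applies the same pass/fail criterion as the automation in comment 8: the domain's log must not contain "No ID ctx available" and should reach sdap_ad_tokengroups_update_members. The sample input is a handful of lines copied from comment 7; the log line layout is assumed from those lines.

```python
import re

# Added example, not part of the bug report: parse SSSD backend debug log lines
# "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message" and decide
# whether tokenGroups resolution worked, as comment 8's automation checks.
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
NO_ID_CTX_RE = re.compile(r"No ID ctx available for \[[^\]]+\]")
SID_RE = re.compile(r"Processing membership SID \[(?P<sid>S-1-[0-9-]+)\]")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not an SSSD debug line (blank, wrapped, or foreign)
    fields = m.groupdict()
    fields["level"] = int(fields["level"], 16)  # SSSD debug-level bitmask
    return fields

def check_tokengroups(lines, domain):
    """Summarise tokenGroups-based initgroups for `domain` from its backend log."""
    result = {"no_id_ctx": [], "sids": [], "updated": False}
    for line in lines:
        e = parse_line(line)
        if e is None or e["domain"] != domain:
            continue
        if NO_ID_CTX_RE.search(e["msg"]):
            result["no_id_ctx"].append(e["func"])  # the regression from this bug
        m = SID_RE.search(e["msg"])
        if m and m["sid"] not in result["sids"]:
            result["sids"].append(m["sid"])
        if e["func"] == "sdap_ad_tokengroups_update_members":
            result["updated"] = True  # group memberships were actually written
    result["ok"] = not result["no_id_ctx"] and result["updated"]
    return result

# Log lines copied from comment 7 above (abbreviated).
BROKEN_LOG = [
    "(Tue Sep 16 16:13:16 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_initgr_posix_send] (0x0020): No ID ctx available for [sssdad.com].",
]
FIXED_LOG = [
    "(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-32-545]",
    "(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x0400): Missing SID S-1-5-32-545 will be downloaded",
    "(Tue Sep 16 16:16:52 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_get_posix_members] (0x1000): Processing membership SID [S-1-5-21-449164774-889306861-2878230833-513]",
    "(Tue Sep 16 16:16:53 2014) [sssd[be[sssdad.com]]] [sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for [tuser]",
]

if __name__ == "__main__":
    print(check_tokengroups(BROKEN_LOG, "sssdad.com"), check_tokengroups(FIXED_LOG, "sssdad.com"))
```

Run it against the real file with `check_tokengroups(open("/var/log/sssd/sssd_sssdad.com.log"), "sssdad.com")`; a result with a non-empty `no_id_ctx` list is the failure this bug describes.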

Comment 9 errata-xmlrpc 2014-10-14 04:49:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html
