Red Hat Bugzilla – Bug 1127265
Problems with tokengroups and ldap_group_search_base
Last modified: 2014-10-31 13:32:45 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2389

When I enable ldap_group_search_base to restrict to a subset of all groups with tokengroups enabled, it breaks spectacularly. Disable tokengroups and it works, or disable ldap_group_search_base and it works.

{{{
# service sssd stop;rm -f /var/lib/sss/{db,mc}/* /var/log/sssd/*;sleep 3;service sssd start;sleep 3;id user;id user;service sssd stop
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
uid=12345(user) gid=513(Domain Users) groups=513(Domain Users)
id: user: no such user
}}}

Log includes:

{{{
[sdap_get_initgr_done] (0x4000): Initgroups done
[sdap_get_initgr_done] (0x4000): Error in initgroups: [2][No such file or directory]
}}}

Tested on git/master dfef1d050c35398c6061256a947b4cc9c1f4b8e6
This is a user-visible regression.
Pushed upstream:
master: 983983dd1629ab33eab340a40d9ee83965a339c6
sssd-1-11: 6e6c099b02014d6e2ed97a057c6c521db9c30139
Tested with sssd-1.11.6-1.el6.

subtreeuser@sssdad.com user created in the CN=Users,DC=sssdad,DC=com tree and subtreegroup@sssdad.com created in the OU=subtree,DC=sssdad,DC=com tree.
POSIX attributes added for user and group.
subtreegroup added as subtreeuser's primary group.

With the group search set to a subtree the initgroups error was observed.

id_provider = ldap
ldap_schema = ad
ldap_group_search_base = OU=subtree,DC=sssdad,DC=com

(Tue Sep 16 19:07:27 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Tue Sep 16 19:07:27 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [22][Invalid argument]

Disabled tokengroups and the error is not observed in sssd-1.11.6-1.el6.

ldap_use_tokengroups = False

(Tue Sep 16 19:51:44 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done

sssd-1.11.6-30.el6 tested with the default setting of ldap_use_tokengroups = True and no initgroups error observed.

(Tue Sep 16 19:58:26 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done

Will also add automation info shortly.
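As an added illustration that is not part of the bug report, the check below flags sssd.conf domains that combine a restricted ldap_group_search_base with tokengroups left enabled (the triggering combination on an unfixed build) and extracts the errno from the sdap_get_initgr_done log line quoted above; both the config and the log excerpt are constructed samples, and the default of ldap_use_tokengroups = True is taken from the verification comment.

```python
import configparser
import re

# Constructed sssd.conf (not from the report): the first domain pairs a subtree
# ldap_group_search_base with tokengroups left at its default, the second applies
# the report's workaround of setting ldap_use_tokengroups = False.
SAMPLE_SSSD_CONF = """\
[domain/sssdad.com]
id_provider = ldap
ldap_schema = ad
ldap_group_search_base = OU=subtree,DC=sssdad,DC=com

[domain/other.example]
id_provider = ldap
ldap_schema = ad
ldap_group_search_base = OU=groups,DC=other,DC=example
ldap_use_tokengroups = False
"""

# Constructed log excerpt in the format quoted in the verification comment.
SAMPLE_LOG = """\
(Tue Sep 16 19:07:27 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Tue Sep 16 19:07:27 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [22][Invalid argument]
"""

INITGR_ERR = re.compile(r"\[sdap_get_initgr_done\].*Error in initgroups: \[(\d+)\]\[([^\]]*)\]")

def _is_true(value):
    # ldap_use_tokengroups is True when unset, the default case in the report.
    return value.strip().lower() in ("true", "yes", "1")

def affected_domains(conf_text):
    """Names of [domain/...] sections that pair a restricted group search base
    with tokengroups, the combination that produced the initgroups failure."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    hits = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        dom = parser[section]
        if dom.get("ldap_group_search_base", "").strip() and \
                _is_true(dom.get("ldap_use_tokengroups", "True")):
            hits.append(section[len("domain/"):])
    return hits

def initgroups_errors(log_text):
    """(errno, message) pairs for each initgroups failure in a domain log."""
    return [(int(m.group(1)), m.group(2)) for m in INITGR_ERR.finditer(log_text)]
```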
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: bug_automation_007: BZ 1127265 Problems with tokengroups and ldap_group_search_base
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'id subtreeuser1@sssdad.com' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/sssd/sssd_sssdad.com.log' should not contain 'No ID ctx available for \[sssdad.com\]'
:: [ LOG ] :: Duration: 3s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: bug_automation_007: BZ 1127265 Problems with tokengroups and ldap_group_search_base
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1375.html