Bug 1127265 - Problems with tokengroups and ldap_group_search_base
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Blocks: 1127266
Reported: 2014-08-06 13:40 UTC by Jakub Hrozek
Modified: 2018-12-09 18:17 UTC (History)

Fixed In Version: sssd-1.11.6-19.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 04:49:18 UTC


Links: Red Hat Product Errata RHBA-2014:1375 (priority: normal, status: SHIPPED_LIVE), "sssd bug fix and enhancement update", last updated 2014-10-14 01:06:25 UTC

Description Jakub Hrozek 2014-08-06 13:40:35 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2389

When I enable ldap_group_search_base to restrict to a subset of all groups with tokengroups enabled, it breaks spectacularly.  Disable tokengroups, and it works or disable ldap_group_search_base and it works.

{{{
# service sssd stop;rm -f /var/lib/sss/{db,mc}/* /var/log/sssd/*;sleep 3;service sssd start;sleep 3;id user;id user;service sssd stop
Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
uid=12345(user) gid=513(Domain Users) groups=513(Domain Users)
id: user: no such user
}}}

Log includes:

{{{
[sdap_get_initgr_done] (0x4000): Initgroups done
[sdap_get_initgr_done] (0x4000): Error in initgroups: [2][No such file or directory]
}}}

Tested on git/master dfef1d050c35398c6061256a947b4cc9c1f4b8e6

Comment 1 Jakub Hrozek 2014-08-06 13:42:07 UTC
This is a user-visible regression.

Comment 3 Jakub Hrozek 2014-08-11 14:19:03 UTC
Pushed upstream:
    master: 983983dd1629ab33eab340a40d9ee83965a339c6
    sssd-1-11: 6e6c099b02014d6e2ed97a057c6c521db9c30139

Comment 5 Jeremy Agee 2014-09-17 00:05:51 UTC
tested with sssd-1.11.6-1.el6

subtreeuser@sssdad.com user created in CN=Users,DC=sssdad,DC=com tree
and subtreegroup@sssdad.com created in OU=subtree,DC=sssdad,DC=com tree
posix attributes added for user and group
subtreegroup added as subtreeuser's primary group

With the group search set to a subtree the initgroups error was observed.
id_provider = ldap
ldap_schema = ad
ldap_group_search_base = OU=subtree,DC=sssdad,DC=com

(Tue Sep 16 19:07:27 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Tue Sep 16 19:07:27 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [22][Invalid argument]

Disabled tokengroups and error is not observed in sssd-1.11.6-1.el6.
ldap_use_tokengroups = False

(Tue Sep 16 19:51:44 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done

sssd-1.11.6-30.el6 tested with default setting of ldap_use_tokengroups = True and no initgroups error observed.

(Tue Sep 16 19:58:26 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done

Will also add automation info shortly.
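
Added example, not part of the bug report or of SSSD's own code: a Python check that flags the configuration combination reported in this bug (ldap_group_search_base set while ldap_use_tokengroups is left at its default of True) and extracts initgroups failures from a domain log. The sample config, the second domain other.example, and the function names are constructed for illustration.

```python
import configparser
import re

# Constructed sample input modelled on the settings and log lines quoted in this bug.
SAMPLE_CONF = """
[domain/sssdad.com]
id_provider = ldap
ldap_schema = ad
ldap_group_search_base = OU=subtree,DC=sssdad,DC=com

[domain/other.example]
id_provider = ldap
ldap_group_search_base = OU=subtree,DC=other,DC=example
ldap_use_tokengroups = False
"""

SAMPLE_LOG = """\
(Tue Sep 16 19:07:27 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Tue Sep 16 19:07:27 2014) [sssd[be[sssdad.com]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [22][Invalid argument]
"""

INITGR_ERR = re.compile(
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[sdap_get_initgr_done\] "
    r"\(0x[0-9a-f]+\): Error in initgroups: \[(?P<errno>\d+)\]\[(?P<msg>[^\]]*)\]")

def affected_domains(conf_text):
    """Domains that set ldap_group_search_base while tokengroups stays enabled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Comment 5 gives True as the default for ldap_use_tokengroups.
        token = opts.get("ldap_use_tokengroups", "true").strip().lower()
        if "ldap_group_search_base" in opts and token != "false":
            hits.append(section.split("/", 1)[1])
    return hits

def initgroups_errors(log_text):
    """(domain, errno, message) for each failed initgroups request in the log."""
    return [(m["domain"], int(m["errno"]), m["msg"])
            for m in INITGR_ERR.finditer(log_text)]

if __name__ == "__main__":
    print(affected_domains(SAMPLE_CONF))
    print(initgroups_errors(SAMPLE_LOG))
```

A domain flagged by the first function matters only on builds older than the fixed version named in this report; the second function is useful for confirming whether group resolution is actually failing.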

Comment 6 Jeremy Agee 2014-10-01 13:54:51 UTC
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bug_automation_007: BZ 1127265 Problems with tokengroups and ldap_group_search_base
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'id subtreeuser1@sssdad.com' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_sssdad.com.log' should not contain 'No ID ctx available for \[sssdad.com\]' 
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bug_automation_007: BZ 1127265 Problems with tokengroups and ldap_group_search_base

Comment 7 errata-xmlrpc 2014-10-14 04:49:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html

