Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2421 The dereference code currently fails completely when processing initgroups of an IPA user who is a member of some Role or linked to a Permission against a new (4.0) IPA server. This is because in 4.0, IPA switched to a different permission model that no longer allows the host principal to read the rbac and pbac containers. The current dereference code errors out when it can't read even the objectclass of an entry. This bug could be also triggered outside IPA, just by restricting the ACI on the linked entry.
master: 2284e50c801a53541016eb9a5af00d1250d36afb 0321da68a393943797ea8cb9eb5e9672431ff8f4 sssd-1-11: ffe42e0158df6e4b2aad91e9a0cd75aff05be8c4
Verified with sssd-1.12.4-46.el6.x86_64 On IPA Server(RHEL7.1), run: ipa permission-add test --attrs entryusn --right read --bindtype all --subtree "dc=testrelm,dc=test" On IPA Client(RHEL6.7): [domain/testrelm.test] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = testrelm.test id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = dhcp207-169.lab.eng.pnq.redhat.com chpass_provider = ipa ipa_server = _srv_, dhcp207-70.testrelm.test dns_discovery_domain = testrelm.test ldap_deref_threshold=1 # id testuser1 uid=1578200012(testuser1) gid=1578200012(testuser1) groups=1578200012(testuser1),1578200005(testgroup4),1578200009(testgroup8),1578200004(testgroup3),1578200008(testgroup7),1578200003(testgroup2),1578200007(testgroup6),1578200001(testgroup1),1578200006(testgroup5),1578200010(testgroup9),1578200011(testgroup10)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1448.html