Bug 1221358

| Summary: | SSSD doesn't work with ID mapping and disabled subdomains | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.6 | CC: | drieden, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl, sgoveas, tlavigne |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.12.4-42.el6 | Doc Type: | Bug Fix |
| Doc Text: | Setups with "subdomains_provider=none" set for AD domains sometimes did not work as expected. Now, the ldap_idmap_default_domain_sid option value is used for the SSSD main domain, thus fixing the bug. Note that ldap_idmap_default_domain_sid must be set for SSSD to function correctly in this situation. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-07-22 06:46:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description (Jakub Hrozek, 2015-05-13 20:24:37 UTC)
Upstream ticket: https://fedorahosted.org/sssd/ticket/2635

* master: 21687d1d553579e81aa43bfa20f2e70fb39e8461
* sssd-1-12: 2bf32678c96304d04e69813fd6d317d981ad2c41

Steps to reproduce:
- Enroll SSSD to a member domain of an AD forest
- Use the AD provider
- set subdomains_provider=none

* master: 21687d1d553579e81aa43bfa20f2e70fb39e8461
* sssd-1-12: 2bf32678c96304d04e69813fd6d317d981ad2c41

Tested with sssd-1.12.4-43.el6.x86_64

User lookups fail on connecting to the child domain with the following config:

```ini
[domain/child1.sssdad.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = child1.sssdad.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
subdomains_provider=none
```

Domain log shows:

```
(Tue Jun 2 22:21:27 2015) [sssd[be[child1.sssdad.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=user1_dom3-970205]
(Tue Jun 2 22:21:27 2015) [sssd[be[child1.sssdad.com]]] [be_req_set_domain] (0x0400): Changing request domain from [child1.sssdad.com] to [child1.sssdad.com]
(Tue Jun 2 22:21:27 2015) [sssd[be[child1.sssdad.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Tue Jun 2 22:21:27 2015) [sssd[be[child1.sssdad.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
```

Workaround:
Since the autodiscovery fails, add the domain SID manually, i.e. "ldap_idmap_default_domain_sid = S-1-5-21-3406858696-2348136156-2230084869"

(In reply to Kaushik Banerjee from comment #8)
> Workaround:
> Since the autodiscovery fails, add the domain sid manually i.e.
> "ldap_idmap_default_domain_sid = S-1-5-21-3406858696-2348136156-2230084869"

Lukas would know this better, but I think it's expected with disabled subdomains provider. However, it /is/ something we should document.

The title of this BZ is not proper. The fix allows using the workaround with ldap_idmap_default_domain_sid; previously it was not possible to use this workaround.

I fixed the doc text, can we move back to ON_QA?

I used an unpatched build sssd-1.12.4-40.el6.x86_64 and see that the workaround of manually defining ldap_idmap_default_domain_sid works in it.

Was this supposed to be broken in sssd-1.12.4-40?

(In reply to Kaushik Banerjee from comment #12)
> I used an unpatched build sssd-1.12.4-40.el6.x86_64 and see that the
> workaround of manually defining ldap_idmap_default_domain_sid works in it.
>
> Was this supposed to be broken in sssd-1.12.4-40 ?

ID mapping worked in the case when the user had POSIX attributes, but it did not work for users *without* POSIX attributes.

IIRC the reproducer should be:
* create a user without POSIX attributes.
* disable subdomains
* configure ldap_idmap_default_domain_sid
* get ID info about the user WITHOUT POSIX attributes.

I see that non-POSIX groups were not returned earlier. Here is my test result.

On sssd-1.12.4-40:

```
# id user1_dom3-970205.com
uid=201898(user1_dom3-970205.com) gid=200513(domain users.com) groups=200513(domain users.com)
```

On sssd-1.12.4-43:

```
# id user1_dom3-970205.com
uid=201898(user1_dom3-970205.com) gid=200513(domain users.com) groups=200513(domain users.com),201901(group1_dom3-970205.com)
```

In the above test, user1_dom3-970205 and group1_dom3-970205 do not have POSIX attributes. The sssd.conf has:

```ini
[domain/child1.sssdad.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = child1.sssdad.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
subdomains_provider=none
ldap_idmap_default_domain_sid = S-1-5-21-3406858696-2348136156-2230084869
```

Please turn this bug to ON_QA if the above test results are as expected.

Verified in sssd-1.12.4-43 as per comment #14.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1448.html
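As an added illustration (not code from this bug or from SSSD), the arithmetic behind the uid/gid values in the test output above: with ldap_idmap_default_domain_sid set, sssd-ldap(5) places that domain in slice 0 of the ID map, so under the default ldap_idmap_range_min and ldap_idmap_range_size of 200000 a RID maps to 200000 + RID (Domain Users, RID 513, becomes gid 200513). The defaults and the slice-0 rule are assumptions taken from the man page; the unparseable-SID branch mirrors the "Could not parse domain SID from [(null)]" log line that appears when autodiscovery hands SSSD no SID.

```python
import re

# SSSD algorithmic ID-mapping defaults (ldap_idmap_range_min and
# ldap_idmap_range_size in sssd-ldap(5)); assumed unchanged in the bug's setup.
RANGE_MIN = 200000
RANGE_SIZE = 200000

# Domain SID from the bug's workaround. With ldap_idmap_default_domain_sid set,
# sssd-ldap(5) guarantees this domain occupies slice 0 of the ID map.
DEFAULT_DOMAIN_SID = "S-1-5-21-3406858696-2348136156-2230084869"

# Object SID: domain SID (S-1-5-21-<three sub-authorities>) followed by the RID.
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(sid):
    """Return (domain SID, RID) for an object SID, or None when it cannot be
    parsed, which is the situation the '(null)' log line above reports."""
    if sid is None or not _SID_RE.match(sid):
        return None
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)


def sid_to_id(sid, default_domain_sid=DEFAULT_DOMAIN_SID):
    """Map an object SID of the default domain to its POSIX ID in slice 0."""
    parsed = split_sid(sid)
    if parsed is None:
        raise ValueError("Could not parse domain SID from [%s]" % (sid,))
    dom, rid = parsed
    if dom != default_domain_sid:
        # Other domains are hashed into a slice; with subdomains_provider=none
        # SSSD never learns their SIDs, so refuse rather than guess.
        raise ValueError("%s is not the default domain" % dom)
    if rid >= RANGE_SIZE:
        raise ValueError("RID %d does not fit in a slice of %d" % (rid, RANGE_SIZE))
    return RANGE_MIN + rid


def id_to_sid(posix_id, default_domain_sid=DEFAULT_DOMAIN_SID):
    """Inverse mapping for IDs that fall inside slice 0."""
    if not RANGE_MIN <= posix_id < RANGE_MIN + RANGE_SIZE:
        raise ValueError("ID %d lies outside slice 0" % posix_id)
    return "%s-%d" % (default_domain_sid, posix_id - RANGE_MIN)


if __name__ == "__main__":
    # RIDs 1898, 513 and 1901 reproduce the uid/gid values in the test output.
    for rid in (1898, 513, 1901):
        print(rid, "->", sid_to_id("%s-%d" % (DEFAULT_DOMAIN_SID, rid)))
```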