Bug 1255442 - getgrgid for user's UID on a trust client prevents getpw*
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified, OS: Unspecified
Priority: urgent, Severity: urgent
Target Milestone: rc
Assigned To: SSSD Maintainers
QA Contact: Kaushik Banerjee
Keywords: ZStream
Depends On: 1244949
Reported: 2015-08-20 11:06 EDT by Libor Miksik
Modified: 2015-12-01 10:10 EST
Fixed In Version: sssd-1.12.2-58.el7_1.17
Doc Type: Bug Fix
Doc Text:
If a getgrgid() call for an ID representing a user arrived before a getpwnam() or getpwuid() call for the user's ID in an environment with IPA-AD trusts, the getpw* function terminated with an error, preventing the user from using IPA-AD trusts; this was manifested in the SSSD logs as an EEXIST error. A patch has been applied to fix this bug, and the getpw* functions now work correctly in these circumstances.
Clone Of: 1244949
Last Closed: 2015-09-15 08:57:37 EDT
Attachments:
Logs (2.53 KB, text/plain), 2015-09-03 02:50 EDT, Sudhir Menon
NSS and Domain Logs (36.34 KB, text/plain), 2015-09-03 02:55 EDT, Sudhir Menon

Description Libor Miksik 2015-08-20 11:06:15 EDT
This bug has been copied from bug #1244949 and has been proposed
to be backported to 7.1 z-stream (EUS).
Comment 5 Sudhir Menon 2015-09-03 02:50:40 EDT
Created attachment 1069628
Logs

NSS and Domain Logs
Comment 7 Sudhir Menon 2015-09-03 02:55:02 EDT
Created attachment 1069631
NSS and Domain Logs
Comment 8 Jakub Hrozek 2015-09-03 03:30:55 EDT
I wouldn't expect these messages:
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ldb] (0x4000): Destroying timer event 0x7f6c1b942b90 "ltdb_timeout"
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ldb] (0x4000): Ending timer event 0x7f6c1b95ca40 "ltdb_callback"
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ldb] (0x4000): cancel ldb transaction (nesting: 1)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_store_user] (0x0400): Error: 17 (File exists)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_s2n_save_objects] (0x0040): sysdb_store_user failed.
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_s2n_get_user_done] (0x0040): ipa_s2n_save_objects failed.
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 17
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sdap_id_op_destroy] (0x4000): releasing operation connection

With a fixed client. Is this with new or old packages?
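
An added example, not part of the original bug report and not SSSD code: a Python scan of an SSSD domain log for the failure chain quoted in comment 8 (sysdb_store_user returning error 17, then ipa_s2n_save_objects and ipa_subdomain_account_done failing). The function name and the 20-line window are assumptions; the sample lines are copied from that comment.

```python
import re

# SSSD back-end debug line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Ordered failure chain, taken from the log excerpt in comment 8.
CHAIN = [
    ("sysdb_store_user", "Error: 17 (File exists)"),
    ("ipa_s2n_save_objects", "sysdb_store_user failed"),
    ("ipa_subdomain_account_done", "request failed: 17"),
]
WINDOW = 20  # assumption: max lines between the first and last step of one chain
# Sample input: five lines copied from comment 8; the first one is not part of the chain.
SAMPLE = """\
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [sysdb_store_user] (0x0400): Error: 17 (File exists)
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_s2n_save_objects] (0x0040): sysdb_store_user failed.
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_s2n_get_user_done] (0x0040): ipa_s2n_save_objects failed.
(Thu Sep  3 12:21:26 2015) [sssd[be[labs.test]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 17
""".splitlines()


def find_eexist_failures(lines):
    """Return one dict per completed EEXIST chain, tracked per back-end domain."""
    findings = []
    progress = {}  # domain -> (next chain index, line of first step, its timestamp)
    for lineno, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a back-end debug line (wrapped text, other component)
        dom, func, msg = m["domain"], m["func"], m["msg"]
        step, start, ts = progress.get(dom, (0, lineno, m["ts"]))
        if step and lineno - start > WINDOW:
            step, start, ts = 0, lineno, m["ts"]  # stale partial chain: start over
        want_func, want_msg = CHAIN[step]
        if func == want_func and want_msg in msg:
            if step == 0:
                start, ts = lineno, m["ts"]
            step += 1
            if step == len(CHAIN):
                findings.append({"domain": dom, "timestamp": ts, "first_line": start})
                step = 0
        progress[dom] = (step, start, ts)
    return findings
```

An isolated "Error: 17" or "Error: 2" line is not reported; only the full chain ending in the failed account request is.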
Comment 9 Sudhir Menon 2015-09-03 03:33:36 EDT
Seeing this with sssd-1.12.2-58.el7_1.16.x86_64
Comment 10 Sudhir Menon 2015-09-03 03:58:44 EDT
Blank output on IPA-Client.
[smenon@client71 ~]$ getent passwd 1375001118
[smenon@client71 ~]$
Comment 11 Jakub Hrozek 2015-09-03 04:34:12 EDT
(In reply to Sudhir Menon from comment #9)
> Seeing this with sssd-1.12.2-58.el7_1.16.x86_64

Wow, I just noticed the patch was not applied correctly. Thank you very much for precise testing, I'm building a new package.
Comment 16 Sudhir Menon 2015-09-03 08:13:13 EDT
Marking the bug as VERIFIED since the output matches the requirements as mentioned in comment #1 of bug #1244949

Observations:-

IPA-SERVER:-
[smenon@rhel71 ~]$ getent passwd monuser1@test.in
    monuser1@test.in:*:1375001115:1375001115:monuser1:/home/test.in/monuser1:
    
IPA-CLIENT:- 
[smenon@client71 ~]$ getent group 1375001115
    monuser1@test.in:*:1375001115:

[smenon@client71 ~]$ sudo ldbsearch -H /var/lib/sss/db/cache_labs.test.ldb "(&(objectclass=group)(name=monuser1@test.in))"
    asq: Unable to register control with rootdse!
    # record 1
    dn: name=monuser1@test.in,cn=groups,cn=test.in,cn=sysdb
    createTimestamp: 1441282126
    gidNumber: 1375001115
    name: monuser1@test.in
    objectClass: group
    objectSIDString: S-1-5-21-742749997-2996825573-4184801258-1115
    userPrincipalName: monuser1@TEST.IN
    adAccountExpires: 9223372036854775807
    adUserAccountControl: 66048
    originalDN: CN=monuser1,CN=Users,DC=test,DC=in
    nameAlias: monuser1@test.in
    isPosix: TRUE
    lastUpdate: 1441282126
    dataExpireTimestamp: 1441318126
    overrideDN: name=monuser1@test.in,cn=groups,cn=test.in,cn=sysdb
    distinguishedName: name=monuser1@test.in,cn=groups,cn=test.in,cn=sysdb
     
    # returned 1 records
    # 1 entries
    # 0 referrals

[smenon@client71 ~]$ getent passwd 1375001115
    monuser1@test.in:*:1375001115:1375001115:monuser1:/home/test.in/monuser1:

[smenon@client71 ~]$ sudo ldbsearch -H /var/lib/sss/db/cache_labs.test.ldb "(&(objectclass=group)(name=monuser1@test.in))"
    asq: Unable to register control with rootdse!
    # returned 0 records
    # 0 entries
    # 0 referrals

IPA-SERVER:-
sssd-ldap-1.12.2-58.el7_1.17.x86_64
sssd-ipa-1.12.2-58.el7_1.17.x86_64
sssd-1.12.2-58.el7_1.17.x86_64
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
sssd-ad-1.12.2-58.el7_1.17.x86_64
python-sssdconfig-1.12.2-58.el7_1.17.noarch
sssd-common-1.12.2-58.el7_1.17.x86_64
sssd-proxy-1.12.2-58.el7_1.17.x86_64
sssd-common-pac-1.12.2-58.el7_1.17.x86_64
sssd-client-1.12.2-58.el7_1.17.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
[smenon@rhel71 ~]$ sudo rpm -qa | grep ipa
ipa-server-trust-ad-4.1.0-18.el7_1.4.x86_64
ipa-server-4.1.0-18.el7_1.4.x86_64
sssd-ipa-1.12.2-58.el7_1.17.x86_64

IPA-CLIENT:-
[smenon@client71 ~]$ sudo rpm -qa | grep sssd
sssd-ipa-1.12.2-58.el7_1.17.x86_64
sssd-krb5-common-1.12.2-58.el7_1.17.x86_64
python-sssdconfig-1.12.2-58.el7_1.17.noarch
sssd-common-1.12.2-58.el7_1.17.x86_64
sssd-proxy-1.12.2-58.el7_1.17.x86_64
sssd-common-pac-1.12.2-58.el7_1.17.x86_64
sssd-ldap-1.12.2-58.el7_1.17.x86_64
sssd-1.12.2-58.el7_1.17.x86_64
sssd-client-1.12.2-58.el7_1.17.x86_64
sssd-krb5-1.12.2-58.el7_1.17.x86_64
sssd-ad-1.12.2-58.el7_1.17.x86_64
Comment 18 errata-xmlrpc 2015-09-15 08:57:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1785.html
