Bug 1346735 - External group-membership fix is incompatible with SSSD's default_domain_suffix option.
Summary: External group-membership fix is incompatible with SSSD's default_domain_suff...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: slapi-nis
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Alexander Bokovoy
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks: 1350309
Reported: 2016-06-15 09:32 UTC by Sumit Bose
Modified: 2016-11-04 07:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1350309
Environment:
Last Closed: 2016-11-04 07:05:57 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2471 0 normal SHIPPED_LIVE slapi-nis bug fix and enhancement update 2016-11-03 14:07:19 UTC

Description Sumit Bose 2016-06-15 09:32:25 UTC
Description of problem:

To resolve the external group membership of IPA groups, slapi-nis calls SSSD to get the full list of group members. Since this is done with the short group name (in the default setup IPA users and groups can be used with the short name), using SSSD's default_domain_suffix option will break this, because now IPA groups must be used with the fully-qualified name.

Since the external members of the IPA groups are resolved during the initialization of slapi-nis, this prevents slapi-nis from starting up completely and makes the IPA compat tree inaccessible, with the following messages in the error log of the directory server.

[14/Jun/2016:21:56:55 +0200] - Listening on All Interfaces port 636 for LDAPS requests
[14/Jun/2016:21:56:55 +0200] - Listening on /var/run/slapd-DOM-058-063-ABC-COM.socket for LDAPI requests
[14/Jun/2016:21:56:59 +0200] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=dom-058-063,dc=abc,dc=com
[14/Jun/2016:21:56:59 +0200] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=dom-058-063,dc=abc,dc=com
[14/Jun/2016:21:57:00 +0200] schema-compat-plugin - group "ad_user" does not exist because SSSD is offline.
[14/Jun/2016:21:57:00 +0200] schema-compat-plugin - waiting for SSSD to become online...
[14/Jun/2016:21:57:35 +0200] schema-compat-plugin - group "ad_user" does not exist because SSSD is offline.
[14/Jun/2016:21:57:35 +0200] schema-compat-plugin - waiting for SSSD to become online...
[14/Jun/2016:21:58:10 +0200] schema-compat-plugin - group "ad_user" does not exist because SSSD is offline.
[14/Jun/2016:21:58:10 +0200] schema-compat-plugin - waiting for SSSD to become online...

Comment 4 Alexander Bokovoy 2016-06-24 14:14:21 UTC
The fixes are upstream already.

Comment 6 Sumit Bose 2016-07-14 08:05:18 UTC
To reproduce the issue, create an IPA domain with a trust to an AD domain and set 'default_domain_suffix = ad.domain' on the IPA server so the users and groups from the AD domain can be looked up with the short name.

After restarting the IPA directory server the compat tree cn=compat,dc=ipa,dc=domain is not available anymore and there will be 'schema-compat-plugin - waiting for SSSD to become online... ' in the directory server's log file.

With the patch the compat tree becomes available again and the repeated log message is gone (it might still show up once during startup).
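The name-resolution mechanics behind this report, as an added model that is not slapi-nis or SSSD code: SSSD appends default_domain_suffix to any bare name, so a short IPA group name sent by the compat plugin lands in the AD domain and is not found. The domains, group members and the assumption that the fix amounts to qualifying IPA group names with the IPA domain before asking SSSD are all constructed for illustration.

```python
"""Model of how SSSD's default_domain_suffix changes group lookups made by
the compat plugin. Added example; domains and members are constructed."""

from typing import Dict, Optional, Set

# Constructed sample data: the IPA domain and a trusted AD domain,
# each mapping group name -> set of member names.
DOMAINS: Dict[str, Dict[str, Set[str]]] = {
    "ipa.domain": {"sales": {"ad_user@ad.domain"}},
    "ad.domain": {"group1": {"user1"}, "domain users": {"user1"}},
}


def qualify(name: str, default_domain_suffix: Optional[str], ipa_domain: str) -> str:
    """Return the domain-qualified form SSSD applies to a name.

    A name that already carries a domain is left alone. A bare name gets
    default_domain_suffix appended when that option is set; otherwise it is
    taken as belonging to the IPA (local) domain.
    """
    if "@" in name:
        return name
    suffix = default_domain_suffix or ipa_domain
    return f"{name}@{suffix}"


def sssd_group_members(name: str, default_domain_suffix: Optional[str],
                       ipa_domain: str = "ipa.domain") -> Optional[Set[str]]:
    """Simulated SSSD group lookup; None stands for 'group does not exist'."""
    group, _, domain = qualify(name, default_domain_suffix, ipa_domain).partition("@")
    return DOMAINS.get(domain, {}).get(group)


def compat_lookup_buggy(group: str, default_domain_suffix: Optional[str],
                        ipa_domain: str = "ipa.domain") -> Optional[Set[str]]:
    """Pre-fix behaviour: the compat plugin asks SSSD with the short IPA group name,
    which default_domain_suffix silently redirects into the AD domain."""
    return sssd_group_members(group, default_domain_suffix, ipa_domain)


def compat_lookup_fixed(group: str, default_domain_suffix: Optional[str],
                        ipa_domain: str = "ipa.domain") -> Optional[Set[str]]:
    """Assumed fixed behaviour: qualify the IPA group with the IPA domain first,
    so default_domain_suffix no longer applies to it."""
    return sssd_group_members(f"{group}@{ipa_domain}", default_domain_suffix, ipa_domain)
```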

Comment 7 Alexander Bokovoy 2016-09-05 14:22:46 UTC
This bug was fixed in 7.3 as part of bug 1292148, which was a rebase to a newer version. Since the 7.2 errata was shipped as bug 1350309, we can close this bug.

Comment 8 Alexander Bokovoy 2016-09-05 14:45:23 UTC
Moving to MODIFIED based on the comment 7.

Comment 10 Sudhir Menon 2016-09-20 10:34:54 UTC
Verified on RHEL73 using 

ipa-server-4.4.0-12.el7.x86_64
sssd-1.14.0-42.el7.x86_64
389-ds-base-1.3.5.10-11.el7.x86_64

[root@master samba]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: pne.qe
Domain NetBIOS name: PNE
Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
Trust type: Active Directory domain
UPN suffixes: qa.org
---------------------------
Number of entries returned 1

[root@master samba]# grep default_domain_suffix /etc/sssd/sssd.conf
default_domain_suffix = pne.qe

service sssd stop; rm -frv /var/lib/sss/{db,mc}/* ; service sssd start

User from AD is resolved with short name
[root@master samba]# id user1
uid=558001494(user1) gid=558001494(user1) groups=558001494(user1),558000513(domain users),558001493(group1)

Group on AD is listed
[root@master samba]# getent group sales
sales:x:11000:

[root@master ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting smb Service
Restarting winbind Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
Starting pki-tomcatd Service
ipa: INFO: The ipactl command was successful

Directory server error logs

[20/Sep/2016:15:54:43.588551496 +051800] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[20/Sep/2016:15:54:44.287396578 +051800] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[20/Sep/2016:15:54:49.242886432 +051800] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=test-relm,dc=test
[20/Sep/2016:15:54:49.270217996 +051800] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=test-relm,dc=test
[20/Sep/2016:15:54:49.335281757 +051800] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=test-relm,dc=test
[20/Sep/2016:15:54:49.387085858 +051800] schema-compat-plugin - Finished plugin initialization.

Comment 12 errata-xmlrpc 2016-11-04 07:05:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2471.html

