1457926 – Wrong search base used when SSSD is directly connected to AD child domain

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1457926 - Wrong search base used when SSSD is directly connected to AD child domain

Summary: Wrong search base used when SSSD is directly connected to AD child domain

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Zidek
QA Contact:	shridhar
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1428866
TreeView+	depends on / blocked

Reported:	2017-06-01 14:31 UTC by Michal Zidek
Modified:	2020-05-02 18:42 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sssd-1.15.2-50.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 09:06:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 4448	0	None	None	None	2020-05-02 18:42:35 UTC
Red Hat Product Errata	RHEA-2017:2294	0	normal	SHIPPED_LIVE	sssd bug fix and enhancement update	2017-08-01 12:39:55 UTC

Description Michal Zidek 2017-06-01 14:31:17 UTC

Description of problem:
We have following domain hierarchy - forest root and 2 direct child domains:
ad.test - root
child.ad.test - child of root
child2.ad.test - child of root

SSSD is directly connected to child.ad.test (for example 'realm join CHILD.AD.TEST').

Users from child2.ad.test can not be resolved.

Version-Release number of selected component (if applicable):
RHEL 7.4: sssd-1.15.2.31 (or later 1.15.2.x)
Upstream: c4ddb9ccab670f9c0d0377680237b62f9f91c496 (and later)


How reproducible:
100%

Steps to Reproduce:
Create hierarchy as described above and do:
$ getent passwd administrator.test

Actual results:
User is not resolved.

Expected results:
User resolved.


Additional info:
The problem seem to be with SSSD using wrong search base (SSSD uses search base from child.ad.test domain instead of child2.ad.test).

Comment 2 Lukas Slebodnik 2017-06-01 14:47:11 UTC

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3421

Comment 3 shridhar 2017-06-02 13:17:07 UTC

On my test system, sometimes users from other child domain are resolved. This behavior is observed intermittently.

Comment 4 Jakub Hrozek 2017-06-05 05:55:15 UTC

(In reply to shridhar from comment #3)
> On my test system, sometimes users from other child domain are resolved.
> This behavior is observed intermittently.

Is it possible to enable logging and try to catch the issue with logs? Please note it would be best to know the timestamp of when the problem occurs..

Comment 6 Jakub Hrozek 2017-06-21 10:11:02 UTC

* master:
 * 630aea13063c4b242b3433d16ca4346a1a38429b
 * b1d34059533eb50f6e5a4ac7b6fa1bb6fa60a445

Comment 8 shridhar 2017-06-23 11:00:18 UTC

[root@shr7-permanent ~]# rpm -q sssd
sssd-1.15.2-50.el7.x86_64
[root@shr7-permanent ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = childb.sssd16.qe
config_file_version = 2
services = nss, pam

[domain/childb.sssd16.qe]
ad_domain = childb.sssd16.qe
krb5_realm = CHILDB.SSSD16.QE
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
#ad_enabled_domains = first.sssd16.qe, sssd16.qe, childb.sssd16.qe
ad_enabled_domains = first.sssd16.qe, childb.sssd16.qe
debug_level = 9

[root@shr7-permanent ~]# service sssd stop ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; date ; service sssd start 
Redirecting to /bin/systemctl stop sssd.service
Fri Jun 23 06:20:03 EDT 2017
Redirecting to /bin/systemctl start sssd.service

[root@shr7-permanent ~]# id administrator.qe
uid=1170600500(administrator.qe) gid=1170600513(domain users.qe) groups=1170600513(domain users.qe),1170600520(group policy creator owners.qe),1170600512(domain admins.qe),1170600572(denied rodc password replication group.qe)

[root@shr7-permanent ~]# id administrator.qe
uid=130200500(administrator.qe) gid=130200500(administrator.qe) groups=130200500(administrator.qe),130200513


from /var/log/sssd/sssd_childb.sssd16.qe

Fri Jun 23 06:27:19 2017) [sssd[be[childb.sssd16.qe]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=first,dc=sssd16,dc=qe]
(Fri Jun 23 06:27:19 2017) [sssd[be[childb.sssd16.qe]]] [sdap_print_server] (0x2000): Searching 192.168.64.122:3268
(Fri Jun 23 06:27:19 2017) [sssd[be[childb.sssd16.qe]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=administrator)(objectclass=user)(sAMAccountName=*)(objectSID=*))][dc=first,dc=sssd16,dc=qe].


In addition to above results, following behavior was also observed:

If users information from other child domain is requested first after fresh start of SSSD then secondary group resolution does not work for users from main child domain (the domain to which rhel system is joined directly) as well. 


scenario 1:  Fetching user from other child domain:
[root@shr7-permanent ~]# service sssd stop ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; date ; service sssd start 
Redirecting to /bin/systemctl stop sssd.service
Fri Jun 23 06:55:51 EDT 2017
Redirecting to /bin/systemctl start sssd.service

[root@shr7-permanent ~]# id administrator.qe
uid=130200500(administrator.qe) gid=130200500(administrator.qe) groups=130200500(administrator.qe),130200513

[root@shr7-permanent ~]# id administrator.qe
uid=1170600500(administrator.qe) gid=1170600513 groups=1170600513


Scenario 2: Fetching users from main child (to which system is joined)

 root@shr7-permanent ~]# service sssd stop ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; date ; service sssd start 
Redirecting to /bin/systemctl stop sssd.service
Fri Jun 23 06:56:11 EDT 2017
Redirecting to /bin/systemctl start sssd.service

[root@shr7-permanent ~]# id administrator.qe
uid=1170600500(administrator.qe) gid=1170600513(domain users.qe) groups=1170600513(domain users.qe),1170600520(group policy creator owners.qe),1170600512(domain admins.qe),1170600572(denied rodc password replication group.qe)

[root@shr7-permanent ~]# id administrator.qe
uid=130200500(administrator.qe) gid=130200500(administrator.qe) groups=130200500(administrator.qe),130200513
[root@shr7-permanent ~]#

Comment 9 errata-xmlrpc 2017-08-01 09:06:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

Note You need to log in before you can comment on or make changes to this bug.