Bug 1459817 - sssd is not always able to resolve AD domain SID with "subdomain_provider = none"
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: SSSD Maintainers
QA Contact: sssd-qe
Reported: 2017-06-08 05:28 EDT by Thorsten Scherf
Modified: 2017-07-10 05:48 EDT
CC: 8 users

Last Closed: 2017-07-10 05:48:14 EDT
Type: Bug
Description Thorsten Scherf 2017-06-08 05:28:08 EDT
Description of problem:
SSSD with "id_provider = ad" and "subdomain_provider = none" is only able to resolve the AD domain SID when the cache is empty. Once ID mapping data has been written to the cache, SSSD fails to resolve the domain SID.

The issue is related to this upstream ticket:

ID mapping does not work with disabled subdomains
https://pagure.io/SSSD/sssd/issue/2635


Additional info:
Customer case has been opened against RHEL-6.8 and sssd-1.13 but Sumit confirmed the issue also exists in master. Therefore I opened this bug against RHEL7.
Comment 2 Sumit Bose 2017-06-08 05:35:46 EDT
There is already commit 21687d1d553579e81aa43bfa20f2e70fb39e8461 but this only uses ldap_idmap_default_domain_sid for sss_domain_info if there are no ID-mapping data stored in the cache.
Comment 3 Lukas Slebodnik 2017-06-08 06:30:00 EDT
(In reply to Thorsten Scherf from comment #0)
> Description of problem:
> SSSD with "id_provider = ad" and "subdomain_provider = none"

I would ask a different question. What is the use case for "id_provider = ad" and "subdomain_provider = none"? Or what do you want to achieve?
Comment 4 Thorsten Scherf 2017-06-08 07:01:59 EDT
(In reply to Lukas Slebodnik from comment #3)
> (In reply to Thorsten Scherf from comment #0)
> > Description of problem:
> > SSSD with "id_provider = ad" and "subdomain_provider = none"
> 
> I would ask a different question. What is the use case for "id_provider = ad"
> and "subdomain_provider = none"? Or what do you want to achieve?

I *think* the reason why they set "subdomain_provider = none" is to limit the available AD user accounts to the domain the clients are joined to. On RHEL6 they don't have "ad_enabled_domains" available.
Comment 5 Thorsten Scherf 2017-06-08 07:35:30 EDT
(In reply to Thorsten Scherf from comment #4)
> (In reply to Lukas Slebodnik from comment #3)
> > (In reply to Thorsten Scherf from comment #0)
> > > Description of problem:
> > > SSSD with "id_provider = ad" and "subdomain_provider = none"
> > 
> > I would ask a different question. What is the use case for "id_provider = ad"
> > and "subdomain_provider = none"? Or what do you want to achieve?
> 
> I *think* the reason why they set "subdomain_provider = none" is to limit
> the available AD user accounts to the domain the clients are joined to. On
> RHEL6 they don't have "ad_enabled_domains" available.

Jakub just pointed me to BZ #1324428

[RFE] Discover forest's root SID even if subdomains_provider = none
https://bugzilla.redhat.com/show_bug.cgi?id=1324428

So we do have "ad_enabled_domains" available also on RHEL6, which might be a good solution to mitigate the issue.
Comment 6 Jakub Hrozek 2017-07-10 05:48:14 EDT
Since the related customer case was closed and using ad_enabled_domains is the right thing to do anyway, I'm going to close this bug report.

Please reopen if ad_enabled_domains doesn't do the right thing for you.
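As an added illustration (not part of the bug report or of the sssd project), the two sssd.conf variants discussed in this thread side by side: the reported setup that disables the subdomain provider, and the alternative from comments 5 and 6 that keeps subdomain discovery on and restricts lookups with ad_enabled_domains instead. The domain name ad.example.com is a constructed placeholder.

```ini
# --- Variant 1: configuration as reported in the bug (illustration only) ---
# subdomain_provider = none switches off forest/subdomain discovery. Per the
# report, sssd then resolves the domain SID only while the cache is empty;
# once ID-mapping data has been cached, SID resolution fails.
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com          ; constructed placeholder domain

[domain/ad.example.com]
id_provider = ad
access_provider = ad
ldap_id_mapping = True            ; default for the AD provider, shown for clarity
subdomain_provider = none

# --- Variant 2: alternative suggested in comments 5 and 6 ---
# Leave subdomain discovery at its default so the forest root SID is found,
# and limit which AD domains are served with ad_enabled_domains (a
# comma-separated list of domain names). Listing only the joined domain
# gives the "this domain only" effect the customer was after.
[domain/ad.example.com]
id_provider = ad
access_provider = ad
ldap_id_mapping = True
ad_enabled_domains = ad.example.com   ; constructed placeholder domain
```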
