Bug 1479983 - id root triggers an LDAP lookup
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Assigned To: SSSD Maintainers
Reported: 2017-08-09 16:53 EDT by Jakub Hrozek
Modified: 2017-08-18 05:01 EDT
Description Jakub Hrozek 2017-08-09 16:53:05 EDT
This bug is created as a clone of upstream ticket:
https://pagure.io/SSSD/sssd/issue/3460

This even looks like a regression to me, because with today's master, calling initgroups for root triggers an LDAP lookup:

```
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #0: Setting "Initgroups by name" plugin
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_send] (0x0400): CR #0: New request 'Initgroups by name'
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_process_input] (0x0400): CR #0: Parsing input name [root]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #0: Setting name [root]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain ipa.test type POSIX is valid
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #0: Using domain [ipa.test]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [ipa.test] rules
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #0: Looking up root@ipa.test
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [root@ipa.test]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/ipa.test/root@ipa.test]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: [root@ipa.test] does not exist (negative cache)
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain win.trust.test type POSIX is valid
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #0: Using domain [win.trust.test]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #0: Preparing input data for domain [win.trust.test] rules
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_send] (0x0400): CR #0: Looking up root@win.trust.test
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: Checking negative cache for [root@win.trust.test]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/win.trust.test/root@win.trust.test]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: [root@win.trust.test] is not present in negative cache
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Looking up [root@win.trust.test] in cache
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x886c30

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x886cf0

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Running timer event 0x886c30 "ltdb_callback"

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x886cf0 "ltdb_timeout"

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x886c30 "ltdb_callback"

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [sysdb_search_override_by_name] (0x0400): No user override found for name [root@win.trust.test].
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x884f50

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x887dd0

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Running timer event 0x884f50 "ltdb_callback"

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x887dd0 "ltdb_timeout"

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x884f50 "ltdb_callback"

(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #0: Object [root@win.trust.test] was not found in cache
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #0: Looking up [root@win.trust.test] in data provider
```

I even have an explicit filter_users = root in the nss section, but it doesn't appear to work.
Comment 2 Jakub Hrozek 2017-08-18 04:49:38 EDT
To test, please see the opening comment. The short version of that comment is: run "id root" in a setup that also includes subdomains (any subdomains; it doesn't have to be an IPA-AD trust, it can also be an AD-AD trust).

Before the patch, you should see the subdomain back end being queried for the root user. After the patch, the request should be shortcut in the NSS responder already and there should be no search towards the back end side.
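As an added defender-side check (not part of the report or of SSSD itself), the following Python parses sssd_nss.log lines in the format shown above, correlates them by cache-request id (the "CR #N" prefix), and flags any request whose input name is a filtered user but which still reaches the data provider, which is the symptom in the description and the thing comment 2 says should no longer happen after the patch. The sample log lines are constructed after the ones in the report, and the filtered-user list defaults to root.

```python
import re
from typing import Dict, List, Sequence, Tuple

# SSSD debug-log line: "(timestamp) [sssd[nss]] [function] (0xLEVEL): message"
LINE_RE = re.compile(r"^\([^)]*\) \[sssd\[nss\]\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
CR_RE = re.compile(r"^CR #(?P<cr>\d+): (?P<rest>.*)$")          # cache_req id prefix
SET_NAME_RE = re.compile(r"^Setting name \[(?P<name>[^\]]+)\]$")  # cache_req_set_name
DP_RE = re.compile(r"^Looking up \[(?P<qname>[^\]]+)\] in data provider$")  # cache_req_search_dp

def find_filtered_backend_lookups(lines: Sequence[str],
                                  filter_users: Sequence[str] = ("root",)) -> List[Tuple[str, str, str]]:
    """Return (cr_id, input_name, qualified_name) for every cache request whose input
    name is in filter_users yet still went to the back end instead of being short-cut."""
    names: Dict[str, str] = {}          # CR id -> input name set for that request
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # ldb timer noise, blank lines, etc.
        cr = CR_RE.match(m.group("msg"))
        if not cr:
            continue                    # message not tied to a cache request
        cr_id, rest = cr.group("cr"), cr.group("rest")
        if m.group("func") == "cache_req_set_name":
            sn = SET_NAME_RE.match(rest)
            if sn:
                names[cr_id] = sn.group("name")
        elif m.group("func") == "cache_req_search_dp":
            dp = DP_RE.match(rest)
            if dp and names.get(cr_id) in filter_users:
                hits.append((cr_id, names[cr_id], dp.group("qname")))
    return hits

# Constructed sample modelled on the report: CR #0 is "id root" leaking to the
# subdomain back end, CR #1 is an ordinary user whose back-end lookup is expected.
SAMPLE_LOG = """\
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [nss_getby_name] (0x0400): Input name: root
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #0: Setting name [root]
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #0: [root@ipa.test] does not exist (negative cache)
(Thu Aug  3 10:14:12 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #0: Looking up [root@win.trust.test] in data provider
(Thu Aug  3 10:14:13 2017) [sssd[nss]] [cache_req_set_name] (0x0400): CR #1: Setting name [alice]
(Thu Aug  3 10:14:13 2017) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #1: Looking up [alice@ipa.test] in data provider
"""

if __name__ == "__main__":
    for cr_id, name, qname in find_filtered_backend_lookups(SAMPLE_LOG.splitlines()):
        print(f"CR #{cr_id}: filtered user '{name}' reached the data provider as {qname}")
```

Run it against a real sssd_nss.log captured at debug_level 6 or higher after `id root`; an empty result means the request was short-cut in the NSS responder as comment 2 expects.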
