Bug 1631826 - Create a warning that SSSD needs restart after idrange-mod
Summary: Create a warning that SSSD needs restart after idrange-mod
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Tomas Capek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-09-21 16:04 UTC by Dave
Modified: 2019-08-06 13:09 UTC (History)
11 users (show)

Fixed In Version: ipa-4.6.5-2.el7
Doc Type: Known Issue
Doc Text:
.Inconsistent warning message when applying an ID range change In RHEL Identity Management (IdM), you can define multiple identity ranges (ID ranges) associated with a local IdM domain or a trusted Active Directory domain. The information about ID ranges is retrieved by the SSSD daemon on all enrolled systems. A change to ID range properties requires restart of SSSD. Previously, there was no warning about the need to restart SSSD. RHEL 7.7 adds a warning that is displayed when ID range properties are modified in a way that requires restart of SSSD. The warning message currently uses inconsistent wording. The purpose of the warning message is to ask for a restart of SSSD on any IdM system that consumes the ID range. To learn more about ID ranges, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-unique_uid_and_gid_attributes
Clone Of:
Environment:
Last Closed: 2019-08-06 13:09:16 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2241 None None None 2019-08-06 13:09:37 UTC

Description Dave 2018-09-21 16:04:49 UTC
Description of problem:
IdM idrange-mod does not work, without additional manual intervention.
The customer is not asking that idrange-mod takes care of 100% of what is needed to make it function, but simply a notification that sssd needs a restart (command-line and UI), similar to how location-add gives a notification that named needs to be restarted (command-line and UI)

Version-Release number of selected component (if applicable):
kernel-3.10.0-862.11.6.el7.x86_64
ipa-server-4.5.4-10.el7_5.3.x86_64

How reproducible:
always

Steps to Reproduce:
1. install 7.5
2. install/configure ipa-server
3. setup AD trust with a domain with greater than 200000 objects (current user RID's are greater than IdM's default 200000)
4. use idrange-mod to increase the size to be greater than the highest user RID 

Actual results:
users with RID > 200000 still cannot login

Expected results:
notification that sssd needs restarting if idrange-mod is used

Additional info:

Comment 2 Alexander Bokovoy 2018-09-24 07:37:43 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7708

Comment 4 Florence Blanc-Renaud 2019-03-29 17:16:19 UTC
Fixed upstream:
master:
    5b337a5 Show a notification that sssd needs restarting after idrange-mod

Comment 5 Florence Blanc-Renaud 2019-03-29 20:29:25 UTC
Fixed upstream
ipa-4-7:
    ca42f2f Show a notification that sssd needs restarting after idrange-mod

ipa-4-6:
    9284341 Show a notification that sssd needs restarting after idrange-mod

Comment 8 Varun Mylaraiah 2019-06-26 11:18:55 UTC
Verified 
ipa-server-4.6.5-9.el7.x86_64

[root@bender ~]# ipa idrange-mod --rid-base=300000
Range name: IPAAD2016.TEST_id_range
ipa: WARNING: Service sssd.service requires restart on IPA server IPAAD2016.TEST_id_range to apply configuration changes.
-------------------------------------------
Modified ID range "IPAAD2016.TEST_id_range"
-------------------------------------------
  Range name: IPAAD2016.TEST_id_range
  First Posix ID of the range: 1577600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 300000
  Domain SID of the trusted domain: S-1-5-21-813110839-3732285123-1597101681
  Range type: Active Directory domain range


Now we can observe ipa warning for sssd service restart.




Based on the above observation, marking the bug VERIFIED

Comment 9 Kaleem 2019-06-28 13:31:13 UTC
Alexander,

Who will add text for release notes.
I have asked Filip to provide + to require_doc_text flag.

Comment 10 Alexander Bokovoy 2019-06-28 14:10:12 UTC
I added a proposed release note. Filip, please correct it as you see fitting.

Comment 15 errata-xmlrpc 2019-08-06 13:09:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241


Note You need to log in before you can comment on or make changes to this bug.