RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1631826 - Create a warning that SSSD needs restart after idrange-mod
Summary: Create a warning that SSSD needs restart after idrange-mod
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Tomas Capek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-09-21 16:04 UTC by Dave
Modified: 2019-08-06 13:09 UTC (History)
11 users (show)

Fixed In Version: ipa-4.6.5-2.el7
Doc Type: Known Issue
Doc Text:
.Inconsistent warning message when applying an ID range change In RHEL Identity Management (IdM), you can define multiple identity ranges (ID ranges) associated with a local IdM domain or a trusted Active Directory domain. The information about ID ranges is retrieved by the SSSD daemon on all enrolled systems. A change to ID range properties requires restart of SSSD. Previously, there was no warning about the need to restart SSSD. RHEL 7.7 adds a warning that is displayed when ID range properties are modified in a way that requires restart of SSSD. The warning message currently uses inconsistent wording. The purpose of the warning message is to ask for a restart of SSSD on any IdM system that consumes the ID range. To learn more about ID ranges, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-unique_uid_and_gid_attributes
Clone Of:
Environment:
Last Closed: 2019-08-06 13:09:16 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2241 0 None None None 2019-08-06 13:09:37 UTC

Description Dave 2018-09-21 16:04:49 UTC 
Description of problem:
IdM idrange-mod does not work, without additional manual intervention.
The customer is not asking that idrange-mod takes care of 100% of what is needed to make it function, but simply a notification that sssd needs a restart (command-line and UI), similar to how location-add gives a notification that named needs to be restarted (command-line and UI)

Version-Release number of selected component (if applicable):
kernel-3.10.0-862.11.6.el7.x86_64
ipa-server-4.5.4-10.el7_5.3.x86_64

How reproducible:
always

Steps to Reproduce:
1. install 7.5
2. install/configure ipa-server
3. setup AD trust with a domain with greater than 200000 objects (current user RID's are greater than IdM's default 200000)
4. use idrange-mod to increase the size to be greater than the highest user RID 

Actual results:
users with RID > 200000 still cannot login

Expected results:
notification that sssd needs restarting if idrange-mod is used

Additional info:
Comment 2 Alexander Bokovoy 2018-09-24 07:37:43 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7708
Comment 4 Florence Blanc-Renaud 2019-03-29 17:16:19 UTC 
Fixed upstream:
master:
    5b337a5 Show a notification that sssd needs restarting after idrange-mod
Comment 5 Florence Blanc-Renaud 2019-03-29 20:29:25 UTC 
Fixed upstream
ipa-4-7:
    ca42f2f Show a notification that sssd needs restarting after idrange-mod

ipa-4-6:
    9284341 Show a notification that sssd needs restarting after idrange-mod
Comment 8 Varun Mylaraiah 2019-06-26 11:18:55 UTC 
Verified 
ipa-server-4.6.5-9.el7.x86_64

[root@bender ~]# ipa idrange-mod --rid-base=300000
Range name: IPAAD2016.TEST_id_range
ipa: WARNING: Service sssd.service requires restart on IPA server IPAAD2016.TEST_id_range to apply configuration changes.
-------------------------------------------
Modified ID range "IPAAD2016.TEST_id_range"
-------------------------------------------
  Range name: IPAAD2016.TEST_id_range
  First Posix ID of the range: 1577600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 300000
  Domain SID of the trusted domain: S-1-5-21-813110839-3732285123-1597101681
  Range type: Active Directory domain range


Now we can observe ipa warning for sssd service restart.




Based on the above observation, marking the bug VERIFIED
Comment 9 Kaleem 2019-06-28 13:31:13 UTC 
Alexander,

Who will add text for release notes.
I have asked Filip to provide + to require_doc_text flag.
Comment 10 Alexander Bokovoy 2019-06-28 14:10:12 UTC 
I added a proposed release note. Filip, please correct it as you see fitting.
Comment 15 errata-xmlrpc 2019-08-06 13:09:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
Note You need to log in before you can comment on or make changes to this bug.