Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
The UPN negative cache does not use values from 'filter_users' config option and as a result a backend lookup for trigger also for those users.
Version-Release number of selected component (if applicable):
sssd-1.16.4-21.el7.x86_64
How reproducible:
Always
Steps to Reproduce:
- Setup trust
- Change domain resolution order to prefer the AD domain
- Added aduser in sssd.conf in filter_users
- ipactl stop
- rm -f sssd logs and cache
- sssd start
- ipactl start
- sssctl domain-list should not show the AD domain
- keep calling sssctl domain-list until you do see the AD domain
- then run id user
- check that there are no calls to [cache_req_search_dp] for user in sssd_nss.log
Actual results:
LDAP lookups for 'user'
Expected results:
No LDAP lookups root 'user'
Additional info:
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1685472#c10
Performed Steps As per :
https://bugzilla.redhat.com/show_bug.cgi?id=1685472#c9
[root@ipaqavmb ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 Beta (Maipo)
[root@ipaqavmb ~]# rpm -qa sssd
sssd-1.16.4-32.el7.x86_64
[root@ipaqavmb ~]# ipa config-show | grep resolution
Domain resolution order: ipaad2k16cin.test:gss78.test
[root@ipaqavmb ~]# grep -B 3 "filter_users" /etc/sssd/sssd.conf
[nss]
memcache_timeout = 600
homedir_substring = /home
filter_users = aduser1
[root@ipaqavmb ~]# ipactl stop
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping winbind Service
Stopping smb Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful
[root@ipaqavmb ~]# service sssd stop; rm -rf /var/lib/sss/{db,mc}/*; service sssd start
Redirecting to /bin/systemctl stop sssd.service
Redirecting to /bin/systemctl start sssd.service
[root@ipaqavmb ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Starting smb Service
Starting winbind Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@ipaqavmb ~]# sssctl domain-list | grep ipaad2k16cin.test
ipaad2k16cin.test
ipasubad2k16cin.ipaad2k16cin.test
[root@ipaqavmb ~]# id aduser1 ; date
id: aduser1: no such user
Wed Oct 9 05:20:39 EDT 2019
[root@ipaqavmb ~]# grep -F "Looking up [aduser1] in data provider" /var/log/sssd/sssd_nss.log
[root@ipaqavmb ~]# echo $?
1
In latest version there is no call log for known doamins like "Looking up [aduser] in data provider" messages in sssd_nss.log
Based on This moving bz to verified.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:1053