Description of problem: getsubids <username> fails with 'Error fetching ranges' when /etc/nsswitch.conf doesn't have 'subid: sss' entry
Version-Release number of selected component (if applicable):
ipa-server-4.9.8-7.module+el8.6.0+14337+19b76db2.x86_64
shadow-utils-subid-4.6-16.el8.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Install IPA server.
2. Generate subid for admin user.
[root@server ~]# ipa subid-generate --owner=admin
3. Generate subid for regular user.
[root@server ~]# ipa subid-generate --owner=test2
4. Now install shadow-utils-subid
Actual results:
[root@server ~]# ipa subid-find --owner=admin
------------------------
1 subordinate id matched
------------------------
Unique ID: ec02ba71-cbed-48a7-9f3e-55de36129d6e
Owner: admin
SubUID range start: 2147483648
SubUID range size: 65536
SubGID range start: 2147483648
SubGID range size: 65536
----------------------------
Number of entries returned 1
----------------------------
[root@server ~]# ipa subid-find --owner=test2
------------------------
1 subordinate id matched
------------------------
Unique ID: b9e83558-c066-45db-b428-0e01d9227145
Owner: test2
SubUID range start: 2147549184
SubUID range size: 65536
SubGID range start: 2147549184
SubGID range size: 65536
----------------------------
Number of entries returned 1
----------------------------
[root@server ~]# getsubids admin
Error fetching ranges
[root@server ~]# getsubids test2
Error fetching ranges
Expected results:
Should display range as per the man page.
For example, to obtain the subordinate UIDs of the testuser:
$ getsubids testuser
0: testuser 100000 65536
This command output provides (in order from left to right) the list index, username, UID range start, and number of UIDs in range.
Additional info:
1. Logging this as a bug to check if we can include 'subid: sss' in the nsswitch.conf file automatically during installation so as to avoid manual entry.
2. If above point can't be done then maybe we should display a message on the console saying that 'Modify /etc/nsswitch.conf file to include subid:nss' to fetch subid/subgid entries.
Comment 2 Florence Blanc-Renaud
2022-03-14 13:06:36 UTC
The current behavior looks consistent to me:
if /etc/nsswitch.conf does not set subid: sss, it means that the subuid/subgid ranges are retrieved from the local files /etc/subuid and /etc/subgid.
If there is no range in these files for the provided user, the command returns "Error fetching ranges".
For instance:
[root@vm ~]# cat /etc/subuid
localuser:100000:65536
[root@vm ~]# cat /etc/subgid
localuser:100000:65536
[root@vm ~]# getsubids localuser
0: localuser 100000 65536
[root@vm ~]# getsubids localusernorange
Error fetching ranges
[root@vm ~]#
If the intent of this RFE is rather to automatically configure "subid: sss" in /etc/nsswitch.conf on any IPA client, I guess this should rather be discussed at authselect level, maybe modify the sssd profile or include a new feature to the profile.
@pbrezina @atikhono any opinion on this?
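The lookup behaviour described in comment 2, as an added diagnostic sketch that is not part of the original thread or of shadow-utils, SSSD or IPA. The function names (subid_source, has_local_range, diagnose) and the sample files are constructed for illustration; the script only reads nsswitch.conf-style and subuid-style files and does not call getsubids.

```shell
#!/bin/sh
# Print the first source on the "subid:" line of an nsswitch.conf-style file.
# With no such line the lookup stays on local files, as comment 2 describes.
subid_source() {
    src=$(awk '
        /^[ \t]*#/ { next }
        /^[ \t]*subid[ \t]*:/ {
            sub(/^[ \t]*subid[ \t]*:[ \t]*/, "")
            sub(/[ \t]*#.*$/, "")
            print $1
            exit
        }' "$1")
    echo "${src:-files}"
}

# Succeed if FILE (format name:start:count) holds a usable range for USER.
has_local_range() {
    awk -F: -v u="$2" '
        $1 == u && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 > 0 { found = 1 }
        END { exit !found }' "$1"
}

# diagnose NSSWITCH_FILE SUBUID_FILE USER
diagnose() {
    source_name=$(subid_source "$1")
    if [ "$source_name" != "files" ]; then
        echo "$source_name"      # e.g. sss: ranges are fetched through SSSD
    elif has_local_range "$2" "$3"; then
        echo "files:range"       # getsubids would list the local range
    else
        echo "files:norange"     # getsubids prints "Error fetching ranges"
    fi
}

# Constructed sample files mirroring the thread (not real system files).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'passwd: files sss\ngroup: files sss\n' > "$demo/nsswitch.default"
printf 'passwd: files sss\nsubid: sss\n' > "$demo/nsswitch.sss"
printf 'localuser:100000:65536\n' > "$demo/subuid"

for u in localuser admin; do
    printf '%s: without subid line=%s, with subid: sss=%s\n' "$u" \
        "$(diagnose "$demo/nsswitch.default" "$demo/subuid" "$u")" \
        "$(diagnose "$demo/nsswitch.sss" "$demo/subuid" "$u")"
done
```

On a real host the same functions can be pointed at /etc/nsswitch.conf and /etc/subuid to see whether an IPA-managed user such as admin falls into the "files:norange" case reported here.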
(In reply to Florence Blanc-Renaud from comment #2)
> The current behavior looks consistent to me:
>
> if /etc/nsswitch.conf does not set subid: sss, it means that the
> subuid/subgid ranges are retrieved from the local files /etc/subuid and
> /etc/subgid.
> If there is no range in these files for the provided user, the command
> returns "Error fetching ranges".
Exactly.
> If the intent of this RFE is rather to automatically configure "subid: sss"
> in /etc/nsswitch.conf on any IPA client, I guess this should rather be
> discussed at authselect level, maybe modify the sssd profile or include a
> new feature to the profile.
I agree (we even discussed this with Pavel in the past).
I'd suggest to change component to 'authselect' and update ticket title accordingly.
"Automatically" part is really questionable.
Since shadow-utils doesn't support multiple sources for "subid" field, it should be a user choice if they want SubIDs from local files or from IPA.
Maybe this choice could be even a part of ipa-client-install options?
(In reply to Alexey Tikhonov from comment #4)
> "Automatically" part is really questionable.
>
> Since shadow-utils doesn't support multiple sources for "subid" field, it
> should be a user choice if they want SubIDs from local files or from IPA.
>
> Maybe this choice could be even a part of ipa-client-install options?
@frenaud , what do you think about new option for 'ipa-client-install' (backed up by corresponding authselect option, of course)?
Comment 7 Florence Blanc-Renaud
2022-03-24 12:51:49 UTC
> @frenaud , what do you think about new option for
> 'ipa-client-install' (backed up by corresponding authselect option, of
> course)?
The team discussed this point and agrees that it makes sense to add a new ipa-client-install option allowing to configure nsswitch.conf with sss as source for subuids (not enabled by default, only if the option is toggled). I opened BZ #2068088 to track this new option and we can keep this BZ for authselect to provide a new feature to the profile.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (authselect bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:7738