Bug 2219138
| Summary: | [RFE] ipa user-add should warn when it cannot create a SID because uid is out of range | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | tru |
| Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> |
| Status: | CLOSED MIGRATED | QA Contact: | ipa-qe |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.2 | CC: | rcritten, tscherf, youssef.ghorbal |
| Target Milestone: | rc | Keywords: | FutureFeature, MigratedToJIRA |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-09-18 22:58:56 UTC | Type: | Story |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
tru
2023-07-02 12:23:13 UTC
The sidgen plugin (the plugin that is generating the ipantsecurityidentifier) is triggered on user creation, even if --uid is provided. But it can generate a SID only if the uid is within an existing id range. Can you check on your installation:

- which ID ranges are defined:

```
# kinit admin
# ipa idrange-find
```

- if there is an error in the directory server error logs (/var/log/dirsrv/slap-DOMAIN-NAME/errors) similar to the following when a new user is created with a provided uid:

```
[03/Jul/2023:06:19:27.761510134 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[03/Jul/2023:06:19:27.765214399 +0000] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
```

Hello Florence

That makes sense. RFE: some warnings/errors should be shown when the ipantsecurityidentifier is not generated as expected.

Here is the info requested:

```
[truadm@wd22-2025 ~]$ ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: RHEL9.SIA_id_range
  First Posix ID of the range: 1759400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: RHEL9.SIA_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1547823303
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
```

/var/log/dirsrv/slapd-RHEL9-SIA/errors:

```
[02/Jul/2023:13:33:08.170775670 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[02/Jul/2023:13:33:08.171286895 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
[02/Jul/2023:13:37:36.738145777 +0200] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [2000] into an unused SID.
[02/Jul/2023:13:37:36.738663137 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 149]: Cannot add SID to new entry.
```

The IPA SIDGEN plugin is defined as a postoperation plugin => when IPA gets the result of the add/modify operation, the plugin may not have been executed yet and IPA has no idea whether the sid generation succeeds or fails.

We have multiple options here:

- when a uid/gid is provided (user-add/user-mod/group-add/group-mod), check if the uid/gid is outside of the defined ranges. If outside, add a warning but create the user or group anyway
- when a uid/gid is provided (user-add/user-mod/group-add/group-mod), check if the uid/gid is outside of the defined ranges. If outside, refuse to create the user/group
- evaluate the cost of rewriting the plugin as a transaction post-op plugin.

To be discussed at team level.

I have installed a fresh Fedora 38 and this is also the case:
```
[truadm@ipa ~]$ rpm -q freeipa-server freeipa-client
freeipa-server-4.10.1-4.fc38.x86_64
freeipa-client-4.10.1-4.fc38.x86_64
[truadm@lts2004-nuc ~]$ klist
Ticket cache: KCM:1000
Default principal: admin
Valid starting       Expires              Service principal
07/04/2023 09:02:00  07/05/2023 08:20:50  krbtgt/HOME.LAN
[truadm@nuc ~]$ ipa user-add toto --first=t --last=oto
-----------------
Added user "toto"
-----------------
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 1779600003
  GID: 1779600003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[truadm@nuc ~]$ ipa user-find toto --all
--------------
1 user matched
--------------
  dn: uid=toto,cn=users,cn=accounts,dc=home,dc=lan
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 1779600003
  GID: 1779600003
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipantsecurityidentifier: S-1-5-21-1964266303-1880706590-3447306255-1003
  ipauniqueid: b95e6950-1a38-11ee-8b4f-c03fd56b882d
  mepmanagedentry: cn=toto,cn=groups,cn=accounts,dc=home,dc=lan
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[truadm@nuc ~]$ ipa user-del toto
-------------------
Deleted user "toto"
-------------------
[truadm@nuc ~]$ ipa user-add toto --first=t --last=oto --uid=2000
-----------------
Added user "toto"
-----------------
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 2000
  GID: 2000
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[truadm@nuc ~]$ ipa user-find toto --all
--------------
1 user matched
--------------
  dn: uid=toto,cn=users,cn=accounts,dc=home,dc=lan
  User login: toto
  First name: t
  Last name: oto
  Full name: t oto
  Display name: t oto
  Initials: to
  Home directory: /home/toto
  GECOS: t oto
  Login shell: /bin/sh
  Principal name: toto
  Principal alias: toto
  Email address: toto
  UID: 2000
  GID: 2000
  Account disabled: False
  Preserved user: False
  Member of groups: ipausers
  ipauniqueid: ce0ae8a6-1a38-11ee-ba39-c03fd56b882d
  mepmanagedentry: cn=toto,cn=groups,cn=accounts,dc=home,dc=lan
  objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
```
can this be RFE upstream too?
Thanks
Tru
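The following script is an added example, not code from the bug report or from the FreeIPA project. It implements the first option discussed in this bug (check a requested uid/gid against the defined ID ranges and warn when no range covers it, so that an operator learns up front that sidgen will not be able to assign a SID) and adds the post-creation check an administrator would want after the reproduction above: scan `ipa user-find --all` output for entries that have no `ipantsecurityidentifier`. The `idrange-find` and `user-find` samples are constructed to mirror the output pasted in this bug (the user `alice` is invented), the script does not call `ipa` itself, and it assumes, which the page does not state, that only ranges of type "local domain range" are eligible for SID generation.

```python
"""Added example (not FreeIPA code): the 'warn when the requested uid/gid is
outside every local ID range' option from the bug, plus a check for users
created without ipantsecurityidentifier. Samples are constructed from the
report's output; the script does not call ipa. Assumption not stated on the
page: only ranges of type "local domain range" are eligible for a SID."""
from __future__ import annotations
import re
from dataclasses import dataclass

LOCAL_RANGE_TYPE = "local domain range"

@dataclass
class IdRange:
    name: str
    first_id: int
    size: int
    range_type: str

    @property
    def last_id(self) -> int:
        return self.first_id + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.first_id <= posix_id <= self.last_id

def _records(text: str) -> list[dict[str, str]]:
    """Split ipa CLI output into blank-line separated records of 'Key: value' pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if fields:
            records.append(fields)
    return records

def parse_idranges(text: str) -> list[IdRange]:
    """Build IdRange objects from `ipa idrange-find` output."""
    return [IdRange(r["Range name"], int(r["First Posix ID of the range"]),
                    int(r["Number of IDs in the range"]), r["Range type"])
            for r in _records(text) if "Range name" in r]

def local_range_for(posix_id: int, ranges: list[IdRange]) -> IdRange | None:
    """The local range covering posix_id, or None (sidgen then has no RID base to use)."""
    for r in ranges:
        if r.range_type == LOCAL_RANGE_TYPE and r.contains(posix_id):
            return r
    return None

def check_requested_id(posix_id: int, ranges: list[IdRange]) -> str | None:
    """Warning text if sidgen cannot convert posix_id into a SID, else None.
    The caller decides whether to warn-and-create or refuse (the two options in the bug)."""
    if local_range_for(posix_id, ranges) is not None:
        return None
    local = ", ".join(f"{r.name} [{r.first_id}-{r.last_id}]"
                      for r in ranges if r.range_type == LOCAL_RANGE_TYPE)
    return (f"ID {posix_id} is outside the local ID ranges ({local}); "
            "the sidgen plugin cannot add a SID to this entry")

def users_without_sid(text: str) -> list[tuple[str, int]]:
    """(login, uid) of every `ipa user-find --all` entry lacking ipantsecurityidentifier."""
    return [(r["User login"], int(r["UID"])) for r in _records(text)
            if "User login" in r and "ipantsecurityidentifier" not in r]

# Constructed samples modelled on the report; the user 'alice' is invented.
IDRANGE_FIND_OUTPUT = """\
  Range name: RHEL9.SIA_id_range
  First Posix ID of the range: 1759400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  Range type: local domain range

  Range name: RHEL9.SIA_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1547823303
  Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
"""
USER_FIND_OUTPUT = """\
  dn: uid=alice,cn=users,cn=accounts,dc=home,dc=lan
  User login: alice
  UID: 1759400003
  ipantsecurityidentifier: S-1-5-21-1964266303-1880706590-3447306255-1003

  dn: uid=toto,cn=users,cn=accounts,dc=home,dc=lan
  User login: toto
  UID: 2000
"""

if __name__ == "__main__":
    ranges = parse_idranges(IDRANGE_FIND_OUTPUT)
    for requested in (1759400003, 2000):
        print(f"uid {requested}: {check_requested_id(requested, ranges) or 'OK'}")
    for login, uid in users_without_sid(USER_FIND_OUTPUT):
        print(f"user {login} (uid {uid}) has no ipantsecurityidentifier")
```

Run against real output by piping `ipa idrange-find` and `ipa user-find --all` into the two parsers; `check_requested_id` returns the warning text rather than printing it, so the same function serves both the "warn but create anyway" and the "refuse to create" options from the discussion, and `users_without_sid` finds entries that slipped through before any such check existed.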
(In reply to tru from comment #5)
> can this be RFE upstream too?

ipa development is done upstream first. When the team decides on a proper way to fix the issue, the patch will be submitted with an upstream PR to https://github.com/freeipa/freeipa/ and the code merged to https://pagure.io/freeipa.

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to the Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.