Bug 628672 - sssd-ldap: filters me out for unknown reason
Product: Fedora
Classification: Fedora
Component: sssd
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-08-30 13:48 EDT by Jan Engelhardt
Modified: 2010-08-30 18:43 EDT (History)
Last Closed: 2010-08-30 14:30:06 EDT
Description Jan Engelhardt 2010-08-30 13:48:03 EDT
Description of problem:
sssd-ldap filters out the user.

Version-Release number of selected component (if applicable):

How reproducible:
A different adventure every time I try to retrofit an install with sssd.

Additional details:
See attached logfile.
Comment 1 Jan Engelhardt 2010-08-30 13:49:10 EDT
Created attachment 441999
sssd_LDAP.log with debug_level=9
Comment 2 Stephen Gallagher 2010-08-30 13:53:23 EDT
(Mon Aug 30 18:45:24 2010) [sssd[be[LDAP]]] [sdap_save_user_send] (2): User [jengelh] filtered out! (id out of range)

Your user ID or primary GID is out of range. On SSSD 1.1.0, we had set the default for min_id at 1000 (which means that if either your UID or primary GID were less than 1000, you would be filtered out).

Newer versions default to using a min_id of 1. Try setting:
min_id = 1
in your [domain/LDAP] section in sssd.conf.
Comment 3 Jan Engelhardt 2010-08-30 14:18:51 EDT
Yeah I noticed the default of 1000, which should be ok with my uid.
An nss_ldap system returns:

# id jengelh
uid=2034(jengelh) gid=20(cdrom) groups=20(cdrom)
Comment 4 Stephen Gallagher 2010-08-30 14:30:06 EDT
Please read carefully. You have your primary GID set to 20(cdrom). This is why it is getting filtered out.
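
The range check described in Comments 2 and 4, as an added example that is not part of the bug thread and is not SSSD's own code: it reads `min_id` from a `[domain/LDAP]` section and reports which passwd-style entries would be dropped because the UID or the primary GID is out of range. The sample config and passwd lines are constructed (only the `jengelh` UID/GID pair comes from the thread), the function names are hypothetical, and `max_id` (0 meaning no upper limit) is taken from sssd.conf(5), not from this thread.

```python
import configparser

# Constructed sample input: an sssd.conf fragment and getent-passwd-style lines.
SAMPLE_CONF = """
[domain/LDAP]
id_provider = ldap
min_id = 1000
"""

SAMPLE_PASSWD = """\
jengelh:x:2034:20:Example User:/home/jengelh:/bin/bash
alice:x:2035:2035:Example User:/home/alice:/bin/bash
svc:x:500:500:Example Service:/var/lib/svc:/sbin/nologin
"""


def id_range(conf_text, domain, default_min=1000):
    """Return (min_id, max_id) for a domain section.

    default_min=1000 is the SSSD 1.1.0 default named in the thread;
    max_id == 0 means no upper limit (assumption from sssd.conf(5)).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    return (cp.getint(section, "min_id", fallback=default_min),
            cp.getint(section, "max_id", fallback=0))


def out_of_range(value, min_id, max_id):
    return value < min_id or (max_id != 0 and value > max_id)


def filtered_users(passwd_text, min_id, max_id=0):
    """Map each user that would be filtered to the offending id fields."""
    result = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or line.startswith("#"):
            continue  # skip blanks, comments and malformed entries
        uid, gid = int(fields[2]), int(fields[3])
        # Both the UID and the primary GID are tested against the same range.
        reasons = [f"{label}={val}" for label, val in (("uid", uid), ("gid", gid))
                   if out_of_range(val, min_id, max_id)]
        if reasons:
            result[fields[0]] = reasons
    return result


if __name__ == "__main__":
    lo, hi = id_range(SAMPLE_CONF, "LDAP")
    for user, why in filtered_users(SAMPLE_PASSWD, lo, hi).items():
        print(f"{user}: filtered out ({', '.join(why)}; allowed {lo}..{hi or 'no limit'})")
```

Feeding it the output of `getent passwd` from a host that still resolves users through nss_ldap shows, before migration, which accounts a given `min_id` would hide.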
Comment 5 Jan Engelhardt 2010-08-30 14:31:52 EDT
I think GID filtering should be separated from the UID filter, like nss_ldap did.
Comment 6 Jan Engelhardt 2010-08-30 14:32:59 EDT
(Indeed, the sssd.conf(5) manpage says about min_id: UID limits for the domain. Nowhere did it mention GID.)
Comment 7 Stephen Gallagher 2010-08-30 14:36:41 EDT
The manpage in newer versions of SSSD has fixed this mistake for some time now.

SSSD 1.1.0 is five months old now.

As I stated above, the resolution is that by default we are not doing UID/GID filtering in newer SSSD versions.
Comment 8 Dmitri Pal 2010-08-30 18:43:18 EDT
We are not documenting them separately because we try to think about them (and encourage everybody to share our thinking) as values from one unique number space rather than two values from two different value spaces. While it is natural for UNIX to have them separate, it becomes a real pain in the mixed environments or multi-domain cases, so we think the best approach is to have one global number (and namespace) for users and groups.
