Red Hat Bugzilla – Bug 678593
User information not updated on login for secondary domains
Last modified: 2015-01-04 18:46:35 EST
Description of problem:
At any PAM action occurring online, SSSD is supposed to perform an initgroups() request to the backend to ensure that user and group memberships are accurate for the login. However, there is a bug identified in 1.5.1 where this lookup is not happening except on the first domain in the list.

Version-Release number of selected component (if applicable):
sssd-1.5.1-6.el6

How reproducible:
Every time

Steps to Reproduce:
1. Set up an SSSD configuration with two domains with debug_level = 4 or higher in the [pam] section
3. Log in as a user in the second domain
4. Examine /var/log/sssd/sssd_pam.log

Actual results:
Only domain1 is checked for user updates. You will see the debug message:
(Fri Feb 18 09:32:22 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [domain2user@domain1]
but not:
(Fri Feb 18 09:32:22 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [domain2user@domain2]

Expected results:
You should see the debug messages:
(Fri Feb 18 09:32:22 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [domain2user@domain1]
(Fri Feb 18 09:32:22 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [domain2user@domain2]

Additional info:
sssd.conf:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = domain1,domain2
debug_level = 9

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 9

[pam]
reconnection_retries = 3
debug_level = 9

[domain/domain1]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://sssdldap.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
cache_credentials = true
enumerate = false
debug_level = 9

[domain/domain2]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://shanksldap.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/shanks/cacert.asc
cache_credentials = true
enumerate = false
debug_level = 9
min_id = 59990
max_id = 59999

Snippet of /var/log/sssd/sssd_pam.log:

(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain1]
(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain2]
(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (6): Returning info for user [bulkuser59999@domain2]
(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain1]
(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain2]
(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (6): Returning info for user [bulkuser59999@domain2]
(Fri Apr 8 14:46:01 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain1]
(Fri Apr 8 14:46:01 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain2]
(Fri Apr 8 14:46:01 2011) [sssd[pam]] [pam_check_user_search] (6): Returning info for user [bulkuser59999@domain2]
(Fri Apr 8 14:46:13 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain1]
(Fri Apr 8 14:46:19 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain2]
(Fri Apr 8 14:46:19 2011) [sssd[pam]] [pam_check_user_search] (6): Returning info for user [bulkuser59999@domain2]
(Fri Apr 8 14:46:24 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain1]
(Fri Apr 8 14:46:28 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain2]
(Fri Apr 8 14:46:28 2011) [sssd[pam]] [pam_check_user_search] (6): Returning info for user [bulkuser59999@domain2]
(Fri Apr 8 14:46:28 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain1]
(Fri Apr 8 14:46:28 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain2]
(Fri Apr 8 14:46:28 2011) [sssd[pam]] [pam_check_user_search] (6): Returning info for user [bulkuser59999@domain2]

Verified in:

# rpm -qi sssd | head
Name        : sssd                          Relocations: (not relocatable)
Version     : 1.5.1                              Vendor: Red Hat, Inc.
Release     : 24.el6                         Build Date: Sat 02 Apr 2011 01:24:54 AM IST
Install Date: Tue 05 Apr 2011 11:11:29 AM IST  Build Host: x86-012.build.bos.redhat.com
Group       : Applications/System            Source RPM: sssd-1.5.1-24.el6.src.rpm
Size        : 3462740                           License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
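The verification above is done by eye: every login must show a "Requesting info for [user@domain]" line for each configured domain, not only the first. The following added script (not part of this bug report or of SSSD) automates that check by reading the ordered domain list from sssd.conf and reporting, per user, any configured domain that sssd_pam.log never shows being queried; the config and log lines it uses are constructed from the excerpts in this report.

```python
import re
from collections import defaultdict

# Shape of the pam_check_user_search lines quoted in this bug (debug_level >= 4 in [pam]):
# "(timestamp) [sssd[pam]] [pam_check_user_search] (N): <action> [user@domain]"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[pam_check_user_search\] \((?P<level>\d+)\): "
    r"(?P<action>Requesting info for|Returning info for user) "
    r"\[(?P<user>[^@\]]+)@(?P<domain>[^\]]+)\]$"
)

def configured_domains(sssd_conf):
    """Return the ordered 'domains =' list from the [sssd] section of sssd.conf text."""
    section = None
    for raw in sssd_conf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "sssd" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "domains":
                return [d.strip() for d in value.split(",") if d.strip()]
    return []

def missing_domain_lookups(log_lines, domains):
    """Map each user seen in the log to the configured domains for which no
    'Requesting info for [user@domain]' line exists. An empty dict means every
    login queried every domain, which is the expected (fixed) behaviour."""
    requested = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m["action"] == "Requesting info for":
            requested[m["user"]].add(m["domain"])
    return {user: [d for d in domains if d not in seen]
            for user, seen in requested.items() if any(d not in seen for d in domains)}

# Constructed sample input modelled on the excerpts in this report.
SAMPLE_CONF = "[sssd]\nservices = nss, pam\ndomains = domain1,domain2\n[pam]\ndebug_level = 9\n"
BUGGY_LOG = [  # only the first domain is queried, as in the "Actual results"
    "(Fri Feb 18 09:32:22 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [domain2user@domain1]",
]
FIXED_LOG = [  # both domains queried, as in the verification snippet
    "(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain1]",
    "(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (4): Requesting info for [bulkuser59999@domain2]",
    "(Fri Apr 8 14:45:59 2011) [sssd[pam]] [pam_check_user_search] (6): Returning info for user [bulkuser59999@domain2]",
]

if __name__ == "__main__":
    doms = configured_domains(SAMPLE_CONF)
    print("buggy:", missing_domain_lookups(BUGGY_LOG, doms))  # {'domain2user': ['domain2']}
    print("fixed:", missing_domain_lookups(FIXED_LOG, doms))  # {}
```

On a real host, feed it the contents of /etc/sssd/sssd.conf and /var/log/sssd/sssd_pam.log; a non-empty result for a user in a secondary domain reproduces the symptom this bug describes.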
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2011-0560.html