Bug 773706 - SSSD fails during autodetection of search bases for new LDAP features
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sssd
Version: 16
Hardware: All Linux
Priority: unspecified, Severity: urgent
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Blocks: 784870
Reported: 2012-01-12 11:57 EST by Orion Poplawski
Modified: 2012-03-17 19:43 EDT
Fixed In Version: sssd-1.8.1-7.fc16
Doc Type: Bug Fix
Last Closed: 2012-03-01 20:17:06 EST

Attachments:
sssd logs (10.93 KB, application/x-gzip), 2012-01-12 11:57 EST, Orion Poplawski

Description Orion Poplawski 2012-01-12 11:57:26 EST
Created attachment 552449
sssd logs

Description of problem:

With sssd-1.7.0-1.fc16.i686 I'm getting expired Kerberos tickets on login.

It appears to not set up the LDAP server properly.
Comment 1 Stephen Gallagher 2012-01-12 13:23:21 EST
The issue here is that the LDAP server in question has multiple entries for 'namingContexts' in the rootDSE, but does not have a 'defaultNamingContext' attribute to identify which is the primary.

However, this should only be necessary if there are ldap_*_search_base attributes that were not populated by the config file. In this particular user's case, the ldap_search_base option is in use, which should be sufficient.

So the correct fix here is to identify why we're caring about the inability to identify the default naming context, since we aren't using it for anything.

Thanks for the bug report.
Comment 2 Stephen Gallagher 2012-01-26 07:50:51 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1152
Comment 3 Stephen Gallagher 2012-01-26 15:23:11 EST
Ok, I see what's happening here now. You have "ldap_user_search_base", "ldap_group_search_base" and "ldap_netgroup_search_base".

However, SSSD 1.7.0 added another option "ldap_sudo_search_base" (which wasn't supposed to be exposed in the default build, since it's experimental).

The safest workaround at the moment is to just specify "ldap_search_base", since that serves as the default base for any others we might add (such as "ldap_services_search_base" which is coming in SSSD 1.8.0.)


The reason we don't fail at startup is because we assume that any search base not specified is going to auto-detect from the LDAP server's RootDSE namingContexts attribute. In your case, that entry isn't safe to use (because there are multiple namingContexts attributes and no way to determine which is the correct one).

I'm going to update https://fedorahosted.org/sssd/ticket/1152 to propose that we should fail at startup if only a subset of the search bases are specified in the config file (and "ldap_search_base" isn't set for default values).

I'll also open a new ticket to track allowing multiple namingContexts values to set multiple search bases.
Comment 4 Stephen Gallagher 2012-01-26 15:35:30 EST
https://fedorahosted.org/sssd/ticket/1155 is the ticket to track the multiple search bases.
Comment 5 Orion Poplawski 2012-01-27 11:00:19 EST
I already am setting ldap_search_base and that's the only search_base I'm setting:

# grep -F search_base /etc/sssd/sssd.conf 
ldap_search_base = dc=nwra,dc=com

Wasn't sure if this was in line with your analysis above.
Comment 6 Stephen Gallagher 2012-01-27 11:23:39 EST
Hmm, you're right. I originally thought it was unset (looking at the logs), but I now see otherwise.

Ok, then the real bug here is that the SUDO search base isn't being set to the ldap_search_base. I'll look into why that is.

Thanks for the information.
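
The search-base resolution discussed in comments 1, 3 and 6, written out as an added example (not part of the original bug report and not SSSD's code). It models the order the comments describe: explicit per-feature option, then ldap_search_base, then rootDSE auto-detection, which is unsafe when several namingContexts exist without defaultNamingContext. The function names, the "example" domain and the sample rootDSE values are assumptions constructed for illustration.

```python
import configparser

# Per-feature search base options named in this bug thread.
FEATURE_BASES = [
    "ldap_user_search_base", "ldap_group_search_base",
    "ldap_netgroup_search_base", "ldap_sudo_search_base",
    "ldap_services_search_base",
]

def autodetect_base(rootdse):
    """Pick a base from rootDSE attributes, or None if the choice is ambiguous."""
    default = rootdse.get("defaultNamingContext", [])
    if len(default) == 1:
        return default[0]
    contexts = rootdse.get("namingContexts", [])
    return contexts[0] if len(contexts) == 1 else None

def resolve_search_bases(conf_text, domain, rootdse):
    """Return {option: (base, source)}; base is None when nothing safe exists."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    opts = cp["domain/" + domain]
    result = {}
    for name in FEATURE_BASES:
        if name in opts:
            result[name] = (opts[name], "explicit")
        elif "ldap_search_base" in opts:
            result[name] = (opts["ldap_search_base"], "ldap_search_base")
        else:
            base = autodetect_base(rootdse)
            result[name] = (base, "rootDSE" if base else "ambiguous rootDSE")
    return result

def unresolved(result):
    """Options that would be left without a usable search base."""
    return [name for name, (base, _) in result.items() if base is None]

# Constructed sample data: two namingContexts, no defaultNamingContext.
ROOTDSE = {"namingContexts": ["dc=example,dc=com", "o=other"]}
CONF_DEFAULT = "[domain/example]\nldap_search_base = dc=nwra,dc=com\n"
CONF_PARTIAL = ("[domain/example]\n"
                "ldap_user_search_base = ou=people,dc=example,dc=com\n"
                "ldap_group_search_base = ou=groups,dc=example,dc=com\n")

if __name__ == "__main__":
    for label, conf in (("default set", CONF_DEFAULT), ("partial", CONF_PARTIAL)):
        res = resolve_search_bases(conf, "example", ROOTDSE)
        print(label, "-> unresolved:", unresolved(res))
```

With only ldap_search_base set, every feature resolves to it, which is the behaviour comment 6 says the sudo base was missing; the partial configuration shows the case comment 3 proposes rejecting at startup.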
Comment 7 Fedora Update System 2012-02-01 16:00:48 EST
sssd-1.7.0-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/FEDORA-2012-0237/sssd-1.7.0-3.fc16
Comment 8 Fedora Update System 2012-02-05 16:51:15 EST
Package sssd-1.7.0-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.7.0-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0237/sssd-1.7.0-5.fc16
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-02-22 09:36:37 EST
sssd-1.8.0-5.fc17.beta3 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sssd-1.8.0-5.fc17.beta3
Comment 10 Fedora Update System 2012-02-22 12:45:36 EST
Package sssd-1.8.0-5.fc17.beta3:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-02-23 17:28:40 EST
Package sssd-1.8.0-5.fc17.beta3.1:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3.1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3.1
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2012-02-23 19:34:23 EST
sssd-1.8.0-5.fc17.beta3.1 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3.1
Comment 13 Fedora Update System 2012-02-28 16:09:55 EST
sssd-1.8.0-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sssd-1.8.0-6.fc16
Comment 14 Fedora Update System 2012-03-01 04:22:26 EST
Package sssd-1.8.0-6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-6.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2725/sssd-1.8.0-6.fc16
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2012-03-01 20:17:06 EST
sssd-1.8.0-6.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2012-03-17 19:43:53 EDT
sssd-1.8.1-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
