Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/1169 {{{ (Tue Jan 24 15:30:20 2012) [sssd[be[EXAMPLE.COM]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(originalDN=CN=U329266,OU=site,OU=Users,OU=Accounts,DC=example,DC=com)) (Tue Jan 24 15:30:20 2012) [sssd[be[EXAMPLE.COM]]] [sysdb_search_users] (0x0400): No such entry (Tue Jan 24 15:30:20 2012) [sssd[be[EXAMPLE.COM]]] [sysdb_attrs_primary_name] (0x0020): Could not determine primary name: [22][Invalid argument] (Tue Jan 24 15:30:20 2012) [sssd[be[EXAMPLE.COM]]] [sdap_nested_group_populate_users] (0x0020): User entry 7 has no name attribute }}} In this case, we are talking to an Active Directory server that had some entries in its search filter that were missing the msSFU30Name attribute. When we were processing a group that contained this user, we would encounter the {{{"Could not determine primary name: [22][Invalid argument]"}}} error and fail. The proper behaviour should be to skip incomplete POSIX entries.
Verified in version: # rpm -qi sssd | head Name : sssd Relocations: (not relocatable) Version : 1.8.0 Vendor: Red Hat, Inc. Release : 22.el6 Build Date: Mon 09 Apr 2012 07:40:33 PM IST Install Date: Mon 16 Apr 2012 04:57:02 PM IST Build Host: x86-003.build.bos.redhat.com Group : Applications/System Source RPM: sssd-1.8.0-22.el6.src.rpm Size : 7870660 License: GPLv3+ Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://fedorahosted.org/sssd/ Summary : System Security Services Daemon
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: SSSD expects all users in a POSIX-enabled Active Directory group to be POSIX-enabled users. Consequence: If some members of a POSIX-enabled group were lacking the POSIX username attribute, SSSD would return an error when looking up that group. Fix: SSSD ignores non-POSIX group members. Result: SSSD will now return all POSIX-enabled group members and silently ignore non-POSIX members instead of failing the lookup and returning nothing.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html