#1249 Unable to lookup user aliases with proxy provider.
Closed: Fixed None Opened 8 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=802718 (Red Hat Enterprise Linux 6)

Description of problem:
Unable to lookup user aliases with proxy provider.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Add a user in ldap server as:
dn: uid=User_CS1,ou=Users,dc=example,dc=com
uidNumber: 1111111
gidNumber: 1111111
objectClass: posixAccount
objectClass: account
cn: User_CS1
homeDirectory: /home/user_cs1
userPassword: Secret123
uid: User_CS1_Alias

2. Configure proxy provider domain in sssd as follows:

id_provider = proxy
case_sensitive = true
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap

3. Lookup user & alias via nss_ldap:

# getent -s ldap passwd User_CS1_Alias
# getent -s ldap passwd User_CS1

4. Lookup user & alias via nss_sss:

# getent -s sss passwd User_CS1_Alias
# getent -s sss passwd User_CS1    <== Doesn't return anything.

Actual results:
Unable to lookup user aliases.

sssd_PROXY.log shows:
(Tue Mar 13 14:04:01 2012) [sssd[be[PROXY]]] [sysdb_add_user] (0x0400): Error: 17 (File exists)
(Tue Mar 13 14:04:01 2012) [sssd[be[PROXY]]] [ldb] (0x4000): cancel ldb transaction (nesting: 1)
(Tue Mar 13 14:04:01 2012) [sssd[be[PROXY]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Tue Mar 13 14:04:01 2012) [sssd[be[PROXY]]] [sysdb_store_user] (0x0400): Error: 17 (File exists)
(Tue Mar 13 14:04:01 2012) [sssd[be[PROXY]]] [save_user] (0x0040): Could not add user to cache
(Tue Mar 13 14:04:01 2012) [sssd[be[PROXY]]] [get_pw_name] (0x0040): proxy -> getpwnam_r failed for 'User_CS1' <1>
(Tue Mar 13 14:04:01 2012) [sssd[be[PROXY]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,17,Internal Error (Failure setting user

Expected results:
Should be able to lookup user aliases.

Additional info:

Jakub and I discussed this on IRC and we came up with the following plan:

We will modify the proxy provider lookup routine so that it will perform two lookups, instead of just one. The first lookup will be the standard {{{getpwnam()}}} call against the NSS library. However, once we get that result, we will also perform a {{{getpwuid()}}} call against the NSS library with the UID returned by the first lookup.

We will then treat the result of the getpwuid() call as the definitive answer as to the primary username. The results of that lookup will be saved to the sysdb and the originally-requested name will be added as an alias.

The same behavior should be performed on group lookups.

We are aware that this will introduce a reduction in cache-miss performance to the proxy provider, but after discussion we decided on two things:
1. The proxy provider is a migration tool and provides no performance guarantees.
2. We would prefer to prioritize correctness over speed.

blockedby: =>
blocking: =>
component: SSSD => Proxy Provider
coverity: =>
feature_milestone: =>
tests: => 0
testsupdated: => 0
upgrade: => 0
version: => 1.8.1
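
The two-step lookup from the plan above, as an added example in C; it is not SSSD's code or the patch that closed this ticket. resolve_canonical, struct canon_user and the fake_* backend are hypothetical names, and the backend is constructed from the ticket's LDAP entry on the assumption that the by-UID lookup answers with User_CS1.

```c
#include <errno.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>

/* Same signatures as getpwnam_r()/getpwuid_r(), so libc's can be passed in. */
typedef int (*by_name_fn)(const char *, struct passwd *, char *, size_t, struct passwd **);
typedef int (*by_uid_fn)(uid_t, struct passwd *, char *, size_t, struct passwd **);
struct canon_user { char primary[64]; char alias[64]; uid_t uid; };

/* Look up by name, then by the returned UID. The by-UID name is the primary;
 * the requested name is recorded as an alias only when it differs. */
int resolve_canonical(by_name_fn by_name, by_uid_fn by_uid,
                      const char *requested, struct canon_user *out)
{
    struct passwd pw, *res = NULL;
    char buf[1024];
    int ret = by_name(requested, &pw, buf, sizeof(buf), &res);
    if (ret != 0 || res == NULL) return ret ? ret : ENOENT;
    out->uid = res->pw_uid;
    ret = by_uid(out->uid, &pw, buf, sizeof(buf), &res);
    if (ret != 0 || res == NULL) return ret ? ret : ENOENT;
    if (strlen(res->pw_name) >= sizeof(out->primary) ||
        strlen(requested) >= sizeof(out->alias)) return ERANGE;
    strcpy(out->primary, res->pw_name);
    strcpy(out->alias, strcmp(requested, out->primary) ? requested : "");
    return 0;
}

/* Constructed backend modelled on the ticket's entry: two names, one UID.
 * Assumption: the by-UID lookup answers "User_CS1". NULL name = no entry. */
static int fill(const char *name, struct passwd *pw, char *buf, size_t len, struct passwd **res)
{
    *res = NULL;
    if (name == NULL) return 0;
    if (strlen(name) >= len) return ERANGE;
    memset(pw, 0, sizeof(*pw));
    pw->pw_name = strcpy(buf, name);
    pw->pw_uid = 1111111;
    *res = pw;
    return 0;
}
int fake_getpwnam_r(const char *n, struct passwd *pw, char *b, size_t l, struct passwd **r)
{
    return fill(strcmp(n, "User_CS1") && strcmp(n, "User_CS1_Alias") ? NULL : n, pw, b, l, r);
}
int fake_getpwuid_r(uid_t u, struct passwd *pw, char *b, size_t l, struct passwd **r)
{
    return fill(u == 1111111 ? "User_CS1" : NULL, pw, b, l, r);
}
```

Passing libc's getpwnam_r and getpwuid_r in place of the fake_* functions runs the same logic against the system's NSS configuration. Whichever name is requested first, the result names one primary for the UID, so the cache holds one user record per UID with the other name attached as an alias.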

Fields changed

owner: somebody => jhrozek

Fields changed

status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.8.2 (LTM)
priority: major => minor

Fields changed

patch: 0 => 1

Patch isn't sufficient and needs some rework. I'm going to bump this out to 1.8.3. It's not a blocker for 1.8.2 release.

milestone: SSSD 1.8.2 (LTM) => SSSD 1.8.3 (LTM)

Fixed in master:
- 28d1ff2
- 5177368

And in sssd-1-8:
- 389b3b4
- 2958af2

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.8.3 (LTM)

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2291

If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
