#2146 sssd can't retrieve auto.master when using the "default_domain_suffix" option in
Closed: Fixed None Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1028422

Created attachment 821570
workaround patch

Description of problem:


I would like to preface this bug report that we are aware AD trusts are a tech
preview, but this bug in sssd is present without an AD trust present.  It's
just that the common use case, with an AD trust in place, is where the bug was
exposed.  The "default_domain_suffix" option likely wouldn't be used any other
time.  I have included the sosreport for the IPA server as well, but it's
really not relevant as the bug is in sssd.  On to the bug report...

This bug is present in 6.4 and 6.5 beta.  The sosreport for ipaclient01 is from
6.5 beta.

We have hit a major issue with sssd regarding sssd, autofs and an IPA domain
with an AD trust.  The problem lies within sssd, in that it can't retrieve
autofs maps from an IPA domain that has an AD trust formed when the
"default_domain_suffix" option is used.  It fails to retrieve the map and
automount will segfault when sssd does not respond.

It appears that the "default_domain_suffix" option is being applied to the
auto.master lookup, when it should only be applied to users.

Attempting to fully-qualify the auto.master entry in /etc/auto.master (e.g.,
+auto.master@linux.ad.priv) results in another sssd error, where it's confused
that it got a response but no data.  I'm sure the Red Hat engineers will see
this if they attempt the workaround I did.

The only way to work around this is to disable "default_domain_suffix".  This
is not really acceptable since it's a user-facing change, requiring them to
input their fully-qualified username.


Version-Release number of selected component (if applicable):

Present in RHEL6.4 and RHEL6.5 beta version as well.
sssd-client-1.9.2-82.10.el6_4.x86_64
sssd-1.9.2-82.10.el6_4.x86_64


How reproducible:


Steps to Reproduce:
 - setup IPA
- setup AD
- form trust between IPA and AD, with the IPA domain being a subdomain
(ipa.ad.priv and ad.priv)
- enable nss for automount in /etc/nsswitch.conf
- add the "default_domain_prefix" option in the [sssd] section of sssd.conf
- service sssd restart
- service autofs restart; automount -m
- automount -m will segfault, sssd will not pull the maps from IPA

Actual results:
it can't retrieve autofs maps from an IPA domain that has an AD trust formed
when the "default_domain_suffix" option is used.  It fails to retrieve the map
and automount will segfault when sssd does not respond.

relevant sssd log of the problem:
(Wed Nov  6 08:52:06 2013) [sssd[autofs]] [sss_autofs_cmd_setautomntent]
(0x2000): sss_autofs_cmd_setautomntent
(Wed Nov  6 08:52:06 2013) [sssd[autofs]] [sss_autofs_cmd_setautomntent]
(0x0400): Got request for automount map named auto.master
(Wed Nov  6 08:52:06 2013) [sssd[autofs]] [sss_parse_name_for_domains]
(0x0200): name 'auto.master' matched without domain, user is auto.master
(Wed Nov  6 08:52:06 2013) [sssd[autofs]] [sss_parse_name_for_domains]
(0x0200): default domain [AD.PRIV] is currently not know, trying to look it up.
(Wed Nov  6 08:52:06 2013) [sssd[autofs]] [setautomntent_send] (0x0010):
Invalid name received [auto.master]
(Wed Nov  6 08:52:06 2013) [sssd[autofs]] [sss_autofs_cmd_setautomntent_done]
(0x2000): setautomntent done
(Wed Nov  6 08:52:06 2013) [sssd[autofs]] [sss_autofs_cmd_setautomntent_done]
(0x0020): setautomntent_recv failed


Expected results:
It should retrieve autofs maps from IPA domain.

Additional info:
work around patch is attached

A patch was submitted by the reporter.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
review: True => 1
selected: =>
testsupdated: => 0

Fields changed

patch: 0 => 1
review: 1 => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.3

resolution: => fixed
status: new => closed

Fields changed

changelog: => This fix makes it possible to use the autofs responder along with the default_domain_suffix option. Previously, enabling the option broke the autofs responder.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.11.3

2 years ago

Login to comment on this ticket.

Metadata