#2183 sssd does not respect override_gid when there is no gid
Closed: Invalid None Opened 10 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1045188

Created attachment 839236
try all attributes when saving an entry

Description of problem:
When specifying override_gid in sssd.conf, it will not work if the LDAP server
does not return a gid attribute when querying the LDAP user information.

Version-Release number of selected component (if applicable):
1.9.2-82.10

How reproducible:
Always

Steps to Reproduce:
1. Use an LDAP server which does not return a gid (e.g. Tivoli Directory Server)
2. Configure sssd.conf with override_gid, say, 1000 with group 1000 being
'mygroup' in /etc/group
3. Query user information
4. As sssd does not get the gid, it will cease to process user info at this
time, not saving it, and getent passwd <user> or any other such command will
not work

And sorry, but I do not have sssd logs containing the problem because it was
solved with a patch that jhrozek sent me which, according to him, was a
hack/workaround for the time being. The patch is attached on this bug report.

Actual results:
no getent / id command working

Expected results:
getent / id would return the user with the given group

Additional info:
patch which worked around the problem is attached

In the bug report, Stephen noted the following:

1) It is asserted that if override_gid is being used, we should not fail to save users that have no gid attribute in their LDAP user entry. This would require us to change the search filters we use for finding user entries if override_gid is in use on the domain (currently we intentionally filter out users missing a GID).

2) The workaround that was offered here was to set 'ldap_group_gid = uidNumber' (the same as the UID, so it could then be safely overridden). However, we have a bug in the attribute processing where it ended up not populating both UID and GID (it stopped at the first match). As a result, the user failed to save to sysdb. This is the issue addressed by the attached patch.

The second issue is fairly serious, as there may be other times that we need to save the same attribute in two places (such as GECOS and Full Name, for one example). The first issue will have a viable workaround once the second is addressed, so it is lower priority.

This ticket addresses 1) above. The second point is addressed by ticket #2184.
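
The first-match behaviour described in point 2, as an added example that is not part of the original ticket and is not SSSD's code. The map layout, `store_attr`, `has_attr` and `process_reply` are hypothetical names, and the LDAP reply is constructed:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified map: LDAP attribute name -> cache attribute name.
 * This is not SSSD's real data structure. */
struct attr_map { const char *ldap_name; const char *cache_name; };

/* Constructed map for the workaround: the UID and GID slots both read uidNumber. */
static const struct attr_map user_map[] = {
    { "uid",       "name"      },
    { "uidNumber", "uidNumber" },
    { "uidNumber", "gidNumber" },
};
#define MAP_LEN (sizeof(user_map) / sizeof(user_map[0]))

struct cache_entry { const char *name[MAP_LEN]; const char *value[MAP_LEN]; size_t n; };

/* Copy one LDAP attribute into the entry. With first_match_only set, the loop
 * stops at the first map slot, which reproduces the behaviour described above. */
static void store_attr(struct cache_entry *e, const char *ldap_name,
                       const char *value, int first_match_only)
{
    for (size_t i = 0; i < MAP_LEN; i++) {
        if (strcmp(user_map[i].ldap_name, ldap_name) != 0) continue;
        e->name[e->n] = user_map[i].cache_name;
        e->value[e->n] = value;
        e->n++;
        if (first_match_only) break;
    }
}

static int has_attr(const struct cache_entry *e, const char *cache_name)
{
    for (size_t i = 0; i < e->n; i++)
        if (strcmp(e->name[i], cache_name) == 0) return 1;
    return 0;
}

/* Process a constructed reply without a gid attribute; returns 1 when both
 * UID and GID were populated, i.e. when the user could be saved. */
static int process_reply(int first_match_only)
{
    struct cache_entry e = { .n = 0 };
    store_attr(&e, "uid", "jdoe", first_match_only);
    store_attr(&e, "uidNumber", "1000", first_match_only);
    return has_attr(&e, "uidNumber") && has_attr(&e, "gidNumber");
}

int main(void)
{
    printf("first match only: %d\nall matches: %d\n", process_reply(1), process_reply(0));
    return 0;
}
```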

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14 beta
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1045188 1045188] => [https://bugzilla.redhat.com/show_bug.cgi?id=1045188 1045188] todo

Fields changed

mark: => 0
priority: major => trivial
sensitive: => 0

This should be solved either by using ldap_group_gid = uidNumber, which has worked since the ticket was created, or by the sss_override tool.

resolution: => worksforme
status: new => closed

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.14 beta

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3225

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
