#2472 supplemental group resolution fails with sssd 1.11.6-30.el6 with id_provider=ldap connected to AD
Closed: Duplicate None Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1155283

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
supplemental group resolution fails with sssd 1.11.6-30.el6

Version-Release number of selected component (if applicable):
sssd 1.11.6-30.el6

How reproducible:
100%


Additional info:
In 6.6, we switched to using TokenGroups to resolve even POSIX groups for
performance reasons. In 6.5 and earlier, we only used TokenGroups if ID mapping
was in use, not POSIX attributes.

But we fail the initgroups operation for one reason or another.

Workaround can be used as.

ldap_use_tokengroups = False

This problem is fixed by commit f834f71 (master), which was created as a solution of ticket #2361.

blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
mark: no => 0
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

owner: somebody => lslebodn

Fields changed

summary: supplemental group resolution fails with sssd 1.11.6-30.el6 => supplemental group resolution fails with sssd 1.11.6-30.el6 with id_provider=ldap connected to AD

We just need to push f834f71 into sssd-1-11

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.8

resolution: => fixed
status: new => closed

Apologies if this is the wrong place, but even after the latest sssd release on RHEL6 (sssd-1.11.6-30.el6_6.3.x86_64) I'm still getting intermittent problems with users having no supplemental groups. I have a case open with Red Hat Support, but I'm not getting very far, partly because it's so intermittent.

Is there anything else I can do to get this investigated further? Where is the right place to discuss this?

Replying to [comment:7 jberanek]:

Apologies if this is the wrong place, but even after the latest sssd release on RHEL6 (sssd-1.11.6-30.el6_6.3.x86_64) I'm still getting intermittent problems with users having no supplemental groups. I have a case open with Red Hat Support, but I'm not getting very far, partly because it's so intermittent.

I'm sorry to hear that. The patch from this ticket was reverted in upstream because it caused regressions with dereferencing attributes from OpenLDAP server.

Is there anything else I can do to get this investigated further? Where is the right place to discuss this?

But there is another patch in rhel6.6 which shoudl fix this problem as well #2483 (it fixes problem with Active Directory and ldap provider)

You can get faster response from upstream if you send mail to sssd-users mailing list.

Fields changed

cc: => john@redux.org.uk

Replying to [comment:6 jhrozek]:

Previous patches were reverted by:

Fields changed

resolution: fixed =>
status: closed => reopened

The comment 10 says that patches were reverted,
but bug was fixed in different ticket #2483.

Therefore changing state from closed:fixed to closed:duplicate

resolution: => duplicate
status: reopened => closed

Metadata Update from @jhrozek:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.11.8

2 years ago

Login to comment on this ticket.

Metadata