#2635 ID mapping does not work with disabled subdomains
Closed: Fixed None Opened 4 years ago by lslebodn.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1211714

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Here is the most interesting part of the log file:
[be_get_account_info] (0x0100): Got request for [4097][1][name=hdpadmin]
[be_req_set_domain] (0x0400): Changing request domain from [SUB.EXAMPLE.TEST] to [SUB.EXAMPLE.TEST]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
[sdap_search_user_next_base] (0x0400): Searching for users with base [DC=sub,DC=EXAMPLE,DC=TEST]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=hdpadmin)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=sub,DC=EXAMPLE,DC=TEST].
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users

I can see:
* request for user hdpadmin (getpwnam)
* there is a problem with parsing the domain SID. It is null, but I don't know why.
* we try to find POSIX attributes in ldap because there was a problem with id mapping. Of course it did not find anything.



There was an error:
[sssd[be[SUB.EXAMPLE.TEST]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot find KDC for requested realm)]

The proposed workaround for disabling subdomains should have fixed it.
"subdomains_provider = none"

However, there is a bug in sssd: id mapping does not work correctly with disabled subdomains.

I tried to manually configure ldap_idmap_default_domain and ldap_idmap_default_domain_sid, but it fixes id mapping just partially.
It works just for users which have POSIX attributes.
>calling ldap_search_ext with [(&(sAMAccountName=hdpadmin)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=sub,DC=EXAMPLE,DC=TEST].
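
A triage helper for the log pattern quoted above, as an added example that is not part of the original ticket or of SSSD's code: it flags account requests where the domain SID was null, the LDAP filter therefore required `uidNumber`, and the search came back empty. The function name `find_idmap_fallbacks`, the timestamp prefix and the second, healthy excerpt (`OK_LOG`) are assumptions constructed for illustration.

```python
import re

# Tail of an SSSD debug line: "[function] (0xLEVEL): message"; any prefix is ignored.
LINE_RE = re.compile(r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]{4}\): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"Got request for \[[^\]]*\]\[[^\]]*\]\[(?P<filter>[^\]]*)\]")

# Lines quoted in the ticket.
TICKET_LOG = [
    "[be_get_account_info] (0x0100): Got request for [4097][1][name=hdpadmin]",
    "[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]",
    "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=hdpadmin)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=sub,DC=EXAMPLE,DC=TEST].",
    "[sdap_search_user_process] (0x0400): Search for users, returned 0 results.",
]
# Constructed sample (not from the ticket): a request where ID mapping is active.
OK_LOG = [
    "(Tue Apr 14 10:00:00 2015) [sssd[be[SUB.EXAMPLE.TEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=alice]",
    "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=alice)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=sub,DC=EXAMPLE,DC=TEST].",
    "[sdap_search_user_process] (0x0400): Search for users, returned 1 results.",
]

def find_idmap_fallbacks(lines):
    """Return one dict per account request where the domain SID was null,
    the LDAP filter required uidNumber, and the user search returned nothing."""
    findings, current = [], None
    for raw in lines:
        m = LINE_RE.search(raw)
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "be_get_account_info":  # a new request starts a new record
            req = REQUEST_RE.search(msg)
            current = {"request": req["filter"] if req else msg,
                       "null_sid": False, "posix_filter": False}
        elif current is None:
            continue
        elif (func == "sdap_idmap_domain_has_algorithmic_mapping"
              and "Could not parse domain SID from [(null)]" in msg):
            current["null_sid"] = True
        elif func == "sdap_get_generic_ext_step" and "(uidNumber=*)" in msg:
            current["posix_filter"] = True
        elif func == "sdap_search_user_process" and "returned 0 results" in msg:
            if current["null_sid"] and current["posix_filter"]:
                findings.append(current)
    return findings

if __name__ == "__main__":
    print(find_idmap_fallbacks(TICKET_LOG + OK_LOG))
```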

Fields changed

owner: somebody => lslebodn
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.12.5

resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.12.5
