#2723 Could not resolve AD user from root domain
Closed: Fixed None Opened 4 years ago by lslebodn.

There are more administrator users: id administrator @child1.sssdad.com and id administrator @sssdad.com.

sssd is joined to the child domain.

[sssd]
config_file_version = 2
services = nss, pam
domains = child1.sssdad.com

[nss]
default_shell = /bin/bash

[domain/child1.sssdad.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = child1.sssdad.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u

but user from root domain administrator @sssdad.com cannot be resolved.
It might be cause by fact that user is stored in different domain

[root@ibm-x3650-03 sssd]# ldbsearch -H /var/lib/sss/db/cache_child1.sssdad.com.ldb "(name=Administrator)"
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
asq: Unable to register control with rootdse!
# record 1
dn: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb
createTimestamp: 1437407347
fullName: Administrator
gecos: Administrator
gidNumber: 369600513
name: Administrator
objectClass: user
uidNumber: 369600500
objectSIDString: S-1-5-21-4212360905-986714573-1256250948-500
uniqueID: 16c36a5f-e2ec-49cd-a2ab-742b03d3adde
originalDN: CN=Administrator,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Group Policy Creator Owners,CN=Users,DC=child1,DC=sssdad,
 DC=com
originalMemberOf: CN=Domain Admins,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Administrators,CN=Builtin,DC=child1,DC=sssdad,DC=com
originalModifyTimestamp: 20150718152922.0Z
entryUSN: 768294
adUserAccountControl: 66048
nameAlias: administrator
lastUpdate: 1437407347
dataExpireTimestamp: 1437412747
distinguishedName: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

Fields changed

description: There are more administrator users: id administrator@child1.sssdad.com and id administrator@sssdad.com.

sssd is joined to the child domain.
{{{
[sssd]
config_file_version = 2
services = nss, pam
domains = child1.sssdad.com

[nss]
default_shell = /bin/bash

[domain/child1.sssdad.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = child1.sssdad.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
}}}

but user from root domain '''administrator@sssdad.com''' cannot be resolved.
It might be cause by fact that user is stored in different domain
{{{
[root@ibm-x3650-03 sssd]# ldbsearch -H /var/lib/sss/db/cache_child1.sssdad.com.ldb "(name=Administrator)"
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
asq: Unable to register control with rootdse!

record 1

dn: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb
createTimestamp: 1437407347
fullName: Administrator
gecos: Administrator
gidNumber: 369600513
name: Administrator
objectClass: user
uidNumber: 369600500
objectSIDString: S-1-5-21-4212360905-986714573-1256250948-500
uniqueID: 16c36a5f-e2ec-49cd-a2ab-742b03d3adde
originalDN: CN=Administrator,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Group Policy Creator Owners,CN=Users,DC=child1,DC=sssdad,
DC=com
originalMemberOf: CN=Domain Admins,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Administrators,CN=Builtin,DC=child1,DC=sssdad,DC=com
originalModifyTimestamp: 20150718152922.0Z
entryUSN: 768294
adUserAccountControl: 66048
nameAlias: administrator
lastUpdate: 1437407347
dataExpireTimestamp: 1437412747
distinguishedName: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb

returned 1 records

1 entries

0 referrals

}}}
=> There are more administrator users: id ''administrator @child1.sssdad.com'' and id ''administrator @sssdad.com''.

sssd is joined to the child domain.
{{{
[sssd]
config_file_version = 2
services = nss, pam
domains = child1.sssdad.com

[nss]
default_shell = /bin/bash

[domain/child1.sssdad.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = child1.sssdad.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
}}}

but user from root domain ''administrator @sssdad.com'' cannot be resolved.
It might be cause by fact that user is stored in different domain
{{{
[root@ibm-x3650-03 sssd]# ldbsearch -H /var/lib/sss/db/cache_child1.sssdad.com.ldb "(name=Administrator)"
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
asq: Unable to register control with rootdse!

record 1

dn: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb
createTimestamp: 1437407347
fullName: Administrator
gecos: Administrator
gidNumber: 369600513
name: Administrator
objectClass: user
uidNumber: 369600500
objectSIDString: S-1-5-21-4212360905-986714573-1256250948-500
uniqueID: 16c36a5f-e2ec-49cd-a2ab-742b03d3adde
originalDN: CN=Administrator,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Group Policy Creator Owners,CN=Users,DC=child1,DC=sssdad,
DC=com
originalMemberOf: CN=Domain Admins,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Administrators,CN=Builtin,DC=child1,DC=sssdad,DC=com
originalModifyTimestamp: 20150718152922.0Z
entryUSN: 768294
adUserAccountControl: 66048
nameAlias: administrator
lastUpdate: 1437407347
dataExpireTimestamp: 1437412747
distinguishedName: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb

returned 1 records

1 entries

0 referrals

}}}

It worked for me on sssd-1.13.0. So I "git bisect" it. the first problematic commit is b9e74a7

commit b9e74a747b8f1012bba3575f3e4289ef4877d64a
Author: Jakub Hrozek <jhrozek@redhat.com>
Date:   Wed Jun 17 16:13:51 2015 +0200

    LDAP: Add the wildcard_limit option

    Related:
        https://fedorahosted.org/sssd/ticket/2553

    Adds a new wildcard_limit option that is set by default to 1000 (one
    page). This option limits the number of entries that can by default be
    returned by a wildcard search.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
}}}

Fields changed

owner: somebody => jhrozek
status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

rhbz: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.1

Fields changed

rhbz: 0 =>

resolution: => fixed
status: assigned => closed

Metadata Update from @lslebodn:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.13.1

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3764

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata