SSSD / sssd

#2723 Could not resolve AD user from root domain

Closed: Fixed None Opened 4 years ago by lslebodn.

There are more administrator users: id administrator @child1.sssdad.com and id administrator @sssdad.com.

sssd is joined to the child domain.

[sssd]
config_file_version = 2
services = nss, pam
domains = child1.sssdad.com

[nss]
default_shell = /bin/bash

[domain/child1.sssdad.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = child1.sssdad.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u

but user from root domain administrator @sssdad.com cannot be resolved.
It might be cause by fact that user is stored in different domain

[root@ibm-x3650-03 sssd]# ldbsearch -H /var/lib/sss/db/cache_child1.sssdad.com.ldb "(name=Administrator)"
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
asq: Unable to register control with rootdse!
# record 1
dn: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb
createTimestamp: 1437407347
fullName: Administrator
gecos: Administrator
gidNumber: 369600513
name: Administrator
objectClass: user
uidNumber: 369600500
objectSIDString: S-1-5-21-4212360905-986714573-1256250948-500
uniqueID: 16c36a5f-e2ec-49cd-a2ab-742b03d3adde
originalDN: CN=Administrator,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Group Policy Creator Owners,CN=Users,DC=child1,DC=sssdad,
 DC=com
originalMemberOf: CN=Domain Admins,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Administrators,CN=Builtin,DC=child1,DC=sssdad,DC=com
originalModifyTimestamp: 20150718152922.0Z
entryUSN: 768294
adUserAccountControl: 66048
nameAlias: administrator
lastUpdate: 1437407347
dataExpireTimestamp: 1437412747
distinguishedName: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals

lslebodn commented 4 years ago

Fields changed

description: There are more administrator users: id administrator@child1.sssdad.com and id administrator@sssdad.com.

sssd is joined to the child domain.
{{{
[sssd]
config_file_version = 2
services = nss, pam
domains = child1.sssdad.com

[nss]
default_shell = /bin/bash

[domain/child1.sssdad.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = child1.sssdad.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
}}}

but user from root domain '''administrator@sssdad.com''' cannot be resolved.
It might be cause by fact that user is stored in different domain
{{{
[root@ibm-x3650-03 sssd]# ldbsearch -H /var/lib/sss/db/cache_child1.sssdad.com.ldb "(name=Administrator)"
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
asq: Unable to register control with rootdse!

record 1

dn: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb
createTimestamp: 1437407347
fullName: Administrator
gecos: Administrator
gidNumber: 369600513
name: Administrator
objectClass: user
uidNumber: 369600500
objectSIDString: S-1-5-21-4212360905-986714573-1256250948-500
uniqueID: 16c36a5f-e2ec-49cd-a2ab-742b03d3adde
originalDN: CN=Administrator,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Group Policy Creator Owners,CN=Users,DC=child1,DC=sssdad,
DC=com
originalMemberOf: CN=Domain Admins,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Administrators,CN=Builtin,DC=child1,DC=sssdad,DC=com
originalModifyTimestamp: 20150718152922.0Z
entryUSN: 768294
adUserAccountControl: 66048
nameAlias: administrator
lastUpdate: 1437407347
dataExpireTimestamp: 1437412747
distinguishedName: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb

returned 1 records

1 entries

0 referrals

}}}
=> There are more administrator users: id ''administrator @child1.sssdad.com'' and id ''administrator @sssdad.com''.

sssd is joined to the child domain.
{{{
[sssd]
config_file_version = 2
services = nss, pam
domains = child1.sssdad.com

[nss]
default_shell = /bin/bash

but user from root domain ''administrator @sssdad.com'' cannot be resolved.
It might be cause by fact that user is stored in different domain
{{{
[root@ibm-x3650-03 sssd]# ldbsearch -H /var/lib/sss/db/cache_child1.sssdad.com.ldb "(name=Administrator)"
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
asq: Unable to register control with rootdse!

record 1

returned 1 records

1 entries

0 referrals

}}}

lslebodn commented 4 years ago

ldap_child.log
ldap_child.log

lslebodn commented 4 years ago

domain log
sssd_child1.sssdad.com.log

lslebodn commented 4 years ago

It worked for me on sssd-1.13.0. So I "git bisect" it. the first problematic commit is b9e74a7

commit b9e74a747b8f1012bba3575f3e4289ef4877d64a
Author: Jakub Hrozek <jhrozek@redhat.com>
Date:   Wed Jun 17 16:13:51 2015 +0200

    LDAP: Add the wildcard_limit option

    Related:
        https://fedorahosted.org/sssd/ticket/2553

    Adds a new wildcard_limit option that is set by default to 1000 (one
    page). This option limits the number of entries that can by default be
    returned by a wildcard search.

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
}}}