#3365 Failure to filter out AD subdomain with flatname is used

Created a year ago by jstephen
Modified a year ago

SSSD fails to filter out the child domain it is connected to when domain flatname is used instead of fully qualified domain name in sssd.conf, this leads to creation of an empty subdomain.

Reproducer: Join SSSD to child AD domain such as 'WINCHLD.AD.JSTEPHEN' with the following configuration(Parent domain is

domains = winchld


Try to resolve user in joined-to winchld domain and check the subdomains which get created.

[sssm_ad_subdomains_init] (0x2000): Initializing AD subdomains handler
[new_subdomain] (0x0400): Creating [AD.JSTEPHEN] as subdomain of [winchld]!
[ad_subdomains_process] (0x0400): Enabling subdomain WINCHLD.AD.JSTEPHEN
[new_subdomain] (0x0400): Creating [WINCHLD.AD.JSTEPHEN] as subdomain of [winchld]!
[ad_subdomains_refresh_done] (0x0400): Subdomains refreshed.

Downstream(1.13) this fails and leads to confusing log messages in the domain log:

[sdap_search_user_process] (0x0400): Search for users, returned 1 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users

Upstream, the user resolution works because cache_req falls back to trying other domains.

[cache_req_set_domain] (0x0400): CR #0: Using domain [WINCHLD.AD.JSTEPHEN]
[cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
[cache_req_set_domain] (0x0400): CR #0: Using domain [winchld]

Thanks for the ticket. Is this request for a downstream version that will stay on 1.13 or for one that will get 1.15 in the next update?

@jhrozek I guess upstream assuming that is the preferred route, the downstream workaround to use the fully-qualified domain name is sufficient for the person who encountered this bug in 1.13

a year ago

Metadata Update from @lslebodn:
- Issue assigned to jstephen

a year ago

Metadata Update from @jstephen:
- Issue status updated to: Closed (was: Open)

Login to comment on this ticket.