SSSD fails to filter out the child domain it is connected to when the domain flatname is used instead of the fully qualified domain name in sssd.conf; this leads to the creation of an empty subdomain.
Reproducer: Join SSSD to a child AD domain such as 'WINCHLD.AD.JSTEPHEN' with the following configuration (Parent domain is
domains = winchld
ad_domain = WINCHLD.AD.JSTEPHEN
krb5_realm = WINCHLD.AD.JSTEPHEN
Try to resolve a user in the joined-to winchld domain and check which subdomains get created.
[sssm_ad_subdomains_init] (0x2000): Initializing AD subdomains handler
[new_subdomain] (0x0400): Creating [AD.JSTEPHEN] as subdomain of [winchld]!
[ad_subdomains_process] (0x0400): Enabling subdomain WINCHLD.AD.JSTEPHEN
[new_subdomain] (0x0400): Creating [WINCHLD.AD.JSTEPHEN] as subdomain of [winchld]!
[ad_subdomains_refresh_done] (0x0400): Subdomains refreshed.
Downstream (1.13) this fails and leads to confusing log messages in the domain log:
[sdap_search_user_process] (0x0400): Search for users, returned 1 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users
Upstream, user resolution works because cache_req falls back to trying other domains.
[cache_req_set_domain] (0x0400): CR #0: Using domain [WINCHLD.AD.JSTEPHEN]
[cache_req_select_domains] (0x0400): CR #0: Performing a multi-domain search
[cache_req_set_domain] (0x0400): CR #0: Using domain [winchld]
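The mismatch described in the ticket can be reproduced with a small model of the subdomain filter. This is an added illustration written for this page, not SSSD's own code: the sssd.conf fragments are constructed from the three option lines above (the [sssd] and [domain/...] section headers are assumptions added so configparser can read them), the discovered-domain list is taken from the [new_subdomain] log lines, and subdomains_fixed shows one way to match against ad_domain as well as the configured name. It also shows why the workaround of naming the domain by its FQDN avoids the duplicate entry.

```python
"""Model of the subdomain filtering problem from the ticket.

Illustrative re-implementation for this page only; SSSD's real
ad_subdomains code is not reproduced here.
"""
import configparser

# Constructed sssd.conf fragment using the flatname, as in the ticket.
# The section headers are assumptions; the ticket shows only the options.
CONF_FLATNAME = """
[sssd]
domains = winchld

[domain/winchld]
ad_domain = WINCHLD.AD.JSTEPHEN
krb5_realm = WINCHLD.AD.JSTEPHEN
"""

# Constructed fragment for the workaround mentioned in the ticket:
# the domain is named by its fully qualified name.
CONF_FQDN = """
[sssd]
domains = winchld.ad.jstephen

[domain/winchld.ad.jstephen]
ad_domain = WINCHLD.AD.JSTEPHEN
krb5_realm = WINCHLD.AD.JSTEPHEN
"""

# Domains reported by the forest, taken from the [new_subdomain] log lines.
DISCOVERED = ["AD.JSTEPHEN", "WINCHLD.AD.JSTEPHEN"]


def load_domain(conf_text):
    """Return (configured domain name, ad_domain) for the single domain."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    name = cp["sssd"]["domains"].strip()
    section = cp["domain/" + name]
    # If ad_domain is absent the configured name is assumed to be the FQDN.
    return name, section.get("ad_domain", name)


def subdomains_buggy(domain_name, discovered):
    """Filter that compares only against the configured domain *name*.

    'winchld' never equals 'WINCHLD.AD.JSTEPHEN', so the joined domain
    survives the filter and is created as a subdomain of itself.
    """
    return [d for d in discovered if d.lower() != domain_name.lower()]


def subdomains_fixed(domain_name, ad_domain, discovered):
    """Filter that also compares against ad_domain, case-insensitively.

    Whichever spelling the administrator used for the domain name, the
    joined domain is recognised and excluded from the subdomain list.
    """
    own = {domain_name.lower(), ad_domain.lower()}
    return [d for d in discovered if d.lower() not in own]


def reproduce(conf_text, fixed=False):
    """Run the buggy or fixed filter over DISCOVERED for a config fragment."""
    name, ad_domain = load_domain(conf_text)
    if fixed:
        return subdomains_fixed(name, ad_domain, DISCOVERED)
    return subdomains_buggy(name, DISCOVERED)


if __name__ == "__main__":
    # Flatname + buggy filter: the joined domain is listed as its own subdomain.
    print("flatname, buggy:", reproduce(CONF_FLATNAME))
    # Flatname + fixed filter: only the parent AD.JSTEPHEN remains.
    print("flatname, fixed:", reproduce(CONF_FLATNAME, fixed=True))
    # FQDN workaround: even the buggy filter behaves, matching the ticket.
    print("fqdn, buggy    :", reproduce(CONF_FQDN))
```

The buggy path reproduces the log above: with `domains = winchld`, the filter keeps WINCHLD.AD.JSTEPHEN and would create it as a subdomain of winchld; the same filter given the FQDN configuration keeps only AD.JSTEPHEN, which is why the downstream workaround is sufficient.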
Thanks for the ticket. Is this request for a downstream version that will stay on 1.13 or for one that will get 1.15 in the next update?
@jhrozek I guess upstream, assuming that is the preferred route; the downstream workaround of using the fully-qualified domain name is sufficient for the person who encountered this bug in 1.13.
Metadata Update from @lslebodn:
- Issue assigned to jstephen
Copyright © 2014-2017 Red Hat