In an effort to simplify the login process we use SSSD 1.16 (1.16.04 el7 copr) with the "domain_resolution_order" parameter to utilize shortnames in an IPA/AD environment. We found an issue, not present in SSSD 1.15, in combination with the Oracle Sqlplus binary. This binary relies upon the OS to determine the authenticated user by translating the UID of the current user to a username. It seems this binary is no longer able to translate the UID from a getuid() call to a username for domain accounts handled by SSSD with SSSD 1.16.
From what I can gather in the sqlplus straces, the SSSD 1.15 workflow is as follows:
getuid()
read(/etc/passwd) # no match
read(/var/lib/sss/mc/passwd) # match for fully_qualified_username
With SSSD 1.16 this is reduced to:
getuid()
read(/etc/passwd) # no match
For some reason the (binary?) /var/lib/sss/mc/passwd is no longer read. The nsswitch config is the same for both 1.15 and 1.16. Ideally the Sqlplus binary would be able to resolve the UID to the shortname of the domain user. It sure seems like the shortname is in the /var/lib/sss/mc/passwd file, it just isn't read at all between releases.
In the worst case, it should be
getuid()
read(/etc/passwd) # no match
read(/var/lib/sss/mc/passwd) # no match
open(/var/lib/sss/pipes/nss) # communicate with sssd_nss over unix socket and return user
Could you check strace and compare where there is a difference? Is there anything in sssd_nss.log after increasing debug_level in the [nss] section?
I added debugging at the 0x4000 level but got no [nss] loglines when running the Oracle sqlplus binary.
I can not spot a difference in the strace right away. Right before it seems to walk the */passwd files it opened the nsswitch.conf config and /lib/libnss_files.so.2 library. Checksums of these files match on both instances of 1.15 and 1.16. On second note. A difference seems to be that the working instance (1.15) opens /lib64/libnss_files.so.2 while 1.16 opens /lib/libnss_files.so.2. In both cases a x64 sssd daemon is running.
I can provide a complete strace but would need notice to clear any sensitive details.
Is the sqlplus binary you use a 64 or 32bit application?
file /path/to/sqlplus
should tell you.
If it is a 32bit application running on the 64bit system you have to install the 32bit version of the sssd-client package as well.
HTH
bye, Sumit
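A sketch of the check suggested above, added as an example and not part of the original thread or of SSSD's tooling: it reads the ELF class of a binary and looks for the SSSD NSS module (libnss_sss.so.2) in the library directory that bitness loads from. The /lib and /lib64 directories are taken from the strace observations in this ticket; the function names and the optional ROOT prefix are hypothetical.

```shell
#!/bin/sh
# elf_class FILE: print 32 or 64 from the EI_CLASS byte (offset 4) of the
# ELF header; fail if FILE does not start with the ELF magic.
elf_class() {
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    class=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$class" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# nss_libdir BITS: directory the NSS modules are loaded from for that
# bitness (assumption: el7 layout, as seen for libnss_files.so.2 in the ticket).
nss_libdir() {
    case "$1" in
        32) echo /lib ;;
        64) echo /lib64 ;;
        *) return 1 ;;
    esac
}

# check_nss_sss FILE [ROOT]: report whether the matching libnss_sss.so.2
# exists. ROOT is a hypothetical prefix so the check can run against a
# constructed directory tree instead of the live system.
check_nss_sss() {
    bits=$(elf_class "$1") || { echo "not-elf"; return 2; }
    mod="${2:-}$(nss_libdir "$bits")/libnss_sss.so.2"
    if [ -e "$mod" ]; then
        echo "ok $bits $mod"
        return 0
    fi
    # A 32-bit process cannot load the 64-bit module, so glibc falls
    # through to the next nsswitch source without ever contacting SSSD.
    echo "missing $bits $mod"
    return 1
}

# Stand-alone use: sh script.sh /path/to/sqlplus
if [ "$#" -gt 0 ]; then
    check_nss_sss "$1"
fi
```

A "missing 32" result corresponds to the case described above, where the 32bit sssd-client package is not installed.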
Since there was no reply for about two weeks, I'm closing the ticket. Please reopen if the suggestion didn't help.
Metadata Update from @jhrozek:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4669
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.