#3659 sssctl domain-list should not rewrite the confdb.ldb file
Closed: wontfix 2 years ago by pbrezina. Opened 4 years ago by fidencio.

While debugging issue #3658 I have noticed that sssctl domain-list rewrites the confdb.ldb file, which does not seem to be the right thing to do.

Here's a reproducer showing the issue:

[root@client ~]# systemctl stop sssd
[root@client ~]# rm -rf /var/lib/sss/db/*
[root@client ~]# systemctl start sssd
[root@client ~]# ldbsearch -H /var/lib/sss/db/config.ldb 
server_sort:Unable to register control with rootdse!
# record 1
dn: cn=sssd,cn=config
cn: sssd
debug_level: 9
domains: ipa.example, domtest, apptest
services: nss, pam, ssh, sudo
distinguishedName: cn=sssd,cn=config

# record 2
dn: cn=config
version: 2
lastUpdate: 1520372218
distinguishedName: cn=config

# record 3
dn: cn=ipa.example,cn=domain,cn=config
access_provider: ipa
auth_provider: ipa
cache_credentials: True
chpass_provider: ipa
cn: ipa.example
id_provider: ipa
ipa_domain: ipa.example
ipa_hostname: client.ipa.example
ipa_server: _srv_, master.ipa.example
krb5_store_password_if_offline: True
ldap_tls_cacert: /etc/ipa/ca.crt
distinguishedName: cn=ipa.example,cn=domain,cn=config

# record 4
dn: cn=nss,cn=config
cn: nss
debug_level: 9
homedir_substring: /home
distinguishedName: cn=nss,cn=config

# record 5
dn: cn=apptest,cn=domain,cn=config
cn: apptest
domain_type: application
id_provider: ldap
ldap_search_base: dc=example,dc=com
ldap_uri: ldap://ldap.example.com
debug_level: 9
inherit_from: domtest
distinguishedName: cn=apptest,cn=domain,cn=config

# record 6
dn: cn=domtest,cn=domain,cn=config
cn: domtest
id_provider: ldap
ldap_search_base: dc=example,dc=com
ldap_uri: ldap://ldap.example.com
distinguishedName: cn=domtest,cn=domain,cn=config

# record 7
dn: cn=sudo,cn=config
cn: sudo
distinguishedName: cn=sudo,cn=config

# record 8
dn: cn=ssh,cn=config
cn: ssh
distinguishedName: cn=ssh,cn=config

# record 9
dn: cn=autofs,cn=config
cn: autofs
distinguishedName: cn=autofs,cn=config

# record 10
dn: cn=ifp,cn=config
cn: ifp
distinguishedName: cn=ifp,cn=config

# record 11
dn: cn=secrets,cn=config
cn: secrets
distinguishedName: cn=secrets,cn=config

# record 12
dn: cn=pac,cn=config
cn: pac
distinguishedName: cn=pac,cn=config

# record 13
dn: cn=pam,cn=config
cn: pam
distinguishedName: cn=pam,cn=config

# record 14
dn: cn=apptest,cn=application,cn=config
cn: apptest
debug_level: 9
inherit_from: domtest
distinguishedName: cn=apptest,cn=application,cn=config

# record 15
dn: cn=session_recording,cn=config
cn: session_recording
distinguishedName: cn=session_recording,cn=config

# returned 15 records
# 15 entries
# 0 referrals
[root@client ~]# sssctl domain-list
(Wed Mar  7 10:30:24:077373 2018) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [apptest]
(Wed Mar  7 10:30:24:077448 2018) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [apptest], skipping!
ipa.example
domtest
[root@client ~]# ldbsearch -H /var/lib/sss/db/config.ldb 
server_sort:Unable to register control with rootdse!
# record 1
dn: cn=sssd,cn=config
cn: sssd
debug_level: 9
domains: ipa.example, domtest, apptest
services: nss, pam, ssh, sudo
distinguishedName: cn=sssd,cn=config

# record 2
dn: cn=config
version: 2
lastUpdate: 1520372218
distinguishedName: cn=config

# record 3
dn: cn=ipa.example,cn=domain,cn=config
access_provider: ipa
auth_provider: ipa
cache_credentials: True
chpass_provider: ipa
cn: ipa.example
id_provider: ipa
ipa_domain: ipa.example
ipa_hostname: client.ipa.example
ipa_server: _srv_, master.ipa.example
krb5_store_password_if_offline: True
ldap_tls_cacert: /etc/ipa/ca.crt
distinguishedName: cn=ipa.example,cn=domain,cn=config

# record 4
dn: cn=nss,cn=config
cn: nss
debug_level: 9
homedir_substring: /home
distinguishedName: cn=nss,cn=config

# record 5
dn: cn=domtest,cn=domain,cn=config
cn: domtest
id_provider: ldap
ldap_search_base: dc=example,dc=com
ldap_uri: ldap://ldap.example.com
distinguishedName: cn=domtest,cn=domain,cn=config

# record 6
dn: cn=sudo,cn=config
cn: sudo
distinguishedName: cn=sudo,cn=config

# record 7
dn: cn=ssh,cn=config
cn: ssh
distinguishedName: cn=ssh,cn=config

# record 8
dn: cn=autofs,cn=config
cn: autofs
distinguishedName: cn=autofs,cn=config

# record 9
dn: cn=ifp,cn=config
cn: ifp
distinguishedName: cn=ifp,cn=config

# record 10
dn: cn=secrets,cn=config
cn: secrets
distinguishedName: cn=secrets,cn=config

# record 11
dn: cn=pac,cn=config
cn: pac
distinguishedName: cn=pac,cn=config

# record 12
dn: cn=pam,cn=config
cn: pam
distinguishedName: cn=pam,cn=config

# record 13
dn: cn=apptest,cn=application,cn=config
cn: apptest
debug_level: 9
inherit_from: domtest
distinguishedName: cn=apptest,cn=application,cn=config

# record 14
dn: cn=session_recording,cn=config
cn: session_recording
distinguishedName: cn=session_recording,cn=config

# returned 14 records
# 14 entries
# 0 referrals

This looks like the root cause of issue #3658, but as I'm not sure whether it's the intended behavior or not, I took the path to open this new issue and have the outcome of the discussion recorded.
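The two dumps in the report differ by a single record, but `ldbsearch` renumbers every `# record N` comment after the removed entry, so a line-by-line diff is noisy. The following is an added example, not part of the original report or of SSSD: a small Python comparison keyed by DN. The function names `parse_ldb_dump` and `diff_dumps` are hypothetical, and the sample input is abridged from the dumps above.

```python
# Added example: compare two `ldbsearch` dumps by DN rather than line by line.
# Only plain "attr: value" lines are handled; folded and base64 values are not.

def parse_ldb_dump(text):
    """Return {dn: {attr: [values]}} parsed from ldbsearch text output."""
    records, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            current = None  # a blank line or "# record N" ends the record
            continue
        attr, sep, value = line.partition(":")
        if attr == "dn" and sep:
            current = records.setdefault(value.strip(), {})
        elif sep and current is not None:  # skips diagnostics before record 1
            current.setdefault(attr, []).append(value.strip())
    return records

def diff_dumps(before, after):
    """Report DNs removed, added, or changed between two dumps."""
    b, a = parse_ldb_dump(before), parse_ldb_dump(after)
    return {
        "removed": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "changed": sorted(dn for dn in set(a) & set(b) if a[dn] != b[dn]),
    }

# Constructed sample, abridged from the two dumps in the report above.
BEFORE = """\
server_sort:Unable to register control with rootdse!
# record 1
dn: cn=apptest,cn=domain,cn=config
cn: apptest
inherit_from: domtest

# record 2
dn: cn=domtest,cn=domain,cn=config
cn: domtest
id_provider: ldap
"""
AFTER = """\
# record 1
dn: cn=domtest,cn=domain,cn=config
cn: domtest
id_provider: ldap
"""

if __name__ == "__main__":
    print(diff_dumps(BEFORE, AFTER))
```

On a live system, the inputs would be the saved output of `ldbsearch -H /var/lib/sss/db/config.ldb` taken before and after running the command under test.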


Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.0

4 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1 (was: SSSD 2.0)

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2 (was: SSSD 2.1)

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.3 (was: SSSD 2.2)

2 years ago

Metadata Update from @thalman:
- Issue tagged with: Canditate to close

2 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

2 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4679

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
