#3659 sssctl domain-list should not rewrite the confdb.ldb file

Created 2 months ago by fidencio
Modified 2 months ago

While debugging issue #3658 I noticed that `sssctl domain-list` rewrites the confdb (`/var/lib/sss/db/config.ldb`), which does not look right: a command that only lists domains should open the configuration database read-only and leave it untouched. In the reproducer below the rewrite is not even a no-op — the `cn=apptest,cn=domain,cn=config` entry present before the command (record 5 of the first `ldbsearch` dump) is missing afterwards, and the dump shrinks from 15 to 14 records.

Here's a reproducer showing the issue (compare the `cn=apptest,cn=domain,cn=config` record in the first `ldbsearch` dump with its absence in the second, and note the "Unknown domain [apptest]" errors printed by `sssctl domain-list`):

[root@client ~]# systemctl stop sssd
[root@client ~]# rm -rf /var/lib/sss/db/*
[root@client ~]# systemctl start sssd
[root@client ~]# ldbsearch -H /var/lib/sss/db/config.ldb 
server_sort:Unable to register control with rootdse!
# record 1
dn: cn=sssd,cn=config
cn: sssd
debug_level: 9
domains: ipa.example, domtest, apptest
services: nss, pam, ssh, sudo
distinguishedName: cn=sssd,cn=config

# record 2
dn: cn=config
version: 2
lastUpdate: 1520372218
distinguishedName: cn=config

# record 3
dn: cn=ipa.example,cn=domain,cn=config
access_provider: ipa
auth_provider: ipa
cache_credentials: True
chpass_provider: ipa
cn: ipa.example
id_provider: ipa
ipa_domain: ipa.example
ipa_hostname: client.ipa.example
ipa_server: _srv_, master.ipa.example
krb5_store_password_if_offline: True
ldap_tls_cacert: /etc/ipa/ca.crt
distinguishedName: cn=ipa.example,cn=domain,cn=config

# record 4
dn: cn=nss,cn=config
cn: nss
debug_level: 9
homedir_substring: /home
distinguishedName: cn=nss,cn=config

# record 5
dn: cn=apptest,cn=domain,cn=config
cn: apptest
domain_type: application
id_provider: ldap
ldap_search_base: dc=example,dc=com
ldap_uri: ldap://ldap.example.com
debug_level: 9
inherit_from: domtest
distinguishedName: cn=apptest,cn=domain,cn=config

# record 6
dn: cn=domtest,cn=domain,cn=config
cn: domtest
id_provider: ldap
ldap_search_base: dc=example,dc=com
ldap_uri: ldap://ldap.example.com
distinguishedName: cn=domtest,cn=domain,cn=config

# record 7
dn: cn=sudo,cn=config
cn: sudo
distinguishedName: cn=sudo,cn=config

# record 8
dn: cn=ssh,cn=config
cn: ssh
distinguishedName: cn=ssh,cn=config

# record 9
dn: cn=autofs,cn=config
cn: autofs
distinguishedName: cn=autofs,cn=config

# record 10
dn: cn=ifp,cn=config
cn: ifp
distinguishedName: cn=ifp,cn=config

# record 11
dn: cn=secrets,cn=config
cn: secrets
distinguishedName: cn=secrets,cn=config

# record 12
dn: cn=pac,cn=config
cn: pac
distinguishedName: cn=pac,cn=config

# record 13
dn: cn=pam,cn=config
cn: pam
distinguishedName: cn=pam,cn=config

# record 14
dn: cn=apptest,cn=application,cn=config
cn: apptest
debug_level: 9
inherit_from: domtest
distinguishedName: cn=apptest,cn=application,cn=config

# record 15
dn: cn=session_recording,cn=config
cn: session_recording
distinguishedName: cn=session_recording,cn=config

# returned 15 records
# 15 entries
# 0 referrals
[root@client ~]# sssctl domain-list
(Wed Mar  7 10:30:24:077373 2018) [sssd] [confdb_get_domain_internal] (0x0010): Unknown domain [apptest]
(Wed Mar  7 10:30:24:077448 2018) [sssd] [confdb_get_domains] (0x0010): Error (2 [No such file or directory]) retrieving domain [apptest], skipping!
ipa.example
domtest
[root@client ~]# ldbsearch -H /var/lib/sss/db/config.ldb 
server_sort:Unable to register control with rootdse!
# record 1
dn: cn=sssd,cn=config
cn: sssd
debug_level: 9
domains: ipa.example, domtest, apptest
services: nss, pam, ssh, sudo
distinguishedName: cn=sssd,cn=config

# record 2
dn: cn=config
version: 2
lastUpdate: 1520372218
distinguishedName: cn=config

# record 3
dn: cn=ipa.example,cn=domain,cn=config
access_provider: ipa
auth_provider: ipa
cache_credentials: True
chpass_provider: ipa
cn: ipa.example
id_provider: ipa
ipa_domain: ipa.example
ipa_hostname: client.ipa.example
ipa_server: _srv_, master.ipa.example
krb5_store_password_if_offline: True
ldap_tls_cacert: /etc/ipa/ca.crt
distinguishedName: cn=ipa.example,cn=domain,cn=config

# record 4
dn: cn=nss,cn=config
cn: nss
debug_level: 9
homedir_substring: /home
distinguishedName: cn=nss,cn=config

# record 5
dn: cn=domtest,cn=domain,cn=config
cn: domtest
id_provider: ldap
ldap_search_base: dc=example,dc=com
ldap_uri: ldap://ldap.example.com
distinguishedName: cn=domtest,cn=domain,cn=config

# record 6
dn: cn=sudo,cn=config
cn: sudo
distinguishedName: cn=sudo,cn=config

# record 7
dn: cn=ssh,cn=config
cn: ssh
distinguishedName: cn=ssh,cn=config

# record 8
dn: cn=autofs,cn=config
cn: autofs
distinguishedName: cn=autofs,cn=config

# record 9
dn: cn=ifp,cn=config
cn: ifp
distinguishedName: cn=ifp,cn=config

# record 10
dn: cn=secrets,cn=config
cn: secrets
distinguishedName: cn=secrets,cn=config

# record 11
dn: cn=pac,cn=config
cn: pac
distinguishedName: cn=pac,cn=config

# record 12
dn: cn=pam,cn=config
cn: pam
distinguishedName: cn=pam,cn=config

# record 13
dn: cn=apptest,cn=application,cn=config
cn: apptest
debug_level: 9
inherit_from: domtest
distinguishedName: cn=apptest,cn=application,cn=config

# record 14
dn: cn=session_recording,cn=config
cn: session_recording
distinguishedName: cn=session_recording,cn=config

# returned 14 records
# 14 entries
# 0 referrals

This looks like the root cause of issue #3658, but since I'm not sure whether this is intended behaviour, I opened this separate issue so the outcome of the discussion is recorded. Two points seem worth settling here: whether `sssctl` (a diagnostic tool) should ever need write access to the confdb at all, and — if the rewrite is kept — whether it is safe for it to happen while the `sssd` daemon started earlier in the reproducer is still running and using the same file.

2 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.0

