#3706 Hide debug message domain not found for well known sid
Closed: Fixed 5 years ago Opened 6 years ago by pbrezina.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1565761

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
Some SIDs which are well known and static should not be looked up in AD, for example: https://support.microsoft.com/en-in/help/243330/well-known-security-identifiers-in-windows-operating-systems

Lookups of these well-known SIDs should not be necessary (due to the static
nature, the data could be built in for faster lookups).

We see entries like

[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-573

Grep for identical entries reveals the full list of well-known SIDs with log
entries as follows:

  S-1-5-32-545
  S-1-5-32-548
  S-1-5-32-549
  S-1-5-32-550
  S-1-5-32-551
  S-1-5-32-555
  S-1-5-32-573

Looks like this code will fix the issue:

    /* ./src/providers/ldap/sdap_async_initgroups_ad.c */
    sdap_ad_save_group_membership_with_idmapping(){
        const char *domptr;
        const char *nameptr;

        /* Only look up the domain when the SID is not a well-known one. */
        if (well_known_sid_to_name(sid, &domptr, &nameptr) != EOK) { /* <<<<<<< */
            domain = sss_get_domain_by_sid_ldap_fallback(user_dom, sid);
            if (domain == NULL) {
                DEBUG(SSSDBG_MINOR_FAILURE, "Domain not found for SID %s\n", sid);
                continue;
            }
        } /* <<<<<<< */
    }

But need to test it.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2
- Issue tagged with: easyfix

6 years ago

@amitkumar25nov yes, I think something like this, although I think it might be better to only call the well_known function in the fail handler to avoid printing the debug message, otherwise we would convert the sid to name needlessly.

It might be cleanest to add an is_well_known_sid function, but I'm not sure if it's worth extending the API because of this single use-case.
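The ordering discussed in the comment above (domain lookup first, well-known check only on the failure path), as an added example that is not SSSD's code and not from this thread. `find_domain`, `is_builtin_alias_sid`, `classify_sid` and the domain SID are hypothetical stand-ins, and the well-known check is simplified to the BUILTIN `S-1-5-32-<RID>` form seen in the reported log entries.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample domain SID standing in for the configured AD domain. */
static const char *known_domain_sid = "S-1-5-21-1111-2222-3333";

/* Hypothetical domain lookup: SID is the domain SID followed by "-<RID>". */
static int find_domain(const char *sid)
{
    size_t n = strlen(known_domain_sid);
    return strncmp(sid, known_domain_sid, n) == 0 && sid[n] == '-';
}

/* Simplified well-known check (assumption): BUILTIN aliases S-1-5-32-<RID>
 * with a strictly numeric RID, so "S-1-5-32-" and "S-1-5-32-5x" do not match. */
static int is_builtin_alias_sid(const char *sid)
{
    static const char prefix[] = "S-1-5-32-";
    size_t plen = sizeof(prefix) - 1, n;
    if (strncmp(sid, prefix, plen) != 0) return 0;
    n = strspn(sid + plen, "0123456789");
    return n > 0 && sid[plen + n] == '\0';
}

enum sid_result { SID_MAPPED, SID_SKIPPED_QUIET, SID_SKIPPED_LOGGED };

/* Domain lookup first; the well-known check runs only on the failure path. */
static enum sid_result classify_sid(const char *sid)
{
    if (find_domain(sid)) return SID_MAPPED;
    if (is_builtin_alias_sid(sid)) return SID_SKIPPED_QUIET;
    fprintf(stderr, "Domain not found for SID %s\n", sid);
    return SID_SKIPPED_LOGGED;
}

/* Constructed tokenGroups-style sample: one mapped, two BUILTIN, one unknown. */
static const char *sample_sids[] = {
    "S-1-5-21-1111-2222-3333-1104", "S-1-5-32-545", "S-1-5-32-573",
    "S-1-5-21-9999-8888-7777-513" };

int main(void)
{
    int logged = 0;
    for (size_t i = 0; i < sizeof(sample_sids) / sizeof(sample_sids[0]); i++)
        logged += classify_sid(sample_sids[i]) == SID_SKIPPED_LOGGED;
    printf("messages logged: %d\n", logged);
    return 0;
}
```

Only the SID from the unknown domain still produces the message; a malformed BUILTIN-looking SID is not silenced.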

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1565761

6 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR, bug

5 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

5 years ago

Metadata Update from @jhrozek:
- Issue priority set to: minor

5 years ago

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4720

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
