#3902 SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust
Closed: Fixed 6 months ago. Opened 6 months ago by sbose.

Ticket was cloned from Red Hat Bugzilla: Bug 1651812

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
SSSD must be cleared/restarted periodically in order to retrieve AD users
through IPA Trust

Version-Release number of selected component (if applicable):
sssd-1.16.2-13.el7.x86_64         Sat Nov 17 00:42:26 2018
ipa-server-4.6.4-10.el7.x86_64    Sat Nov 17 00:42:51 2018

How reproducible:
Sporadically (not on a schedule)

Steps to Reproduce:
1. Set up IPA with the above-mentioned packages and establish a Trust with AD
2. Wait a while (undetermined time, trying to clarify this)

Actual results:
At times, AD users can't be found.

Expected results:
All AD users to be found consistently


Additional info:

1) The IPA servers having these issues have been configured as Trust
Controllers.  All testing has been performed on IPA Servers, not Clients.

2) The AD users that don't get retrieved have the same properties as users that
don't disappear:

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1651812

6 months ago

The reason for the issue is two-fold.

First, each trusted AD domain has a failover context for the global catalog. This is expected, but only one should be used: since all global catalogs have the same content, it is sufficient to have one connection. In the AD provider the context of the configured domain is used. In the IPA provider there is currently no dedicated context, but all can be used.

Second, the fix for #3015 is wrong in giving the same name to all global catalog failover contexts. As a result, if a global catalog is looked up, the data of the selected global catalog will override the context data for each domain, which includes data about the LDAP connection as well. Since all contexts can be used, there is the chance that during a request an LDAP lookup might be run against a DC of a different domain. As a result the object is not found and is deleted from SSSD's cache.

To fix this, the fix for #3015 should be reverted and the IPA provider should use a dedicated failover context for the global catalog; the context related to the forest root domain seems to be the most obvious.
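The name collision sbose describes, modelled as an added example. This is not SSSD's fail_over code and does not use its API; the registry, the two-domain forest, the server names and the users are constructed here so that the mechanism is visible offline: contexts registered under one shared name overwrite each other, so a GC lookup for one domain pulls in another domain's context data and the follow-up LDAP search hits a DC that does not hold the user, which then gets evicted from the cache. The "fixed" variant keeps distinct per-domain LDAP contexts and one dedicated GC context tied to the forest root.

```python
"""Toy model of the failover-context name collision from SSSD #3902.
Added illustration only: not SSSD's fail_over code; the forest, servers,
users and the registry below are constructed for the example."""

from dataclasses import dataclass


@dataclass
class DomainCtx:
    """Context data of one AD domain: its LDAP (DC) servers and GC servers."""
    name: str
    ldap_servers: list
    gc_servers: list


# Constructed two-domain forest: a root and one child domain.
ROOT = DomainCtx("ad.example.com",
                 ["dc1.ad.example.com"], ["gc1.ad.example.com"])
CHILD = DomainCtx("child.ad.example.com",
                  ["dc1.child.ad.example.com"], ["gc1.child.ad.example.com"])

# A DC only holds its own domain; every GC holds the whole forest, which is
# why one GC connection would be enough ("all global catalogs have the same content").
DC_CONTENT = {
    "dc1.ad.example.com": {"alice@ad.example.com"},
    "dc1.child.ad.example.com": {"bob@child.ad.example.com"},
}
FOREST_USERS = DC_CONTENT["dc1.ad.example.com"] | DC_CONTENT["dc1.child.ad.example.com"]
GC_CONTENT = {"gc1.ad.example.com": FOREST_USERS,
              "gc1.child.ad.example.com": FOREST_USERS}


def register(registry, name, ctx):
    """Register context data under a failover-context name. A second
    registration under the same name silently replaces the first."""
    registry[name] = ctx


def two_step_lookup(gc_ctx, ldap_ctx, user, cache):
    """GC search first, then the domain-local LDAP search. A miss in either
    step drops the user from the cache (the symptom from the bug report)."""
    gc = gc_ctx.gc_servers[0]
    dc = ldap_ctx.ldap_servers[0]
    if user in GC_CONTENT[gc] and user in DC_CONTENT[dc]:
        cache.add(user)
        return dc
    cache.discard(user)
    return None


def buggy_lookup(user, domain, cache):
    """Every domain registers its GC context under the one name "gc", so the
    last registration wins for everybody. The selected GC's context data then
    overrides the requesting domain's context data, LDAP connection included."""
    registry = {}
    for d in (ROOT, CHILD):
        register(registry, f"ldap:{d.name}", d)
        register(registry, "gc", d)          # shared name: last one (CHILD) wins
    gc_ctx = registry["gc"]
    register(registry, f"ldap:{domain.name}", gc_ctx)   # the override step
    return two_step_lookup(gc_ctx, registry[f"ldap:{domain.name}"], user, cache)


def fixed_lookup(user, domain, cache):
    """Distinct per-domain LDAP contexts plus one dedicated GC context tied to
    the forest root: the LDAP step always goes to the caller's own DC."""
    registry = {}
    for d in (ROOT, CHILD):
        register(registry, f"ldap:{d.name}", d)
    register(registry, f"gc:{ROOT.name}", ROOT)
    return two_step_lookup(registry[f"gc:{ROOT.name}"],
                           registry[f"ldap:{domain.name}"], user, cache)


if __name__ == "__main__":
    for fn in (buggy_lookup, fixed_lookup):
        cache = set(FOREST_USERS)
        for user, dom in (("alice@ad.example.com", ROOT),
                          ("bob@child.ad.example.com", CHILD)):
            print(fn.__name__, user, "->", fn(user, dom, cache), "cache:", sorted(cache))
```

With the shared name, the root-domain user is searched on the child's DC, is not found and disappears from the cache, while the child-domain user happens to work because the child's registration was the last one to land. With the dedicated forest-root GC context both users resolve against their own DC.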

Metadata Update from @sbose:
- Issue assigned to sbose

6 months ago

Commit 62d671b relates to this ticket

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1

6 months ago
