Ticket was cloned from Red Hat Bugzilla: Bug 1651812
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
SSSD must be cleared/restarted periodically in order to retrieve AD users through IPA Trust

Version-Release number of selected component (if applicable):
sssd-1.16.2-13.el7.x86_64 Sat Nov 17 00:42:26 2018
ipa-server-4.6.4-10.el7.x86_64 Sat Nov 17 00:42:51 2018

How reproducible:
Sporadically (not on a schedule)

Steps to Reproduce:
1. Set up IPA with the above-mentioned packages and establish a Trust with AD
2. Wait a while (undetermined time, trying to clarify this)

Actual results:
At times, AD users can't be found.

Expected results:
All AD users to be found consistently

Additional info:
1) The IPA servers having these issues have been configured as Trust Controllers. All testing has been performed on IPA Servers, not Clients.
2) The AD users that don't get retrieved have the same properties as users that don't disappear:
Metadata Update from @sbose: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1651812
The reason for the issue is two-fold.
First, each trusted AD domain has a failover context for the global catalog. This is expected, but only one should be used: since all global catalogs have the same content, it is sufficient to have one connection. In the AD provider the context of the configured domain is used. In the IPA provider there is currently no dedicated context, but all can be used.
Second, the fix for #3015 is wrong in that it gives the same name to all global catalog failover contexts. As a result, if a global catalog is looked up, the data of the selected global catalog will override the context data for each domain, which includes data about the LDAP connection as well. Since all contexts can be used, there is the chance that during a request an LDAP lookup might be run against a DC of a different domain. As a result the object is not found and is deleted from SSSD's cache.
To fix this, the fix for #3015 should be reverted and the IPA provider should use a dedicated failover context for the global catalog; the context related to the forest root domain seems to be the most obvious choice.
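The following is an added illustration of the failure mode described in the comment above; it is not SSSD code and is not taken from the ticket or pull request. Every name in it (FailoverContext, IpaProvider, the forest, domain and DC names) is invented, and the "any context can be used" behaviour is modelled deterministically as "reuse the context most recently touched by failover", a stand-in chosen so the wrong-DC case can be reproduced on demand. It contrasts a build where all GC failover contexts share one name with a build that uses one dedicated GC context tied to the forest root.

```python
"""Constructed model of a global-catalog failover-context name collision.

Added example, not SSSD code: all classes, functions, domains and hostnames
here are invented for illustration.
"""
from dataclasses import dataclass

FOREST_ROOT = "forest.example"
# Constructed forest: one DC per domain. A DC answers plain LDAP lookups only
# for users of its own domain; any DC may also serve as a global catalog (GC).
FOREST = {
    "forest.example":       {"dc": "dc1.forest.example",       "users": {"rootadmin"}},
    "child.forest.example": {"dc": "dc1.child.forest.example", "users": {"alice"}},
}


def ldap_lookup(dc: str, user: str, domain: str) -> bool:
    """Plain LDAP query against one DC; it only knows its own domain's users."""
    owner = next(d for d, info in FOREST.items() if info["dc"] == dc)
    return owner == domain and user in FOREST[owner]["users"]


@dataclass
class FailoverContext:
    # The context carries the LDAP connection target as well; that is the data
    # the ticket says is overridden when GC contexts share one name.
    name: str
    server: str


class IpaProvider:
    """Trust-domain lookups with shared (buggy) or dedicated (fixed) GC contexts."""

    def __init__(self, dedicated_gc: bool):
        self.dedicated_gc = dedicated_gc
        self.registry = {}        # failover-context name -> FailoverContext
        self.ldap_ctx = {}        # domain -> its own LDAP context
        self.gc_ctx = {}          # domain -> the GC context it was given
        self.cache = set()        # (user, domain) pairs currently cached
        self.last_resolved = None  # context most recently touched by failover
        for domain, info in FOREST.items():
            self.ldap_ctx[domain] = self._register(f"ldap:{domain}", info["dc"])
            # Buggy build: every domain's GC context is named "gc", so the
            # registry hands every domain the same object. Fixed build: one
            # dedicated GC context tied to the forest root.
            gc_name = f"gc:{FOREST_ROOT}" if dedicated_gc else "gc"
            gc_dc = FOREST[FOREST_ROOT]["dc"] if dedicated_gc else info["dc"]
            self.gc_ctx[domain] = self._register(gc_name, gc_dc)

    def _register(self, name: str, server: str) -> FailoverContext:
        # Same name -> same context object; a later registration does not
        # replace it, but a later GC resolution overwrites its server data.
        return self.registry.setdefault(name, FailoverContext(name, server))

    def resolve_gc(self, domain: str) -> str:
        """Failover selects a GC for `domain` and writes it into that domain's GC context."""
        ctx = self.gc_ctx[domain]
        ctx.server = FOREST[FOREST_ROOT]["dc"] if self.dedicated_gc else FOREST[domain]["dc"]
        self.last_resolved = ctx
        return ctx.server

    def lookup_user(self, user: str, domain: str) -> bool:
        """Fetch a user over LDAP; evict it from the cache if the DC does not return it."""
        if self.dedicated_gc or self.last_resolved is None:
            ctx = self.ldap_ctx[domain]   # always this domain's own DC
        else:
            # "All contexts can be used": modelled as reusing the context most
            # recently touched by failover, which may now point at another domain's DC.
            ctx = self.last_resolved
        found = ldap_lookup(ctx.server, user, domain)
        if found:
            self.cache.add((user, domain))
        else:
            self.cache.discard((user, domain))
        return found


def scenario(dedicated_gc: bool) -> dict:
    """Look up a root-domain user, resolve a GC for the child domain, look the user up again."""
    p = IpaProvider(dedicated_gc)
    first = p.lookup_user("rootadmin", FOREST_ROOT)
    p.resolve_gc("child.forest.example")
    after_gc = p.lookup_user("rootadmin", FOREST_ROOT)
    return {"first": first, "after_gc": after_gc,
            "cached": ("rootadmin", FOREST_ROOT) in p.cache}


if __name__ == "__main__":
    print("shared GC context name:", scenario(dedicated_gc=False))
    print("dedicated GC context:  ", scenario(dedicated_gc=True))
```

In the shared-name build the child-domain GC resolution rewrites the single "gc" context, the next root-domain request reuses it, the LDAP query lands on the child DC, the user is not found and is evicted from the cache, which is the symptom the reporter saw. With a dedicated forest-root GC context the per-domain LDAP contexts are never touched and the second lookup succeeds.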
Metadata Update from @sbose: - Issue assigned to sbose
https://github.com/SSSD/sssd/pull/711
Commit 62d671b relates to this ticket
Metadata Update from @jhrozek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4887
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for any inconvenience.