#3911 Re-setting the trusted AD domain fails due to wrong subdomain service name being used
Closed: Fixed 6 months ago by jhrozek. Opened 7 months ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1659498

Created attachment 1514383
reproducer script, sssd logs, sssd configs

Description of problem:
After establishing trust between IPA server and AD we need to wait for several
minutes before we can get the result of the "id user@ADOMAIN" command.

Version-Release number of selected component (if applicable):
sssd-common-2.0.0-23.el8.x86_64


How reproducible:
Stable

Steps to Reproduce:
1. have IPA server and AD server configured and prepared for establishing trust
2. ipa trust-add windows.domain --admin Administrator --type=ad --external=true
3. run "id administrator@windows.domain"
4. repeatedly execute same command for 1-2 minutes

Actual results:
for about one or two minutes we get
"id: ‘administrator@windows.domain’: no such user"
and then finally we get user id and group membership

Expected results:
user id and group membership displayed on first invocation of "id"


Additional info:
I attach:
 * reproducer script
 * output of script run
 * log files of sssd collected during this run
 * sssd config files


Comment by Jakub Hrozek:

For reasons I forgot we renamed all subdomain services to start with the
"sd_" prefix:
    (Thu Dec 13 05:29:20 2018) [sssd[be[testrelm.test]]] [fo_new_service] (0x0400): Creating new service 'sd_ipaad2016.test'

But what happens in your environment is that the first lookup fails:
    (Thu Dec 13 05:29:30 2018) [sssd[be[testrelm.test]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
    (Thu Dec 13 05:29:30 2018) [sssd[be[testrelm.test]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)

And then when we want to re-set the domain status, we use the name
without the "sd_" prefix apparently:
    (Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [ipa_srv_ad_acct_retried] (0x0400): Subdomain re-set, will retry lookup
    (Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service ipaad2016.test
    (Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [ipaad2016.test]

So a domain is not re-set until an internal timeout expires.
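As an added triage aid (not part of this ticket or of SSSD's own code), a small checker that spots the name mismatch described above in an sssd backend log: it records every name passed to fo_new_service and flags a "Cannot retrieve service" line whose name is only known with the "sd_" prefix. The sample log lines are the ones quoted in the comment, re-joined onto single lines; the prefix and the two message formats are taken from those lines.

```python
import re

# Constructed sample: the sssd_be log lines quoted in the comment above,
# each re-joined onto a single line.
SAMPLE_LOG = """\
(Thu Dec 13 05:29:20 2018) [sssd[be[testrelm.test]]] [fo_new_service] (0x0400): Creating new service 'sd_ipaad2016.test'
(Thu Dec 13 05:29:30 2018) [sssd[be[testrelm.test]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [ipa_srv_ad_acct_retried] (0x0400): Subdomain re-set, will retry lookup
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service ipaad2016.test
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [ipaad2016.test]
"""

# Prefix given to subdomain failover services, as seen in the log above.
SUBDOMAIN_PREFIX = "sd_"

# Message formats copied from the quoted log lines.
CREATE_RE = re.compile(
    r"\[fo_new_service\] \(0x[0-9a-f]+\): Creating new service '([^']+)'")
MISSING_RE = re.compile(
    r"\[be_fo_reset_svc\] \(0x[0-9a-f]+\): Cannot retrieve service \[([^\]]+)\]")


def find_prefix_mismatches(log_text):
    """Return (requested, registered) pairs for every failed reset whose
    service name was never created, while the same name with the 'sd_'
    prefix was.  Such a pair means the reset silently hit the wrong name."""
    created = set()
    mismatches = []
    for line in log_text.splitlines():
        m = CREATE_RE.search(line)
        if m:
            created.add(m.group(1))
            continue
        m = MISSING_RE.search(line)
        if m:
            name = m.group(1)
            prefixed = SUBDOMAIN_PREFIX + name
            if name not in created and prefixed in created:
                mismatches.append((name, prefixed))
    return mismatches


if __name__ == "__main__":
    for requested, registered in find_prefix_mismatches(SAMPLE_LOG):
        print(f"reset asked for '{requested}' but failover only knows '{registered}'")
```

Run it against a real sssd_be log (debug_level 0x1000 or higher) to confirm whether a slow post-trust lookup is this bug or an ordinary failover timeout.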

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1659498

7 months ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek

6 months ago

Metadata Update from @jhrozek:
- Issue tagged with: PR, bug

6 months ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1

6 months ago
