Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1659498
Created attachment 1514383
reproducer script, sssd logs, sssd configs

Description of problem:
After establishing trust between IPA server and AD we need to wait for several minutes before we can get result of "id user@ADOMAIN" command.

Version-Release number of selected component (if applicable):
sssd-common-2.0.0-23.el8.x86_64

How reproducible:
Stable

Steps to Reproduce:
1. have IPA server and AD server configured and prepared for establishing trust
2. ipa trust-add windows.domain --admin Administrator --type=ad --external=true
3. run "id administrator@windows.domain"
4. repeatedly execute same command for 1-2 minutes

Actual results:
for about one or two minutes we get "id: ‘administrator@windows.domain’: no such user" and then finally we get user id and group membership

Expected results:
user id and group membership displayed on first invocation of "id"

Additional info:
I attach:
* reproducer script
* output of script run
* log files of sssd collected during this run
* sssd config files

Comment by Jakub Hrozek:

For reasons I forgot we renamed all subdomain services to start with the "sd_" prefix:

(Thu Dec 13 05:29:20 2018) [sssd[be[testrelm.test]]] [fo_new_service] (0x0400): Creating new service 'sd_ipaad2016.test'

But what happens in your environment is that the first lookup fails:

(Thu Dec 13 05:29:30 2018) [sssd[be[testrelm.test]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Thu Dec 13 05:29:30 2018) [sssd[be[testrelm.test]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)

And then when we want to re-set the domain status, we use the name without the "sd_" prefix apparently:

(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [ipa_srv_ad_acct_retried] (0x0400): Subdomain re-set, will retry lookup
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service ipaad2016.test
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [ipaad2016.test]

So a domain is not re-set until an internal timeout expires.
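
A log check for the mismatch described in the comment above, as an added example that is not part of the ticket or of SSSD's code: it pairs the service names registered by fo_new_service with the names be_fo_reset_svc failed to retrieve. The function name find_failed_resets and the result fields are assumptions, and the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample: the backend log lines quoted in the comment above.
SAMPLE_LOG = """\
(Thu Dec 13 05:29:20 2018) [sssd[be[testrelm.test]]] [fo_new_service] (0x0400): Creating new service 'sd_ipaad2016.test'
(Thu Dec 13 05:29:30 2018) [sssd[be[testrelm.test]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [ipa_srv_ad_acct_retried] (0x0400): Subdomain re-set, will retry lookup
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service ipaad2016.test
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [ipaad2016.test]
"""

# (timestamp) [sssd[be[<backend domain>]]] [<function>] (<debug level>): <message>
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<backend>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
CREATED_RE = re.compile(r"Creating new service '([^']+)'")
FAILED_RE = re.compile(r"Cannot retrieve service \[([^\]]+)\]")
SUBDOMAIN_PREFIX = "sd_"  # prefix the comment says subdomain services carry


def find_failed_resets(log_text):
    """Return one finding per failed be_fo_reset_svc lookup (hypothetical helper).

    prefix_mismatch is True only when the log also shows the same name being
    registered with the "sd_" prefix, so the log must cover service creation.
    """
    created = {}  # backend domain -> service names seen in fo_new_service
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not backend debug messages
        backend, func, msg = m["backend"], m["func"], m["msg"]
        if func == "fo_new_service":
            c = CREATED_RE.search(msg)
            if c:
                created.setdefault(backend, set()).add(c.group(1))
        elif func == "be_fo_reset_svc":
            f = FAILED_RE.search(msg)
            if f:
                name = f.group(1)
                known = created.get(backend, set())
                mismatch = name not in known and SUBDOMAIN_PREFIX + name in known
                findings.append({"time": m["ts"], "backend": backend,
                                 "requested": name, "prefix_mismatch": mismatch})
    return findings
```
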
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1659498
Metadata Update from @jhrozek: - Issue assigned to jhrozek
PR: https://github.com/SSSD/sssd/pull/721
Metadata Update from @jhrozek: - Issue tagged with: PR, bug
Metadata Update from @jhrozek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4896
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.