Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1684979
Description of problem:
In some situations we recommend the "ldap_deref_threshold=0" setting for sssd for performance enhancement. This setting, when applied, breaks ssh access to IdM clients, as it seems sssd's HBAC code doesn't work when de-reference is disabled.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. enroll a machine to an IdM domain
2. set "ldap_deref_threshold=0" in sssd.conf and restart sssd
3. try to ssh to this machine

Actual results:
SSH access fails and errors similar to the below are captured in the sssd debug logs:

~~~
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55a082395c50], connected[1], ops[0x55a0823cfab0], ldap[0x55a08238ae60]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_get_generic_op_finished] (0x2000): Total count [0]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_op_destructor] (0x2000): Operation 28 finished
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [ipa_host_info_done] (0x0020): Server does not support deref
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [ipa_pam_access_handler_done] (0x0020): Unable to fetch rules [5]: Input/output error
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_req_done] (0x0400): DP Request [PAM Account #7]: Request handler finished [0]: Success
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #7]: Receiving request data.
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #7]: Request removed.
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Account #7]: Sending result [4][example.com]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x55a082395c50], connected[1], ops[(nil)], ldap[0x55a08238ae60]
(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
~~~

Expected results:
SSH access works fine (honoring HBAC rules) while dereference control is set to zero.

Additional info:
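One way to find clients exposed to this failure, as an added example that is not part of the original ticket or of SSSD's code: it flags sssd.conf domains that combine `access_provider = ipa` with `ldap_deref_threshold = 0`, and it finds the log signature quoted above. The function names, the sample config and the sample log lines are constructed here; treating `access_provider = ipa` as the marker for HBAC evaluation is an assumption.

```python
import configparser
import re

# Matches SSSD backend debug lines: [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LOG_RE = re.compile(r"\[sssd\[be\[([^\]]+)\]\]\] \[(\w+)\] \(0x[0-9a-f]+\): (.*)")

def domains_with_deref_disabled(conf_text):
    """Return domains that use the IPA access provider and set ldap_deref_threshold to 0."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # Assumption: HBAC is evaluated only when access_provider is "ipa".
        uses_hbac = opts.get("access_provider", "").strip().lower() == "ipa"
        threshold = opts.get("ldap_deref_threshold", "").strip()
        if uses_hbac and threshold.isdigit() and int(threshold) == 0:
            hits.append(section.split("/", 1)[1])
    return hits

def hbac_deref_failures(log_lines):
    """Return domains where a deref error is followed by an HBAC rule-fetch failure."""
    deref_seen, failed = set(), []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        domain, func, msg = m.groups()
        if func == "ipa_host_info_done" and "does not support deref" in msg:
            deref_seen.add(domain)
        elif func == "ipa_pam_access_handler_done" and "Unable to fetch rules" in msg:
            if domain in deref_seen and domain not in failed:
                failed.append(domain)
            deref_seen.discard(domain)
    return failed

# Constructed sample input, modelled on the report above.
SAMPLE_CONF = "[domain/example.com]\naccess_provider = ipa\nldap_deref_threshold = 0\n"
SAMPLE_LOG = [
    "(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [ipa_host_info_done] (0x0020): Server does not support deref",
    "(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection",
    "(Sun Feb 24 14:27:03 2019) [sssd[be[example.com]]] [ipa_pam_access_handler_done] (0x0020): Unable to fetch rules [5]: Input/output error",
]

if __name__ == "__main__":
    print("config:", domains_with_deref_disabled(SAMPLE_CONF))
    print("log:", hbac_deref_failures(SAMPLE_LOG))
```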
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1684979
PR: https://github.com/SSSD/sssd/pull/773
Metadata Update from @jhrozek: - Issue assigned to jhrozek
Metadata Update from @jhrozek: - Issue tagged with: PR, bug
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1684979, https://bugzilla.redhat.com/show_bug.cgi?id=1684981 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1684979)
Issue linked to Bugzilla: Bug 1684981
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.2
Metadata Update from @jhrozek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4951
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.