#3983 filter_users option is not applied to sub-domains if SSSD starts offline
Closed: Fixed 3 years ago by jhrozek. Opened 3 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1679173

Description of problem:
IPA/AD trust setup with 'domain_resolution_order' set to prefer AD over IdM
domain. In such a setup we see initgroup calls for root triggering LDAP backend

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Setup IdM/AD trust
2.Change domain resolution order to prefer the AD domain: 'ipa config-mod
3.Call 'id root'

Actual results:
LDAP lookups for 'root@ad.domain'

Expected results:
No LDAP lookups root 'root@ad.domain'

Additional info:
Adding 'root@ad.domain' to 'filter_users' in sssd.conf 'nss' section mitigates
the issue.

The issue is related to this (already closed) BZ:

id root triggers an LDAP lookup

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1679173

3 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

3 years ago

Commit 640edac relates to this ticket

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2
- Issue tagged with: bug

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4955

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.