#3983 filter_users option is not applied to sub-domains if SSSD starts offline
Closed: Fixed a year ago by jhrozek. Opened a year ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1679173

Description of problem:
IPA/AD trust setup with 'domain_resolution_order' set to prefer AD over IdM
domain. In such a setup we see initgroup calls for root triggering LDAP backend
lookups.

Version-Release number of selected component (if applicable):
sssd-1.16.0-19.el7

How reproducible:
always

Steps to Reproduce:
1.Setup IdM/AD trust
2.Change domain resolution order to prefer the AD domain: 'ipa config-mod
--domain-resolution-order=ad.domain:ipa.domain'
3.Call 'id root'

Actual results:
LDAP lookups for 'root@ad.domain'

Expected results:
No LDAP lookups root 'root@ad.domain'

Additional info:
Adding 'root@ad.domain' to 'filter_users' in sssd.conf 'nss' section mitigates
the issue.

The issue is related to this (already closed) BZ:

id root triggers an LDAP lookup
https://bugzilla.redhat.com/show_bug.cgi?id=1479983

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1679173

a year ago

Metadata Update from @sbose:
- Issue assigned to sbose

a year ago

Commit 640edac relates to this ticket

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.2
- Issue tagged with: bug

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4955

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata