Ticket was cloned from Red Hat Bugzilla: Bug 1530741
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
I am unsure if this is an IPA, SSSD, or documentation bug, but in an IPA - AD Trust environment disabling a trusted AD domain with 'ipa trustdomain-disable' does not prevent trusted AD users from logging in with SSSD. If this is expected behavior, please clarify the use of 'ipa trustdomain-disable' for Red Hat customers. From the ipa help, it is not exactly clear what this means - 'Disable use of IPA resources by the domain of the trust'

Also, ideally SSSD would ignore these disabled domains to improve non-cached lookup speed/performance of AD objects in environments with many domains. The current behavior end-result is that customers are disabling domains they do not need to resolve AD objects from, but it is not making any noticeable changes unless the trusted domains are removed completely with 'ipa trustdomain-del'.

Version-Release number of selected component (if applicable):
IPA Server 4.5
SSSD 1.15

How reproducible:
Always

Steps to Reproduce:
1. Disable trusted AD domain with ipa trustdomain-disable
2. Restart SSSD and clear SSSD cache
3. Attempt to login with trusted AD domain user

Actual results:
Login succeeds

Expected results:
Would expect login to fail

Additional info:
This impacts customers establishing IPA - AD trusts with AD forest root containing a large number of domains
Metadata Update from @sbose: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1530741
Metadata Update from @sbose: - Issue assigned to sbose
PR: https://github.com/SSSD/sssd/pull/884
Metadata Update from @sbose: - Custom field patch adjusted to on
Commit fa3e53b relates to this ticket
Commit b12e7a4 relates to this ticket
Commit 13297b8 relates to this ticket
Commit 3c871a3 relates to this ticket
Commit 2e16148 relates to this ticket
master
sssd-1-16
Metadata Update from @pbrezina: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
This commit introduces coverity error (compiler warning):
Error: COMPILER_WARNING:
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c: scope_hint: In function 's2n_response_to_attrs'
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:665:20: warning: 'gc' may be used uninitialized in this function [-Wmaybe-uninitialized]
# attrs->ngroups = gc;
# ~~~~~~~~~~~~~~~^~~~
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:566:15: note: 'gc' was declared here
# size_t c, gc;
# ^~
# 663| }
# 664| }
# 665|-> attrs->ngroups = gc;
# 666|
# 667| tag = ber_peek_tag(ber, &ber_len);
Metadata Update from @atikhonov: - Issue status updated to: Open (was: Closed)
@atikhonov, thanks, would you like to send a PR to fix this?
ok, I will.
PR: https://github.com/SSSD/sssd/pull/890
Commit 39e16cc relates to this ticket
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5044
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.