On Thu, Mar 05, 2015 at 08:32:32AM +0100, Łukasz Jaworski wrote:
Hello,
I have group issue on sssd 1.8.6 and 1.11.5 (on ubuntu 12.04 and 14.04) and
freeipa4 (freeipa-server-4.1.2-1 on fedora 21, 389-ds-base-1.3.3.8-1).
If user has assigned Role I couldn't get all groups with id command.
All works for users without role/special permissions.
Information about test users from ipa server:
User with role helpdesk:
# ipa user-show test1
User login: test1
Member of groups: testgroup2, testgroup3, ipausers, testgroup4, testgroup1
Roles: helpdesk
User without role:
# ipa user-show test2
User login: test2
Member of groups: testgroup2, ipausers, testgroup4, testgroup1, testgroup3
Information about user on client (ubuntu 12.04):
# id test1
uid=1016(test1) gid=1016(test1) groups=1016(test1)
# id test2
uid=1022(test2) gid=1022(test2)
groups=1022(test2),1014(testgroup4),1012(testgroup3),1011(testgroup2),1004(testgroup1)
(Thu Mar 5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
name 'test1' matched without domain, user is test1
(Thu Mar 5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
using default domain [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [test1] from [ALL]
(Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100):
Requesting info for [te...@example.com]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info]
(0x0100): Got request for [4099][1][name=test1]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain
SID from [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain
SID from [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_attrs_get_sid_str]
(0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain
SID from [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref]
(0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example]
has no attributes
This ^^ line tells me it's a known SSSD bug:
https://fedorahosted.org/sssd/ticket/2421
This bug only happens in a combination of old client and a particular
server version.
IIRC a subsequent server update fixed the ACIs on the server so that at
least objectClass was readable. You can also work around the bug on the
client by disabling dereference:
ldap_deref_threshold = 0
btw sssd version 1.8 is quite old and not supported upstream anymore..
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project