Re: [Freeipa-users] group issue (freeipa4)

2015-03-05 Thread Jakub Hrozek
On Thu, Mar 05, 2015 at 08:32:32AM +0100, Łukasz Jaworski wrote:
 Hello,
 
 I have a group issue on sssd 1.8.6 and 1.11.5 (on Ubuntu 12.04 and 14.04) and 
 freeipa4 (freeipa-server-4.1.2-1 on Fedora 21, 389-ds-base-1.3.3.8-1).
 
 If a user has a Role assigned, I couldn't get all groups with the id command.
 Everything works for users without a role/special permissions.
 
 Information about test users from ipa server:
 
 User with role helpdesk:
 # ipa user-show test1
   User login: test1
   Member of groups: testgroup2, testgroup3, ipausers, testgroup4, testgroup1
   Roles: helpdesk
 
 User without role:
 # ipa user-show test2
   User login: test2
   Member of groups: testgroup2, ipausers, testgroup4, testgroup1, testgroup3
 
 Information about user on client (ubuntu 12.04):
 
 # id test1
 uid=1016(test1) gid=1016(test1) groups=1016(test1)
 
 # id test2
 uid=1022(test2) gid=1022(test2) 
 groups=1022(test2),1014(testgroup4),1012(testgroup3),1011(testgroup2),1004(testgroup1)
 
 
 (Thu Mar  5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): 
 name 'test1' matched without domain, user is test1
 (Thu Mar  5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): 
 using default domain [(null)]
 (Thu Mar  5 08:23:54 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): 
 Requesting info for [test1] from [ALL]
 (Thu Mar  5 08:23:54 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): 
 Requesting info for [te...@example.com]
 (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info] 
 (0x0100): Got request for [4099][1][name=test1]
 (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] 
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain 
 SID from [(null)]
 (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] 
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain 
 SID from [(null)]
 (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_attrs_get_sid_str] 
 (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
 (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] 
 [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain 
 SID from [(null)]
 (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref] 
 (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example] 
 has no attributes

This ^^ line tells me it's a known SSSD bug:
https://fedorahosted.org/sssd/ticket/2421

This bug only happens in a combination of old client and a particular
server version.

IIRC a subsequent server update fixed the ACIs on the server so that at
least objectClass was readable. You can also work around the bug on the
client by disabling dereference:
ldap_deref_threshold = 0

btw sssd version 1.8 is quite old and not supported upstream anymore..

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
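
An added example, not part of the original thread: a small Python triage script that scans an SSSD backend log for the `sdap_parse_deref` "has no attributes" message quoted above and ties each hit to the most recent `be_get_account_info` request. The sample log is constructed in the format of the lines in the thread, and attributing a hit to the preceding request is an assumption that only holds when requests are not interleaved.

```python
import re

# Constructed sample in the format of the log lines quoted in the thread,
# wrapped across lines the way the mail client wrapped them.
SAMPLE_LOG = """\
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info]
(0x0100): Got request for [4099][1][name=test1]
(Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref]
(0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example]
has no attributes
(Thu Mar  5 08:24:10 2015) [sssd[be[example.com]]] [be_get_account_info]
(0x0100): Got request for [4099][1][name=test2]
"""

RECORD_START = re.compile(r"^\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")
REQUEST = re.compile(r"\[be_get_account_info\].*\[name=([^\]]+)\]")
EMPTY_DEREF = re.compile(r"Dereferenced entry \[([^\]]+)\]\s+has no attributes")

def unwrap(text):
    """Join continuation lines so that each log record is one string."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # wrapped tail of the previous one
    return records

def empty_derefs(text):
    """Map each requested name to the DNs that dereferenced with no attributes."""
    # Assumption: a hit belongs to the most recent account request in the log.
    hits, current = {}, None
    for rec in unwrap(text):
        m = REQUEST.search(rec)
        if m:
            current = m.group(1)
            continue
        m = EMPTY_DEREF.search(rec)
        if m:
            hits.setdefault(current, []).append(m.group(1))
    return hits

if __name__ == "__main__":
    for name, dns in empty_derefs(SAMPLE_LOG).items():
        print(f"{name}: unreadable dereferenced entries: {', '.join(dns)}")
```

The DNs it reports are the entries whose attributes the client could not read, which is where the server-side ACI fix or the client-side `ldap_deref_threshold = 0` workaround mentioned above applies.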

Re: [Freeipa-users] group issue (freeipa4)

2015-03-05 Thread Jakub Hrozek
On Thu, Mar 05, 2015 at 10:22:35AM +0100, Łukasz Jaworski wrote:
  This ^^ line tells me it's a known SSSD bug:
 https://fedorahosted.org/sssd/ticket/2421
  
  This bug only happens in a combination of old client and a particular
  server version.
  
  IIRC a subsequent server update fixed the ACIs on the server so that at
  least objectClass was readable. You can also work around the bug on the
  client by disabling dereference:
 ldap_deref_threshold = 0
  
  btw sssd version 1.8 is quite old and not supported upstream anymore..
 
 Thx.
 
 We will switch to a newer version of sssd.
 
 Best regards,
 Ender

You can also open a bug against Ubuntu and ask them to backport the fix
for #2421, it should be doable (but I haven't tried, really..)


Re: [Freeipa-users] group issue (freeipa4)

2015-03-05 Thread Łukasz Jaworski
 This ^^ line tells me it's a known SSSD bug:
https://fedorahosted.org/sssd/ticket/2421
 
 This bug only happens in a combination of old client and a particular
 server version.
 
 IIRC a subsequent server update fixed the ACIs on the server so that at
 least objectClass was readable. You can also work around the bug on the
 client by disabling dereference:
ldap_deref_threshold = 0
 
 btw sssd version 1.8 is quite old and not supported upstream anymore..

Thx.

We will switch to a newer version of sssd.

Best regards,
Ender
-- 
Łukasz Jaworski

