Re: [Freeipa-users] group issue (freeipa4)
On Thu, Mar 05, 2015 at 10:22:35AM +0100, Łukasz Jaworski wrote:
> > This ^^ line tells me it's a known SSSD bug:
> > https://fedorahosted.org/sssd/ticket/2421
> >
> > This bug only happens in a combination of old client and a particular
> > server version.
> >
> > IIRC a subsequent server update fixed the ACIs on the server so that at
> > least objectClass was readable. You can also work around the bug on the
> > client by disabling dereference:
> > ldap_deref_threshold = 0
> >
> > btw sssd version 1.8 is quite old and not supported upstream anymore..
>
> Thx.
> We will switch to newer version sssd.
>
> Best regards,
> Ender

You can also open a bug against Ubuntu and ask them to backport the fix
for #2421, it should be doable (but I haven't tried, really..)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] group issue (freeipa4)
> This ^^ line tells me it's a known SSSD bug:
> https://fedorahosted.org/sssd/ticket/2421
>
> This bug only happens in a combination of old client and a particular
> server version.
>
> IIRC a subsequent server update fixed the ACIs on the server so that at
> least objectClass was readable. You can also work around the bug on the
> client by disabling dereference:
> ldap_deref_threshold = 0
>
> btw sssd version 1.8 is quite old and not supported upstream anymore..

Thx.
We will switch to newer version sssd.

Best regards,
Ender

--
Łukasz Jaworski

Re: [Freeipa-users] group issue (freeipa4)
On Thu, Mar 05, 2015 at 08:32:32AM +0100, Łukasz Jaworski wrote:
> Hello,
>
> I have group issue on sssd 1.8.6 and 1.11.5 (on ubuntu 12.04 and 14.04) and
> freeipa4 (freeipa-server-4.1.2-1 on fedora 21, 389-ds-base-1.3.3.8-1).
>
> If user has assigned Role I couldn't get all groups with "id" command.
> All works for users without role/special permissions.
>
> Information about test users from ipa server:
>
> User with role helpdesk:
> # ipa user-show test1
> User login: test1
> Member of groups: testgroup2, testgroup3, ipausers, testgroup4, testgroup1
> Roles: helpdesk
>
> User without role:
> # ipa user-show test2
> User login: test2
> Member of groups: testgroup2, ipausers, testgroup4, testgroup1, testgroup3
>
> Information about user on client (ubuntu 12.04):
>
> # id test1
> uid=1016(test1) gid=1016(test1) groups=1016(test1)
>
> # id test2
> uid=1022(test2) gid=1022(test2)
> groups=1022(test2),1014(testgroup4),1012(testgroup3),1011(testgroup2),1004(testgroup1)
>
>
> (Thu Mar 5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
> name 'test1' matched without domain, user is test1
> (Thu Mar 5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
> using default domain [(null)]
> (Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [test1] from []
> (Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100):
> Requesting info for [te...@example.com]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info]
> (0x0100): Got request for [4099][1][name=test1]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain
> SID from [(null)]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain
> SID from [(null)]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_attrs_get_sid_str]
> (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]]
> [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain
> SID from [(null)]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref]
> (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example]
> has no attributes

This ^^ line tells me it's a known SSSD bug:
https://fedorahosted.org/sssd/ticket/2421

This bug only happens in a combination of old client and a particular
server version.

IIRC a subsequent server update fixed the ACIs on the server so that at
least objectClass was readable. You can also work around the bug on the
client by disabling dereference:
ldap_deref_threshold = 0

btw sssd version 1.8 is quite old and not supported upstream anymore..

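Added example, not part of the original thread and not SSSD project code: a log check for the failure signature identified in the reply above, where sdap_parse_deref reports a dereferenced entry with no attributes and the same backend then returns "Init group lookup failed". The function name and the last two sample lines (a successful lookup for test2) are constructed for illustration, and the script assumes one log entry per line rather than the wrapped form quoted in the e-mail.

```python
import re

# SSSD debug line layout: (timestamp) [process] [function] (level): message
LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[\S+?)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REQ = re.compile(r"Got request for .*\[name=(?P<name>[^\]]+)\]")
DEREF = re.compile(r"Dereferenced entry \[(?P<dn>.+)\] has no attributes")
FAILED = "Init group lookup failed"

# First three lines come from the thread's log excerpt, rejoined to one line
# each; the last two (a successful lookup for test2) are constructed.
SAMPLE = [
    "(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test1]",
    "(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref] (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example] has no attributes",
    "(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed",
    "(Thu Mar 5 08:24:10 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test2]",
    "(Thu Mar 5 08:24:10 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success",
]


def find_deref_failures(lines):
    """Return one finding per request whose group lookup failed after the
    backend dereferenced an entry that came back with no attributes."""
    pending = {}    # backend process -> {"user": ..., "dn": ...}
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue    # wrapped continuation or unrelated text
        proc, func, msg = m["proc"], m["func"], m["msg"]
        if func == "be_get_account_info" and (r := REQ.search(msg)):
            pending[proc] = {"user": r["name"], "dn": None}
        elif func == "sdap_parse_deref" and (d := DEREF.search(msg)):
            pending.setdefault(proc, {"user": None, "dn": None})["dn"] = d["dn"]
        elif func == "acctinfo_callback":
            state = pending.pop(proc, None)    # request finished, clear state
            if state and state["dn"] and FAILED in msg:
                findings.append({"time": m["ts"], "backend": proc, **state})
    return findings


if __name__ == "__main__":
    for f in find_deref_failures(SAMPLE):
        print(f"{f['time']} {f['backend']}: groups for {f['user']} lost at {f['dn']}")
```
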
[Freeipa-users] group issue (freeipa4)
Hello,

I have group issue on sssd 1.8.6 and 1.11.5 (on ubuntu 12.04 and 14.04) and
freeipa4 (freeipa-server-4.1.2-1 on fedora 21, 389-ds-base-1.3.3.8-1).

If user has assigned Role I couldn't get all groups with "id" command.
All works for users without role/special permissions.

Information about test users from ipa server:

User with role helpdesk:
# ipa user-show test1
User login: test1
Member of groups: testgroup2, testgroup3, ipausers, testgroup4, testgroup1
Roles: helpdesk

User without role:
# ipa user-show test2
User login: test2
Member of groups: testgroup2, ipausers, testgroup4, testgroup1, testgroup3

Information about user on client (ubuntu 12.04):

# id test1
uid=1016(test1) gid=1016(test1) groups=1016(test1)

# id test2
uid=1022(test2) gid=1022(test2) groups=1022(test2),1014(testgroup4),1012(testgroup3),1011(testgroup2),1004(testgroup1)

(Thu Mar 5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test1' matched without domain, user is test1
(Thu Mar 5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test1] from []
(Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [te...@example.com]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test1]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref] (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example] has no attributes
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_x_deref_parse_entry] (0x0040): sdap_parse_deref failed [22]: Invalid argument
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_get_generic_ext_done] (0x0020): reply parsing callback failed.
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_x_deref_search_done] (0x0100): sdap_get_generic_ext_recv failed [22]: Invalid argument
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_deref_search_done] (0x0040): dereference processing failed [22]: Invalid argument
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
(Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 22, Init group lookup failed
Will try to return what we have in cache

sssd.conf:

[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = example
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = test.example.com
chpass_provider = ipa
ipa_server =ipaserver.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
enumerate = False
min_id = 1000
lookup_family_order = ipv4_only

[sssd]
services = nss, pam, sudo, ssh
config_file_version = 2
domains = example.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

Best regards
Łukasz Jaworski "Ender"