View Issue Details

ID: 0016140
Project: CentOS-7
Category: sssd
View Status: public
Last Update: 2020-06-23 08:31
Reporter: jorbasm
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: GNU/Linux
OS: CentOS
OS Version: 7.6.1810
Product Version: 7.6.1810
Target Version:
Fixed in Version:
Summary: 0016140: SSSD does not retrieve users when ldap_id_mapping = false
Description

I'm trying to map uids to AD POSIX values to keep consistency in a heterogeneous environment with Windows and CentOS 7 boxes. I have a problem configuring the latter.

sssd works well with AD until ldap_id_mapping = false. When this variable is set that way, this is the log obtained:

tail -f /var/log/sssd/sssd_company.local.log
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.company.local/DC=ForestDnsZones,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.company.local/DC=DomainDnsZones,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://company.local/CN=Configuration,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users

Otherwise

(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [sysdb_set_entry_attr] (0x0200): Entry [name=Certain Users@company.local,cn=groups,cn=company.local,cn=sysdb] has set [cache, ts_cache] attrs.
(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [sdap_save_groups] (0x4000): Group 1 members processed!

This is my sssd config file, initially set up with realm join.

[sssd]
domains = company.local
config_file_version = 2
services = nss, pam
full_name_format = %1$s

[domain/company.local]
ad_domain = company.local
krb5_realm = COMPANY.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = false
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = ad
debug_level = 9

Every time I change the ldap_id_mapping value I empty the SSSD cache db:

sudo systemctl stop sssd
sudo rm -rf /var/lib/sss/db/*
sudo systemctl start sssd

I thought I had to file a bug.
Anyway, thanks in advance.

Steps To Reproduce

vi /etc/sssd/sssd.conf
ldap_id_mapping = false

sudo systemctl stop sssd
sudo rm -rf /var/lib/sss/db/*
sudo systemctl start sssd

su - someuser
su: user someuser does not exist

Tags: active directory

Activities

jorbasm (reporter), 2019-06-03 14:00, note ~0034587

Same case but in the Red Hat bugtracker (2015): https://bugzilla.redhat.com/show_bug.cgi?id=1116758#c10
keimond (reporter), 2020-06-22 21:08, note ~0037210

I am also experiencing this problem. It's interesting: if you take the LDAP query that it's sending to AD and run it manually, it works and you get the user back.

(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=keimond@ad.example.com]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [dp_attach_req] (0x0400): DP Request [Account #1]: New request. Flags [0x0001].
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sss_domain_get_state] (0x1000): Domain AD.EXAMPLE.COM is Active
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sss_domain_get_state] (0x1000): Domain AD.EXAMPLE.COM is Active
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [DC=ad,DC=example,DC=com]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_print_server] (0x2000): Searching 10.10.10.10:389
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=keimond)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=ad,DC=example,DC=com].
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x557bcedcd9b0], connected[1], ops[0x557bceddf980], ldap[0x557bced56c20]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x557bcedcd9b0], connected[1], ops[0x557bceddf980], ldap[0x557bced56c20]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x557bcedcd9b0], connected[1], ops[0x557bceddf980], ldap[0x557bced56c20]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ad.example.com/CN=Configuration,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x557bcedcd9b0], connected[1], ops[0x557bceddf980], ldap[0x557bced56c20]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ad.example.com/CN=Configuration,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_id_op_done] (0x4000): releasing operation connection

jorbasm (reporter), 2020-06-23 08:31, note ~0037213

Hi keimond,

Back then I had not yet set the UNIX attribute fields in Windows AD DS, in particular the proper uid. I recall solving this issue, which obviously was not an sssd bug.

Regards,
Jordi
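Added diagnostic, not part of the report or of sssd: keimond's debug log shows the exact filter sssd sends with ldap_id_mapping = false, and jorbasm's last note explains why it returned nothing (no uidNumber on the account). The script below pulls that filter out of the logged line, parses it, and evaluates it against constructed sample AD entries, showing that only an account with a non-zero uidNumber is returned; the sample entries and their values are constructed for this example.

```python
import re

# The ldap_search_ext line from keimond's debug log (copied from the report):
# the filter sssd sends for a user lookup when ldap_id_mapping = false.
LOG_LINE = ("(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] "
            "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with "
            "[(&(sAMAccountName=keimond)(objectclass=user)(sAMAccountName=*)"
            "(&(uidNumber=*)(!(uidNumber=0))))][DC=ad,DC=example,DC=com].")

# Constructed sample AD entries: same account with uidNumber set, missing, and 0.
SAMPLE_USERS = {
    "posix-ok": {"objectclass": ["user"], "samaccountname": ["keimond"], "uidnumber": ["10001"]},
    "no-posix": {"objectclass": ["user"], "samaccountname": ["keimond"]},
    "uid-zero": {"objectclass": ["user"], "samaccountname": ["keimond"], "uidnumber": ["0"]},
}

def extract_filter(line):
    """Return the LDAP filter quoted in an sssd 'calling ldap_search_ext with' line."""
    m = re.search(r"calling ldap_search_ext with \[(\(.*\))\]\[", line)
    return m.group(1) if m else None

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset sssd uses: (&..) (|..) (!..) and attr=value / attr=*."""
    assert s[i] == "(", "filter component must start with '('"
    i += 1
    if s[i] in "&|!":                       # compound filter: collect its children
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1            # step past the compound's closing ')'
    j = s.index(")", i)                     # a raw ')' never occurs inside a value
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr_lowercase: [values]}, case-insensitively as AD does."""
    if node[0] in "&|":
        agg = all if node[0] == "&" else any
        return agg(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = entry.get(attr, [])
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)

def users_found(log_line=LOG_LINE, users=SAMPLE_USERS):
    """Names of the sample entries the logged filter would actually return."""
    node, _ = parse_filter(extract_filter(log_line))
    return sorted(name for name, entry in users.items() if matches(node, entry))
```

Before flipping ldap_id_mapping to false, the same check can be run against entries exported from AD to confirm every account has uidNumber and gidNumber populated.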

Issue History

Date Modified Username Field Change
2019-06-03 13:48 jorbasm New Issue
2019-06-03 13:48 jorbasm Tag Attached: active directory
2019-06-03 14:00 jorbasm Note Added: 0034587
2020-06-22 21:08 keimond Note Added: 0037210
2020-06-23 08:31 jorbasm Note Added: 0037213