View Issue Details

ID: 0016140
Project: CentOS-7
Category: sssd
View Status: public
Last Update: 2019-06-03 14:00
Reporter: jorbasm
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: GNU/Linux
OS: CentOS
OS Version: 7.6.1810
Product Version: 7.6.1810
Target Version:
Fixed in Version:
Summary: 0016140: SSSD does not retrieve users when ldap_id_mapping = false
Description: SSSD works well with AD until ldap_id_mapping = false. When this variable is set this way, this is the log obtained:

tail -f /var/log/sssd/sssd_company.local.log
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.company.local/DC=ForestDnsZones,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.company.local/DC=DomainDnsZones,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://company.local/CN=Configuration,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users

otherwise

(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [sysdb_set_entry_attr] (0x0200): Entry [name=Certain Users@company.local,cn=groups,cn=company.local,cn=sysdb] has set [cache, ts_cache] attrs.
(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [sdap_save_groups] (0x4000): Group 1 members processed!

This is my sssd config file, initially set up with realm join

[sssd]
domains = company.local
config_file_version = 2
services = nss, pam
full_name_format = %1$s

[domain/company.local]
ad_domain = company.local
krb5_realm = COMPANY.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = false
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = ad
debug_level = 9



I'm trying to map uids to AD POSIX values to keep consistency in a heterogeneous environment with Windows and CentOS 7 boxes. I have a problem configuring the latter.

Every time I change ldap_id_mapping value I empty the SSSD cache db

sudo systemctl stop sssd
sudo rm -rf /var/lib/sss/db/*
sudo systemctl start sssd

I thought I had to file a bug.
Anyway, thanks in advance.
Steps To Reproduce:
vi /etc/sssd/sssd.conf
ldap_id_mapping = false

sudo systemctl stop sssd
sudo rm -rf /var/lib/sss/db/*
sudo systemctl start sssd

su - someuser
su: user someuser does not exist

Tags: active directory
abrt_hash:
URL:

Activities

jorbasm (reporter), 2019-06-03 14:00, note ~0034587

Same case but in RedHat bugtracker (2015): https://bugzilla.redhat.com/show_bug.cgi?id=1116758#c10
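
A triage helper for the symptom in this report, added here as an example (it is not part of the original report or of SSSD): it pairs domains that set ldap_id_mapping to false with user searches that logged 0 results in the backend debug log. The function names and the sample strings are constructed for illustration; the log layout and option names follow the excerpts above.

```python
import configparser
import re

# Constructed sample input, modelled on the config and log in the report.
SAMPLE_CONF = """[sssd]
domains = company.local
full_name_format = %1$s
[domain/company.local]
id_provider = ad
ldap_id_mapping = false
"""
SAMPLE_LOG = """\
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
"""

# Line layout: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
COUNT_RE = re.compile(r"Search for users, returned (\d+) results")

def id_mapping_disabled(conf_text):
    """Domains whose section sets ldap_id_mapping to a false value."""
    # interpolation=None: values such as '%1$s' are literals, not templates.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Assumption: an unset option counts as true (the AD provider default).
    return [s.split("/", 1)[1] for s in cp.sections()
            if s.startswith("domain/")
            and not cp.getboolean(s, "ldap_id_mapping", fallback=True)]

def empty_user_searches(log_text):
    """(timestamp, domain) for each user search that returned 0 results."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["func"] != "sdap_search_user_process":
            continue
        c = COUNT_RE.search(m["msg"])
        if c and int(c.group(1)) == 0:
            hits.append((m["ts"], m["domain"]))
    return hits

def triage(conf_text, log_text):
    """Domains with ID mapping off that also logged an empty user search."""
    off = set(id_mapping_disabled(conf_text))
    return sorted({d for _, d in empty_user_searches(log_text) if d in off})

if __name__ == "__main__":
    print(triage(SAMPLE_CONF, SAMPLE_LOG))
```

With ID mapping disabled, SSSD takes UID and GID values from the POSIX attributes (uidNumber, gidNumber) stored in AD, so a domain flagged here is a prompt to check whether the account being looked up has those attributes set.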

Issue History

Date Modified Username Field Change
2019-06-03 13:48 jorbasm New Issue
2019-06-03 13:48 jorbasm Tag Attached: active directory
2019-06-03 14:00 jorbasm Note Added: 0034587