[Freeipa-users] group issue (freeipa4)
Jakub Hrozek
jhrozek at redhat.com
Thu Mar 5 07:54:28 UTC 2015
On Thu, Mar 05, 2015 at 08:32:32AM +0100, Łukasz Jaworski wrote:
> Hello,
>
> I have a group issue on sssd 1.8.6 and 1.11.5 (on Ubuntu 12.04 and 14.04) and freeipa4 (freeipa-server-4.1.2-1 on Fedora 21, 389-ds-base-1.3.3.8-1).
>
> If a user has an assigned Role, I couldn't get all groups with the "id" command.
> Everything works for users without a role/special permissions.
>
> Information about test users from ipa server:
>
> User with role helpdesk:
> # ipa user-show test1
> User login: test1
> Member of groups: testgroup2, testgroup3, ipausers, testgroup4, testgroup1
> Roles: helpdesk
>
> User without role:
> # ipa user-show test2
> User login: test2
> Member of groups: testgroup2, ipausers, testgroup4, testgroup1, testgroup3
>
> Information about the users on the client (Ubuntu 12.04):
>
> # id test1
> uid=1016(test1) gid=1016(test1) groups=1016(test1)
>
> # id test2
> uid=1022(test2) gid=1022(test2) groups=1022(test2),1014(testgroup4),1012(testgroup3),1011(testgroup2),1004(testgroup1)
>
>
> (Thu Mar 5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test1' matched without domain, user is test1
> (Thu Mar 5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test1] from [<ALL>]
> (Thu Mar 5 08:23:54 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [test1 at example.com]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test1]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref] (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example] has no attributes
This ^^ line tells me it's a known SSSD bug:
https://fedorahosted.org/sssd/ticket/2421
This bug only happens with a combination of an old client and a particular
server version.
IIRC a subsequent server update fixed the ACIs on the server so that at
least objectClass was readable. You can also work around the bug on the
client by disabling dereference:
ldap_deref_threshold = 0
BTW, SSSD version 1.8 is quite old and not supported upstream anymore.
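As an added illustration (not part of the thread, and not SSSD's or FreeIPA's own tooling), the Python script below shows the two checks a client administrator would want after reading Jakub's reply: it scans an sssd domain log for the "sdap_parse_deref ... has no attributes" symptom he points at, reporting which dereferenced entries came back empty, and it inspects the [domain/...] section of sssd.conf to see whether the ldap_deref_threshold = 0 workaround is already in place. The log lines and config text are constructed samples modelled on the excerpt above; the file paths and the domain name are assumptions.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample of sssd_example.com.log, modelled on the excerpt posted
# in the thread (not a real capture). Only the sdap_parse_deref line is the
# symptom we care about; the other lines are there to show it is ignored.
SAMPLE_LOG = """\
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test1]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Mar 5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref] (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example] has no attributes
"""

# Constructed sssd.conf fragments (assumed layout): one without the
# workaround, one with ldap_deref_threshold = 0 in the domain section.
CONF_WITHOUT_WORKAROUND = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
"""

CONF_WITH_WORKAROUND = CONF_WITHOUT_WORKAROUND + "ldap_deref_threshold = 0\n"

# Matches the back end's "dereferenced entry has no attributes" message,
# capturing the timestamp, the sssd domain and the DN that came back empty.
DEREF_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[sdap_parse_deref\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"Dereferenced entry \[(?P<dn>[^\]]+)\] has no attributes"
)


def find_empty_deref_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, domain, dn) for every empty dereference in the log.

    An entry with no attributes means the client could not read even
    objectClass on it (here: a role under cn=roles), which is the symptom
    behind the missing groups in the thread.
    """
    hits = []
    for line in log_text.splitlines():
        m = DEREF_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("domain"), m.group("dn")))
    return hits


def deref_disabled(sssd_conf_text: str, domain: str) -> bool:
    """True if [domain/<domain>] sets ldap_deref_threshold = 0.

    sssd.conf is ini-style, so configparser can read it; interpolation is
    off because values may legitimately contain '%'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    section = "domain/" + domain
    if not cp.has_section(section):
        return False
    value = cp.get(section, "ldap_deref_threshold", fallback=None)
    return value is not None and value.strip() == "0"


def diagnose(log_text: str, sssd_conf_text: str, domain: str) -> str:
    """One-line verdict combining the log symptom and the config state."""
    hits = [h for h in find_empty_deref_entries(log_text) if h[1] == domain]
    if not hits:
        return "no empty dereferenced entries logged for %s" % domain
    dns = ", ".join(sorted({h[2] for h in hits}))
    if deref_disabled(sssd_conf_text, domain):
        return "empty deref entries seen (%s) but dereference already disabled" % dns
    return ("empty deref entries seen (%s); set ldap_deref_threshold = 0 in "
            "[domain/%s] or update the server" % (dns, domain))


if __name__ == "__main__":
    # Assumed paths; adjust to the host being checked.
    with open("/var/log/sssd/sssd_example.com.log") as f:
        log = f.read()
    with open("/etc/sssd/sssd.conf") as f:
        conf = f.read()
    print(diagnose(log, conf, "example.com"))
```

Run it on the real log with debug_level raised high enough for the 0x0080 messages to appear; with the shipped samples the verdict names cn=helpdesk,cn=roles,cn=accounts,dc=example as the entry that came back empty, and flips to "already disabled" once the workaround line is present in the domain section.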