[Freeipa-users] group issue (freeipa4)

Jakub Hrozek jhrozek at redhat.com
Thu Mar 5 07:54:28 UTC 2015 

On Thu, Mar 05, 2015 at 08:32:32AM +0100, Łukasz Jaworski wrote:
> Hello,
> 
> I have group issue on sssd 1.8.6 and 1.11.5 (on ubuntu 12.04 and 14.04) and freeipa4 (freeipa-server-4.1.2-1 on fedora 21, 389-ds-base-1.3.3.8-1).
> 
> If user has assigned Role I couldn't get all groups with "id" command.
> All works for users without role/special permissions.
> 
> Information about test users from ipa server:
> 
> User with role helpdesk:
> # ipa user-show test1
>   User login: test1
>   Member of groups: testgroup2, testgroup3, ipausers, testgroup4, testgroup1
>   Roles: helpdesk
> 
> User without role:
> # ipa user-show test2
>   User login: test2
>   Member of groups: testgroup2, ipausers, testgroup4, testgroup1, testgroup3
> 
> Information about user on client (ubuntu 12.04):
> 
> # id test1
> uid=1016(test1) gid=1016(test1) groups=1016(test1)
> 
> # id test2
> uid=1022(test2) gid=1022(test2) groups=1022(test2),1014(testgroup4),1012(testgroup3),1011(testgroup2),1004(testgroup1)
> 
> 
> (Thu Mar  5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'test1' matched without domain, user is test1
> (Thu Mar  5 08:23:54 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Thu Mar  5 08:23:54 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test1] from [<ALL>]
> (Thu Mar  5 08:23:54 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [test1 at example.com]
> (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test1]
> (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
> (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar  5 08:23:54 2015) [sssd[be[example.com]]] [sdap_parse_deref] (0x0080): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example] has no attributes

This ^^ line tells me it's a known SSSD bug:
    https://fedorahosted.org/sssd/ticket/2421

This bug only happens in a combination of old client and a particular
server version.

IIRC a subsequent server update fixed the ACIs on the server so that at
least objectClass was readable. You can also work around the bug on the
client by disabling dereference:
    ldap_deref_threshold = 0

btw sssd version 1.8 is quite old and not supported upstream anymore..

More information about the Freeipa-users mailing list