Hello Community, We recently updated ipa-server and a bunch of related packages from 4.6.8-5.el7.centos.11 to 4.6.8-5.el7.centos.12. This also updated the IPA data. After that, the clients are unable to retrieve group information. However, they can load SSH public keys and other user details fine. When I query the FreeIPA server using ipa and ldapsearch against a user, I see all group memberships. So, the data on the FreeIPA server seems fine, but only how SSSD talks to FreeIPA has changed.
On the clients, there were no changes, and I tried all combinations of ldap_schema (rfc2307, rfc2307bis, ipa) and ldap_group_member (memberUid, uniqueMember), every time removing the cache and restarting SSSD. However, I don't see any change when I run id <username> or getent group <group>: they return the user id and primary group, and the group name and gid, respectively. I also tried adding "initgroups: sss files" to /etc/nsswitch.conf, but that didn't make a difference.
I tried to revert the packages on the server, but it failed, saying the data schema is incompatible. So, the current status is that our users can SSH to the instances but can't sudo, as group information is missing.
Since it seems like an issue with SSSD, I raised an issue with SSSD last week: https://github.com/SSSD/sssd/issues/6443. I'm reaching out here hoping someone might have resolved this, as it was an upgrade of the FreeIPA server that triggered it. Please let me know if you have any questions.
Additional details:
==============

On client:
=======

id
uid=1987401269(user_name) gid=1987401269(user_name) groups=1987401269(user_name) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

getent group sudo
sudo:*:27:
On FreeIPA server:
==============

id
uid=1987401269(user_name) gid=1987401269(user_name) groups=1987401269(user_name),27(sudo),1987400000(group1),1987400473(group2),1987401284(group3), context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

ipa user-show --all --raw user_name
dn: uid=user_name,cn=users,cn=accounts,dc=REDACTED,dc=com
REDACTED
ipaSshPubKey: REDACTED
..
memberof: cn=group1,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=group2,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=sudo,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=group3,cn=groups,cn=accounts,dc=REDACTED,dc=com
..

ldapsearch -Y GSSAPI -b 'uid=<user_name>,cn=users,cn=accounts,dc=REDACTED,dc=com'
Shows output similar to the above. I enabled debug logs (debug_level=6) on the SSSD client for all nss, pam and be calls to see if there are any issues, but I didn't find anything obvious. I thought they would not be very useful to share here, but I'm sharing the relevant queries SSSD sends to the FreeIPA server.
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=REDACTED,dc=com]
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=<user_name>)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=REDACTED,dc=com].
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set

and

(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=REDACTED,dc=com]
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=<gid_name>)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=REDACTED,dc=com].
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.

More details below.
FreeIPA server OS details
==================

cat /etc/*release*
CentOS Linux release 7.9.2009 (Core)
Derived from Red Hat Enterprise Linux 7.9 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.9.2009 (Core)
CentOS Linux release 7.9.2009 (Core)
cpe:/o:centos:centos:7
Relevant upgrade logs on the FreeIPA server
=========================

---> Package ipa-client.x86_64 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-client.x86_64 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-client-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-client-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-python-compat.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-python-compat.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-server.x86_64 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-server.x86_64 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-server-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-server-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipaclient.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipaclient.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipalib.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipalib.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipaserver.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipaserver.noarch 0:4.6.8-5.el7.centos.12 will be an update
Client OS and sssd versions
=====================

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)
cpe:2.3:o:amazon:amazon_linux:2

yum list installed|grep sssd
python-sssdconfig.noarch   1.16.5-10.amzn2.10   @amzn2-core
sssd.x86_64                1.16.5-10.amzn2.10   @amzn2-core
sssd-ad.x86_64             1.16.5-10.amzn2.10   @amzn2-core
sssd-client.x86_64         1.16.5-10.amzn2.10   @amzn2-core
sssd-common.x86_64         1.16.5-10.amzn2.10   @amzn2-core
sssd-common-pac.x86_64     1.16.5-10.amzn2.10   @amzn2-core
sssd-ipa.x86_64            1.16.5-10.amzn2.10   @amzn2-core
sssd-krb5.x86_64           1.16.5-10.amzn2.10   @amzn2-core
sssd-krb5-common.x86_64    1.16.5-10.amzn2.10   @amzn2-core
sssd-ldap.x86_64           1.16.5-10.amzn2.10   @amzn2-core
sssd-proxy.x86_64          1.16.5-10.amzn2.10   @amzn2-core
sssd.conf on Client
================

[domain/REDACTED]
ldap_search_base = cn=users,cn=accounts,dc=REDACTED,dc=com
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://freeipa.REDACTED.com,ldaps://ipa-slave.REDACTED.com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_schema = rfc2307
ldap_user_ssh_public_key = ipaSshPubKey
ldap_group_search_base = dc=REDACTED,dc=com
ldap_page_size = 1900
group_name_attribute = cn
ldap_group_member = memberUid
group_class = posixGroup

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh, sudo
domains = REDACTED.com

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
homedir_substring = /home

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[ssh]
Thanks, Krishna.
FYI - The issue is now resolved after updating the SSSD configs to use the compat tree for group search. However, it would be good to know why the FreeIPA upgrade broke it, as we will have to do the same update in production in the coming weeks.
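The debug_level=6 lines quoted above show exactly which filter and base SSSD sends for the rfc2307 group lookup, and the follow-up says the fix was to point group search at the compat tree. As an added example (not part of the original thread, and not SSSD or FreeIPA project code), here is a small Python checker that parses SSSD debug lines of that layout, pulls out every ldap_search_ext filter and search base, and reports memberUid-based group searches whose base is not inside the compat tree. It assumes the compat tree lives at cn=compat under the directory suffix, which is FreeIPA's default location; the domain, user name, gid and timestamps in the embedded sample log are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the debug_level=6 lines quoted in the post.
# Domain, user, gid and timestamps are made up; the line layout is SSSD's.
SAMPLE_LOG = """\
(2022-11-18 10:00:29): [be[example.com]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=example,dc=com]
(2022-11-18 10:00:29): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=alice)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=example,dc=com].
(2022-11-18 10:00:29): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2022-11-18 10:00:30): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=27)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=example,dc=com].
(2022-11-18 10:05:02): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=alice)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=groups,cn=compat,dc=example,dc=com].
"""

# One SSSD debug line: "(timestamp): [component] [function] (level): message".
# The component may carry a bracketed domain, e.g. "be[example.com]".
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>[a-z]+(?:\[[^\]]*\])?)\] "
    r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# The message SSSD logs right before it issues an LDAP search: "[filter][base]".
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>[^\]]*)\]\[(?P<base>[^\]]*)\]")
# Attribute a filter keys on when it selects groups by member (longest name first).
MEMBER_ATTR_RE = re.compile(r"\((memberUid|uniqueMember|member)=", re.IGNORECASE)


@dataclass
class LdapSearch:
    timestamp: str
    function: str
    ldap_filter: str
    base: str

    def membership_attribute(self) -> Optional[str]:
        """Return the member attribute the filter uses, or None for gidNumber/cn lookups."""
        m = MEMBER_ATTR_RE.search(self.ldap_filter)
        return m.group(1) if m else None

    def base_is_compat(self) -> bool:
        """True when the search base sits inside the compat tree (has an RDN cn=compat).

        Assumption: the compat tree is cn=compat,<suffix>, FreeIPA's default."""
        rdns = [r.strip().lower() for r in self.base.split(",")]
        return "cn=compat" in rdns


def extract_searches(log_text: str) -> List[LdapSearch]:
    """Pull every ldap_search_ext call (filter + base) out of an SSSD debug log."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SEARCH_RE.search(m.group("msg"))
        if s:
            found.append(LdapSearch(m.group("ts"), m.group("func"),
                                    s.group("filter"), s.group("base")))
    return found


def audit_group_lookups(log_text: str) -> List[dict]:
    """Report each member-based group search and whether it targets the compat tree.

    A memberUid filter with a base outside cn=compat is marked ok=False; that is
    the configuration the follow-up changed when it moved group search to the
    compat tree. Lookups by gidNumber or cn are not affected and are skipped.
    """
    report = []
    for s in extract_searches(log_text):
        attr = s.membership_attribute()
        if attr is None:
            continue
        report.append({
            "timestamp": s.timestamp,
            "attribute": attr,
            "base": s.base,
            "compat": s.base_is_compat(),
            "ok": attr.lower() != "memberuid" or s.base_is_compat(),
        })
    return report


if __name__ == "__main__":
    for finding in audit_group_lookups(SAMPLE_LOG):
        status = "OK  " if finding["ok"] else "FAIL"
        print(status, finding["timestamp"], finding["attribute"], "under", finding["base"])
```

Run it against a real /var/log/sssd/sssd_<domain>.log captured at debug_level 6 or higher by reading the file into audit_group_lookups(); the FAIL rows are the memberUid searches that are not aimed at the compat tree, which is the quickest way to confirm whether a client's ldap_group_search_base actually changed after editing sssd.conf and clearing the cache.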
freeipa-users@lists.fedorahosted.org