On Mon, Jun 13, 2016 at 03:16:25PM +0200, Lukas Slebodnik wrote:
On (29/02/16 11:17), Jakub Hrozek wrote:
>On Thu, Feb 25, 2016 at 01:37:27PM +0100, Sumit Bose wrote:
>> On Thu, Feb 25, 2016 at 12:50:55PM +0100, Jakub Hrozek wrote:
>> > On Tue, Feb 23, 2016 at 12:53:25PM +0100, Sumit Bose wrote:
>> > > Hi,
>> > >
>> > > this patch fixes and issue during initgroups in AD forests. Please
see
>> > > the commit message for details.
>> > >
>> > > To reproduce this you can create a new user outside of CN=Users on
the
>> > > forest root. The new user can be created in an existing container or
in
>> > > a new OU container. Most important is that it is not a child of
>> > > CN=Users. In a child domain (it must be a child, domains with a
>> > > different base won't trigger the issue) create a user with the
same
>> > > name. With this setup 'id user(a)forest.root' will not return
the complete
>> > > list of group the user is a member of and the patch should fix this.
>> > >
>> > > bye,
>> > > Sumit
>> > >
>> >
>> > Hi,
>> >
>> > the patch works fine, tested with a user named the same in the same OU
>> > in different domains. Coverity found some warnings:
>> >
>> > Error: COMPILER_WARNING:
>> > sssd-1.13.90/src/providers/ldap/sdap_async_initgroups.c:2835:12: warning:
unused variable 'dn_len' [-Wunused-variable]
>> > # size_t dn_len;
>> > # ^
>> > # 2833| const char *cname;
>> > # 2834| bool in_transaction = false;
>> > # 2835|-> size_t dn_len;
>> > # 2836| size_t c = 0;
>> > # 2837|
>> >
>> > Error: COMPILER_WARNING:
>> > sssd-1.13.90/src/providers/ldap/sdap_async_initgroups.c: scope_hint: In
function 'sdap_get_initgr_user'
>> > sssd-1.13.90/src/providers/ldap/sdap_async_initgroups.c:2836:12: warning:
unused variable 'c' [-Wunused-variable]
>> > # size_t c = 0;
>> > # ^
>> > # 2834| bool in_transaction = false;
>> > # 2835| size_t dn_len;
>> > # 2836|-> size_t c = 0;
>> > # 2837|
>> > # 2838| DEBUG(SSSDBG_TRACE_ALL, "Receiving info for the
user\n");
>> >
>> > Error: COMPILER_WARNING:
>> > sssd-1.13.90/src/db/sysdb_subdomains.c:23: included_from: Included from
here.
>> > sssd-1.13.90/src/db/sysdb_subdomains.c: scope_hint: In function
'try_to_find_expected_dn'
>> > sssd-1.13.90/src/util/util.h:144:9: warning: 'result_dn_str' may be
used uninitialized in this function [-Wmaybe-uninitialized]
>> > # sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
>> > # ^
>> > sssd-1.13.90/src/db/sysdb_subdomains.c:1075:17: note:
'result_dn_str' was declared here
>> > # const char *result_dn_str;
>> > # ^
>> > # 142| int __debug_macro_level = level; \
>> > # 143| if (DEBUG_IS_SET(__debug_macro_level)) { \
>> > # 144|-> sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
>> > # 145| __debug_macro_level, \
>> > # 146| format, ##__VA_ARGS__); \
>> >
>> > Additionally, I wonder if we should namespace the function?
>>
>> Thank you for the review, new version attached.
>>
>> bye,
>> Sumit
>
>ACK.
>
>There were some downstream tests failing, but the same tests kept
>failing even with a vanilla RHEL-7.2 package, so I think it's a fluke in
>the test and not a regression.
Was it a ldap_rfc2307_fallback_to_local_users related test?
Because I finally get to state when I was able to look
into failing tests and git bisect found out that
this patch (5ff7a765434ed0b4d37564ade26d7761d06f81c3)
broke option ldap_rfc2307_fallback_to_local_users
I really don't remember, but I think I only ran AD tests, not LDAP
tests.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: fallback_to_local_users_002: bz948263 Value set to true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: File '/var/log/sssd/sssd_LDAP.log' should contain 'Option
ldap_rfc2307_fallback_to_local_users is TRUE'
:: [ PASS ] :: Command 'getent group ldap_group | grep local_user | grep
ldap_user' (Expected 0, got 0)
:: [ FAIL ] :: Command 'id local_user | grep ldap_group' (Expected 0, got 1)
:: [ PASS ] :: Command 'id non_existant_user' (Expected 1, got 1)
:: [ PASS ] :: Command 'getent group ldap_group | grep local_user | grep
ldap_user' (Expected 0, got 0)
:: [ FAIL ] :: Command 'ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb
name=ldap_group member | grep local_user' (Expected 0, got 1)
:: [ FAIL ] :: Command 'ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb
name=local_user memberof | grep ldap_group' (Expected 0, got 1)
:: [ PASS ] :: Command 'ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb
name=ldap_group dataExpireTimestamp | grep "dataExpireTimestamp: 1"'
(Expected 0, got 0)
:: [ FAIL ] :: Command 'ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb
name=local_user dataExpireTimestamp | grep "dataExpireTimestamp: 1"'
(Expected 0, got 1)
:: [ FAIL ] :: Command 'id local_user | grep ldap_group' (Expected 0, got 1)
:: [ PASS ] :: Command 'getent group ldap_group | grep local_user | grep
ldap_user' (Expected 0, got 0)
:: [ LOG ] :: Duration: 16s
:: [ LOG ] :: Assertions: 6 good, 5 bad
:: [ FAIL ] :: RESULT: fallback_to_local_users_002: bz948263 Value set to true
I can provide access to machine if you need a reproducer.
But you should be able reproduce yourself with minimal rfc2307 config
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[domain/LDAP]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://$SERVER
ldap_search_base = $DS_BASE_DN
ldap_rfc2307_fallback_to_local_users = True
Please file a bug.