On Wed, Jan 31, 2018 at 12:32:28PM -0600, Anthony Joseph Messina
wrote:
> In a Fedora 27 FreeIPA-4.6 domain with the following sssd.conf, I
> regularly
> get the followin error:
>
> sssd_nss[2603]: The Data Provider returned an error
> [org.freedesktop.sssd.Error.DataProvider.Fatal]
>
> Increasing the sssd debug level reveals that the fatal error seems to be
> raised by the lookup in the implicit_files domain which doesn't contain
> this GID.
>
> While this happens on all my FreeIPA clients, this particular host is a
> mailserver postfix and cyrus-imap with saslsuthd/pam authentication so
> the number of user lookups is far higher and the error occurs with
> considerable frequency.
>
> Do I have a misconfiguration here or is there a problem with
> implicit_domain and GID lookups? It doesn't seem like this should be a
> fatal error when the GID exists in the
example.com FreeIPA/SSSD domain.
>
> # /etc/nsswitch.conf (snippet)
> passwd: sss files mymachines systemd
> shadow: files sss
> group: sss files mymachines systemd
>
> # /etc/sssd/sssd.conf
> [
domain/example.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain =
example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname =
host.example.com
> chpass_provider = ipa
> ipa_server = _srv_,
ipa-master.ipa.example.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh, ifp
>
> domains =
example.com
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
> allowed_uids = apache, root
>
> [secrets]
>
> # Relevant sssd_nss debug logs
> Jan 30 18:22:48 sssd_nss[2603]: Input ID: 1111100001
> Jan 30 18:22:48 sssd_nss[2603]: CR #134773: New request 'Group by ID'
> Jan 30 18:22:48 sssd_nss[2603]: CR #134773: Performing a multi-domain
> search Jan 30 18:22:48 sssd_nss[2603]: CR #134773: Search will check the
> cache and check the data provider Jan 30 18:22:48 sssd_nss[2603]: CR
> #134773: Using domain [implicit_files] Jan 30 18:22:48 sssd_nss[2603]: CR
> #134773: Looking up GID:1111100001@implicit_files Jan 30 18:22:48
> sssd_nss[2603]: CR #134773: Checking negative cache for
> [GID:1111100001@implicit_files] Jan 30 18:22:48 sssd_nss[2603]: CR
> #134773: [GID:1111100001@implicit_files] is not present in negative cache
> Jan 30 18:22:48 sssd_nss[2603]: CR #134773: Looking up
> [GID:1111100001@implicit_files] in cache Jan 30 18:22:48 sssd_nss[2603]:
> CR #134773: Object [GID:1111100001@implicit_files] was not found in cache
> Jan 30 18:22:48 sssd_nss[2603]: CR #134773: Looking up
> [GID:1111100001@implicit_files] in data provider Jan 30 18:22:48
> sssd_nss[2603]: Issuing request for
> [0x56200cc04250:2:1111100001@implicit_files] Jan 30 18:22:48
> sssd_nss[2603]: Creating request for
> [implicit_files][0x2][BE_REQ_GROUP][idnumber=1111100001:-] Jan 30
> 18:22:48 sssd_nss[2603]: Entering request
> [0x56200cc04250:2:1111100001@implicit_files]
I think it's probably
https://pagure.io/SSSD/sssd/issue/3520. In general
the files provider shouldn't be calling the Data Provider at all,
because all users should be always cached.
Could you open a bug against Fedora so we can link it with the upstream
ticket and you can test the fix when it's ready?
btw the implicit files domain can be disabled, I think that would be
the
best workaround in the meantime.
Thanks Jakub. If I disable the implicit_files domain, I need to revert the
nsswitch configuration to list files before sss, correct?