On (06/10/15 14:17), liedekef(a)telenet.be wrote:
Hi,
it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64, I'm
hitting a bug with nss if a group contains "@" in its cn (auth done via
LDAP):
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for
client [0x13ac330][20]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for
client [0x13ac330][20]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33]
with input [sudo_sasfdr@FFF-AP-dev].
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for
[0x41df60:domains@LDAP]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get
domains request for [LDAP][FFF-AP-dev]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x41df60:domains@LDAP]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data
Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not
configured
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13a07b0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x139bbc0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x13a07b0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0
"ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0
"ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name
received [sudo_sasfdr@FFF-AP-dev]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request:
[0x41df60:domains@LDAP]
At first I thought it was an LDAP issue, but changing the name to sudo_sasfdr_FFF-AP-dev
worked just fine.
The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but maybe
now the "@" is considered a domain-delimiter?
Currently as a workaround, I switched back to LDAP for sudo-queries (it's either that
or change over 200 groups in LDAP and the master provisioning system), since it seems so
far only sudo rules are impacted for now.
If anybody can point me to a config param to get the old behaviour back, I would very much
appreciate it.
Or, if it is no longer supported, then I need to start writing ldap-renames ...
With friendly regards,
Could you share your configuration file?
We would need to know which data provider you have configured ...
sssd uses "@" as a separator for name and domain.
You can find more details in the manual page sssd.conf -> re_expression.
So you can just use a different regular expression to avoid such
problems. But I wonder how it could work with 1.11.x
LS
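To make the re_expression point concrete, here is an added example that is not part of this thread and not sssd's own code. It uses Python's `re` module, whose `(?P<name>...)` named groups match the PCRE syntax sssd.conf(5) documents, to replay the split on the exact name from the log above. The first pattern is the documented default for the LDAP provider as I read it from sssd.conf(5) (treat the exact default string as an assumption for this package build); the second is a hypothetical replacement with only a name group, and whether sssd accepts a re_expression without a domain group is also an assumption. The domain list `["LDAP"]` is constructed from the `[LDAP][FFF-AP-dev]` line in the log.

```python
import re

# Documented default re_expression for the LDAP provider (sssd.conf(5)):
# name is everything before "@", domain everything after it.
# Assumption: this is the default in the 1.12.4 build in question.
DEFAULT_RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

# Hypothetical alternative for sssd.conf: only a "name" group, so "@" is
# never treated as a delimiter. Assumption: sssd tolerates the absence of
# a "domain" group and treats the result as "no domain given".
NAME_ONLY_RE_EXPRESSION = r"(?P<name>.+)"


def parse_name(fqname, re_expression):
    """Split a login name the way sssd applies re_expression.

    Returns (name, domain) where domain is None when the pattern has no
    domain group or the domain group matched the empty string, or None
    when the pattern does not match at all (sssd then reports an invalid
    name).
    """
    match = re.match(re_expression, fqname)
    if match is None:
        return None
    name = match.group("name")
    if not name:
        return None
    # groupdict() has no "domain" key for the name-only pattern; an empty
    # domain (e.g. "foo@") is also treated as "no domain".
    domain = match.groupdict().get("domain") or None
    return name, domain


def lookup_would_fail(fqname, re_expression, configured_domains):
    """Mirror the failure mode in the log: a parsed domain that is not a
    configured sssd domain (here only "LDAP") cannot be resolved."""
    parsed = parse_name(fqname, re_expression)
    if parsed is None:
        return True
    _name, domain = parsed
    return domain is not None and domain not in configured_domains


if __name__ == "__main__":
    # Constructed inputs: the group name from the log, the renamed one that
    # worked, and a name with two "@" signs that the default pattern rejects.
    configured = ["LDAP"]
    for fqname in ("sudo_sasfdr@FFF-AP-dev", "sudo_sasfdr_FFF-AP-dev",
                   "sudo_sasfdr@LDAP", "a@b@c"):
        for label, pattern in (("default", DEFAULT_RE_EXPRESSION),
                               ("name-only", NAME_ONLY_RE_EXPRESSION)):
            print(f"{label:9} {fqname!r:28} -> {parse_name(fqname, pattern)}"
                  f"  fails={lookup_would_fail(fqname, pattern, configured)}")
```

With the default pattern, `sudo_sasfdr@FFF-AP-dev` is split into name `sudo_sasfdr` and domain `FFF-AP-dev`, which is exactly what the `Sending get domains request for [LDAP][FFF-AP-dev]` line shows; since no such domain exists the lookup ends in `Invalid name received`. With the name-only pattern the whole string stays the name and no domain lookup is attempted. If you try this in sssd.conf, put the pattern under the `[domain/...]` section as `re_expression = ...`, restart sssd and clear the cache before re-testing, and check first that no existing user names rely on `user@domain` syntax, because that form would stop working.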