Hi,

it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64, I'm hitting a bug with nss if a group contains "@" in its cn (auth done via LDAP):

(Tue Oct  6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr@FFF-AP-dev].
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41df60:domains@LDAP]
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [LDAP][FFF-AP-dev]
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41df60:domains@LDAP]
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13a07b0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0 "ltdb_timeout"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x139bbc0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0 "ltdb_timeout"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13a07b0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13ab1d0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0 "ltdb_callback"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0 "ltdb_timeout"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0 "ltdb_callback"
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [sudo_sasfdr@FFF-AP-dev]
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41df60:domains@LDAP]

At first I thought it was an LDAP issue, but changing the name to sudo_sasfdr_FFF-AP-dev worked just fine.
The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but maybe now the "@" is considered a domain-delimiter?

Currently as a workaround, I switched back to LDAP for sudo-queries (it's either that or change over 200 groups in LDAP and the master provisioning system), since it seems so far only sudo rules are impacted for now.

If anybody can point me to a config param to get the old behaviour back, I would very much appreciate it.
Or, if it is no longer supported, then I need to start writing ldap-renames ...

With friendly regards,

Franky
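
Log triage for the debug output quoted above, added here as an example and not part of the original post: it lists the names the nss responder rejected and notes whether the text after "@" also showed up as the second bracketed field of a "get domains request" line. The function name `triage`, the failure-level mask and the last sample line are assumptions made for this example.

```python
import re
from collections import Counter

# Line layout seen in the post: (timestamp) [component] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<component>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REJECT_RE = re.compile(r"^Invalid name received \[(?P<name>.*)\]$")
DOMREQ_RE = re.compile(
    r"^Sending get domains request for \[(?P<dom>[^\]]*)\]\[(?P<hint>[^\]]*)\]$"
)
# Assumption: sssd debug levels are a bitmask and 0x0010-0x0080 mark failures.
FAILURE_MASK = 0x00F0

def triage(lines):
    """Return one record per rejected name, sorted by name."""
    rejected, hints = Counter(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an sssd debug line
        d = DOMREQ_RE.match(m["msg"])
        if d:
            hints.add(d["hint"])  # second field of the get-domains request
        r = REJECT_RE.match(m["msg"])
        if r and int(m["level"], 16) & FAILURE_MASK:
            rejected[r["name"]] += 1
    report = []
    for name, count in sorted(rejected.items()):
        _, sep, suffix = name.rpartition("@")
        report.append({
            "name": name,
            "count": count,
            "suffix": suffix if sep else None,
            "suffix_sent_as_domain": bool(sep) and suffix in hints,
        })
    return report

# First four lines are copied from the log in the post; the last one is constructed.
SAMPLE = """\
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr@FFF-AP-dev].
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [LDAP][FFF-AP-dev]
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
(Tue Oct  6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [sudo_sasfdr@FFF-AP-dev]
(Tue Oct  6 12:10:40 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [constructed-name]
"""

if __name__ == "__main__":
    for row in triage(SAMPLE.splitlines()):
        print(row)
```

Run against a full sssd_nss debug log, the report gives the distinct set of rejected names, which helps size the rename or rollback work.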