On Tue, Oct 06, 2015 at 02:34:58PM +0200, Lukas Slebodnik wrote:
> On (06/10/15 14:17), liedekef(a)telenet.be wrote:
>> Hi,
>>
>> it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64,
>> I'm hitting a bug with nss if a group contains "@" in its cn (auth done
>> via LDAP):
>>
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr@FFF-AP-dev].
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41df60:domains@LDAP]
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [LDAP][FFF-AP-dev]
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41df60:domains@LDAP]
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13a07b0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0 "ltdb_timeout"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x139bbc0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0 "ltdb_timeout"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13a07b0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13ab1d0
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0 "ltdb_callback"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0 "ltdb_timeout"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0 "ltdb_callback"
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [sudo_sasfdr@FFF-AP-dev]
>> (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41df60:domains@LDAP]
>>
>> At first I thought it was an LDAP issue, but changing the name to
>> sudo_sasfdr_FFF-AP-dev worked just fine.
>> The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but
>> maybe now the "@" is considered a domain-delimiter?
>>
>> Currently as a workaround, I switched back to LDAP for sudo-queries (it's either
>> that or change over 200 groups in LDAP and the master provisioning system), since it seems
>> so far only sudo rules are impacted for now.
>>
>> If anybody can point me to a config param to get the old behaviour back, I would very
>> much appreciate it.
>> Or, if it is no longer supported, then I need to start writing ldap-renames ...
>>
>> With friendly regards,
>>
> Could you share your configuration file?
> We would need to know which data provider you have configured ...
> sssd uses "@" as a separator for name and domain.
> You can find more details in the manual page sssd.conf -> re_expression.
> So you can just use a different regular expression to avoid such
> problems. But I wonder how it could work with 1.11.x
This is something that should work, we use the configuration in the
'legacy client' scenario where the FQDNs are already present in the
compat tree and we need to avoid splitting them, but rather match
against the compat tree.
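To make the two points above concrete (Lukas's note that sssd treats "@" as the name/domain separator according to re_expression, and the last reply's legacy-client case where FQDNs stored in the compat tree must not be split), here is an added Python example. It is not part of the thread and not sssd's own code. It assumes the default re_expression documented in the sssd.conf(5) man page for a plain LDAP provider and a single configured domain named LDAP; the "no split" pattern and the configured-domain check are illustrative assumptions. Python's re module accepts the same (?P<name>...) named-group syntax, so the patterns can be tried against lookup strings like the one in the log without touching a live sssd.

```python
import re

# Assumption: sssd's documented default re_expression for a plain LDAP provider
# (sssd.conf(5)). Everything up to the first "@" is the name, the rest the domain.
DEFAULT_RE = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

# Assumption: a "never split" pattern. The whole string is the name, there is no
# domain group at all, which is the behaviour the legacy-client scenario wants.
NO_SPLIT_RE = r"(?P<name>.+)"

# Constructed: the single [domain/LDAP] section of a hypothetical sssd.conf.
CONFIGURED_DOMAINS = ("LDAP",)


def parse_name(raw, pattern):
    """Apply an re_expression-style pattern to a lookup string.

    Returns (name, domain); domain is None when the pattern has no domain
    group or the group matched the empty string. Returns (None, None) when
    the pattern does not match at all.
    """
    m = re.match(pattern, raw)
    if m is None:
        return None, None
    name = m.group("name")
    domain = m.groupdict().get("domain") or None
    return name, domain


def resolve(raw, pattern, domains=CONFIGURED_DOMAINS):
    """Model the decision the nss responder makes after splitting the name.

    A domain part that is not a configured domain means the request cannot be
    routed and is reported as an invalid name (compare the log line
    'Invalid name received [sudo_sasfdr@FFF-AP-dev]'); an unqualified name is
    sent to the single configured domain.
    """
    name, domain = parse_name(raw, pattern)
    if name is None:
        return {"status": "invalid", "reason": "pattern did not match"}
    if domain is not None and domain not in domains:
        return {"status": "invalid", "reason": "unknown domain %s" % domain}
    return {"status": "lookup", "name": name, "domain": domain or domains[0]}


if __name__ == "__main__":
    # Constructed sample lookups: the group from the thread, its renamed form,
    # a normal domain-qualified user, and a name with two "@" characters.
    for raw in ("sudo_sasfdr@FFF-AP-dev", "sudo_sasfdr_FFF-AP-dev",
                "alice@LDAP", "a@b@c"):
        print("%-25s default: %s" % (raw, resolve(raw, DEFAULT_RE)))
        print("%-25s nosplit: %s" % ("", resolve(raw, NO_SPLIT_RE)))
```

With the default pattern the group name from the log is split into name sudo_sasfdr and domain FFF-AP-dev, which is not a configured domain, so the lookup is rejected before it ever reaches LDAP; with the no-split pattern the whole cn is passed through as the name and routed to the LDAP domain. The trade-off is the one the thread implies: once re_expression no longer splits on "@", user@domain style lookups are not split either, so only use such a pattern where the stored names are the FQDNs you actually want matched.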