sssd experts,
This sssd version (released Tue 23 Nov 2021) is under-discovering AD domains.
A similar sssd bug occurred last July, where sssd over-discovered AD domains (AD domains for which there was not a legal trust relationship with this AD domain.) Now, it appears that sssd is under-discovering AD domains (not discovering AD domains which have a valid trust relationship with this AD domain).
Ultimately, an sssd developer on this sssd mailing list (Sumit Bose) resolved the July bug of AD domain over-discovery. Hopefully, someone will recognize this new AD domain under-discovery bug.
We have opened Red Hat support case #03124778 for this new AD domain under-discovery bug. But to be frank, such complicated sssd bugs don’t get resolved by RHEL L1 customer support. (RHEL customer support is great, but not for complicated sssd bugs.)
For now, we have pulled sssd-*-1.16.5-10.0.1.el7_9.11.x86_64 RPMs out of our Jan OS patching cycle.
Spike
On Tue, Jan 18, 2022 at 5:52 PM Spike White spikewhitetx@gmail.com wrote:
> sssd experts,
> This sssd version (released Tue 23 Nov 2021) is under-discovering AD domains.
> A similar sssd bug occurred last July, where sssd over-discovered AD domains (AD domains for which there was not a legal trust relationship with this AD domain.) Now, it appears that sssd is under-discovering AD domains (not discovering AD domains which have a valid trust relationship with this AD domain).
> Ultimately, an sssd developer on this sssd mailing list (Sumit Bose) resolved the July bug of AD domain over-discovery. Hopefully, someone will recognize this new AD domain under-discovery bug.
> We have opened Red Hat support case #03124778 for this new AD domain under-discovery bug. But to be frank, such complicated sssd bugs don’t get resolved by RHEL L1 customer support. (RHEL customer support is great, but not for complicated sssd bugs.)
> For now, we have pulled sssd-*-1.16.5-10.0.1.el7_9.11.x86_64 RPMs out of our Jan OS patching cycle.
Please check the description of https://bugzilla.redhat.com/show_bug.cgi?id=2032867
Does it match your issue?
Btw, ".0.1." in "1.16.5-10.0.1.el7_9.11" looks weird. Package version should be 1.16.5-10.el7_9.10
> Spike
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Alexey,
Yes -- same bug.
Here's what's cute. It only occurs on specific child AD domains. For instance, APAC (Asia Pacific) can see only EMEA (Europe-Middle East-Africa). Cannot see AMER (Americas). Consistently, all servers in that child domain cannot discover (with this new sssd version).
In other AD domains (like AMER), consistently all servers with this new sssd version do discover all AD domains. So servers in AMER discover all expected domains.
Spike
On Tue, Jan 18, 2022 at 8:00 PM Spike White spikewhitetx@gmail.com wrote:
> Alexey,
> Yes -- same bug.
Then please feel free to ask support to attach your case to this BZ.
The fix - https://github.com/SSSD/sssd/commit/64192cf7c2823ae93820623b0ae285b697fabe12 - is planned to be shipped as a RHEL7.9 z-stream batch update.