ldap_group_gid_number overwritten with default value

[sssd-bot]

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3012

• Created at 2016-05-13 17:37:18 by welker
• Closed as Invalid
• Assigned to nobody

---

I am setting "ldap_group_gid_number = extensionAttribute9" in my sssd.conf
After "systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; systemctl start sssd" I see this in the logs:

(Fri May 13 17:24:23 2016) [sssd[be[DOMAIN]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value extensionAttribute9
(Fri May 13 17:24:23 2016) [DOMAIN]]] [sdap_copy_map] (0x0400): Option ldap_group_gid_number has value gidNumber

First the right mapping. Which gets overwritten by the default value right afterwards.

I am running this Centos 7 which is bound to M$ Active Directory 2008rc2. Please let me know if you need any additional information.

Thanks for your help,
Jan

Comments

---

Comment from welker at 2016-05-13 17:38:11

Fields changed

summary: ldap_group_gid_number overwritten => ldap_group_gid_number overwritten with default value

---

Comment from welker at 2016-05-13 17:48:37

I forgot the sssd.conf:

[sssd]
domains = XXX.XXX.DOMAIN.COM
services = nss, pam
config_file_version = 2


[domain/XXX.XXX.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = False
ldap_group_gid_number = extensionAttribute9
debug_level = 7

_comment0: I forgot the sssd.conf:

[sssd]
domains = XXX.XXX.DOMAIN.COM
services = nss, pam
config_file_version = 2

[domain/XXX.XXX.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = False
#ldap_group_gid_number = extensionAttribute9
debug_level = 7
=> 1463154553603797
_comment1: I forgot the sssd.conf:

{{{
[sssd]
domains = XXX.XXX.DOMAIN.COM
services = nss, pam
config_file_version = 2

[domain/XXX.XXX.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_id_mapping = False
#ldap_group_gid_number = extensionAttribute9
debug_level = 7
}}} => 1463154668780453

---

Comment from jhrozek at 2016-05-15 16:44:33

I can't reproduce this in my setup. Is there any chance the attribute is being overriden for the root domain (or the domain the sssd is enrolled with) but not the child domains? That would be in fact expected, because right now the config file only configures the domain we're enrolled with, not the child domains (we have ticket #2599 that tracks that enhancement).

In my test environment, I first see the main domain being initialized:

(Sun May 15 14:36:51 2016) [sssd[be[win.trust.test]]] [sdap_get_map] (0x0400): Option ldap_user_gid_number has value myowngid

and then the trusted domain, only with defaults:

(Sun May 15 14:36:51 2016) [sssd[be[win.trust.test]]] [sdap_copy_map] (0x0400): Option ldap_user_gid_number has value gidNumber

Notice the first uses sdap_get_map which reads the config file and creates the mappings, but the second uses sdap_copy_map which only copies the default mappings.

---

Comment from welker at 2016-05-17 10:05:43

I have no other domains configured. The sssd.conf I uploaded is my complete config. Is there a way that the AD servers set this default value? And if so is there a way to ignore it?

_comment0: I have no other domains configured. The sssd.conf I uploaded is my complete config. Is there a way that the AD servers set this default value? => 1463472659751589

---

Comment from jhrozek at 2016-05-17 10:16:46

The trusted domains are not configured, but discovered automatically. Even from your opening comment I see that the value was correctly overriden for the main domain:

(Fri May 13 17:24:23 2016) [sssd[be[DOMAIN]]] [sdap_get_map] (0x0400): Option ldap_group_gid_number has value extensionAttribute9

But sssd used the default values for the trusted domain:

(Fri May 13 17:24:23 2016) [DOMAIN]]] [sdap_copy_map] (0x0400): Option ldap_group_gid_number has value gidNumber

If you are not using accounts from the other trusted domains, you can disable their autodetection with:

subdomains_provider = none

Please note we are working on a better way to selectively enable/disable domains as part of ticket #2828.

---

Comment from welker at 2016-05-17 10:35:18

Thanks for your quick reply subdomains_provider = none works like you explained. The custom value is not overwritten by the default value anymore. At least in the log.

However the outcome of this is surprising to me. I overwrite ldap_group_gid_number with the attribute extensionAttribute9 which contains a valid numeric gid e.g. 3536 which my user is also part of. I would expect my gid to be 3536 which is not the case. The primary gid is still the value of gidNumber. I am also loosing all non primary groups of my user.

I deleted /var/lib/sss/db/* to get rid if the cache and the mapping.

Do I misunderstand the meaning of ldap_group_gid_number? Or is there a problem?

---

Comment from jhrozek at 2016-05-18 18:34:17

No, I would not expect that. I wonder if disabling the tokengroups support with ldap_use_tokengroups would help here? If not, it would be best to see the logs.

---

Comment from jhrozek at 2016-05-26 10:36:46

Without logs, I'm afraid I can't really help you here. The logs might show what are the searches actually looking for and what the server is returning.

---

Comment from jhrozek at 2016-06-01 18:13:07

I'm sorry, but it seems to me that sssd is behaving correctly here and without the logs, I don't think I can help any further, so I'm closing the ticket.

resolution: => invalid
status: new => closed

---

Comment from welker at 2017-02-24 14:57:06

Metadata Update from @Welker:

• Issue set to the milestone: NEEDS_TRIAGE