disabled root ad domain causes subdomains to be marked offline #5770

sumit-bose · 2021-09-02T10:20:49Z

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 2000238

[+] Description of problem:
 - when the root ad domain is not listed in ad_enabled_domains, sssd will mark
the subdomains as offline

[+] Version-Release number of selected component (if applicable):
 - sssd-1.16.5-10.el7_9.8.x86_64

[+] How reproducible:
 - sometimes - the failure occurs when sssd tries to retrieve trust information
from the root domain

[+] Steps to Reproduce:
1. configure an ad forest with two or more domains
2. enable only the ad subdomains in ad_enabled_domains
3. monitor sssd to see subdomains marked offline

[+] Actual results:
 - all domains are marked offline and sssd fails to perform user lookups for a
certain period

[+] Expected results:
 - root domain being disabled is treated as normal and sssd keeps all
subdomains online

[+] Workaround:
 - list ad root domain in ad_enabled_domains

The text was updated successfully, but these errors were encountered:

Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created. Resolves: SSSD#5770

Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created. Resolves: SSSD#5770 :fixes: Even is the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root.

Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created. Resolves: SSSD#5770 :fixes: Even if the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root.

Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created. Resolves: #5770 :fixes: Even if the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 2a617c0)

pbrezina · 2021-09-24T12:24:34Z

Pushed PR: #5771

master
- 2a617c0 - sdap: always create sdap object for a forest root
sssd-1-16
- 46b1941 - sdap: always create sdap object for a forest root

Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created. Resolves: SSSD#5770 :fixes: Even if the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Even if the forest root is disabled for user and group lookups a sdap object is needed to lookup trusted domains. This already works if the forest root is discovered for the first time at runtime. But if SSSD is restarted only the domain object but not the sdap object is created. Resolves: SSSD#5770 :fixes: Even if the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 2a617c0)

sumit-bose self-assigned this Sep 2, 2021

alexey-tikhonov added the Bugzilla label Sep 2, 2021

sumit-bose mentioned this issue Sep 2, 2021

sdap: always create sdap object for a forest root #5771

Closed

pbrezina closed this as completed in 2a617c0 Sep 24, 2021

pbrezina added the Closed: Fixed Issue was closed as fixed. label Sep 24, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

disabled root ad domain causes subdomains to be marked offline #5770

disabled root ad domain causes subdomains to be marked offline #5770

sumit-bose commented Sep 2, 2021

pbrezina commented Sep 24, 2021

disabled root ad domain causes subdomains to be marked offline #5770

disabled root ad domain causes subdomains to be marked offline #5770

Comments

sumit-bose commented Sep 2, 2021

pbrezina commented Sep 24, 2021