SSSD unable to retrieve secondary groups after upgrade of ipa-server #6443
Comments
Hi, with the given sssd.conf, SSSD will connect anonymously to the LDAP server. Are the memberOf attributes shown if you call:
bye,
Hi Sumit, thanks for the quick reply. Appreciate it! It doesn't show the memberOf attribute. Interestingly, we have a production environment which hasn't been upgraded yet and is working fine. However, it doesn't show the memberOf attribute either.
Hi, by default the
bye,
No, it has a similar configuration. However, when I run the command below in production (I grabbed the command from the SSSD backend logs), it shows all the groups and all their members for each group (which is a huge output because it also shows memberUid for each group).
The same ldapsearch command in the test doesn't return anything. Does that give any clue?
The results are coming from the compat-tree, is the compat-tree enabled in the test environment?
Oh, seems like you found the issue! I've not heard of it before, but a quick Google search says it is some compatibility plugin designed for applications expecting the users/groups to follow RFC 2307. Is that correct? However, I didn't find a way to enable it. I went to the IPA server in test/prod and did a grep on compat in /etc/sssd and /etc/ipa. No results. I'm not a FreeIPA expert. Is there a guide/howto?
I think I found a utility to check/enable the compat tree on the FreeIPA server, which is enabled in production. However, I don't have the Directory Manager password for test to check/enable the status. Looking for ways to reset the directory password. I'll let you know the status, and thanks a lot for your help so far!
Hi @sumit-bose, I reset the Directory Server password in test and checked that the compat status is already enabled. Is there anything else that needs to be checked?
ipa-compat-manage status
Plugin Enabled
Hi, in your
bye,
Hi @sumit-bose, yes, I have the same config in prod; removing it didn't help in test. However, when I ran ldapsearch against the compat tree, it worked fine in test. So, I changed the From: to: And it started working! Thanks a lot for all the help. Appreciate it.
Closing the issue as it is resolved now. Here is to the power of community 🥇
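The check that decided this thread, whether the compat tree actually lists the user's secondary groups, can be scripted over saved ldapsearch output once the memberUid view (RFC 2307 compat tree) and the member-DN view (native IPA tree) are both understood. The following is an added example and is not code from the issue, from SSSD or from FreeIPA; the LDIF entries and the dc=example,dc=com suffix are constructed, and the cn=compat and cn=accounts container names are assumptions.

```python
# Constructed LDIF in the shape ldapsearch prints for the compat tree
# (RFC 2307 view: members listed by memberUid). All DNs are assumptions.
COMPAT_LDIF = """\
dn: cn=admins,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: admin
memberUid: alice
"""

# Constructed native tree: members are full DNs, one folded as ldapsearch does.
ACCOUNTS_LDIF = """\
dn: cn=wheel,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixGroup
cn: wheel
member: uid=alice,cn=users,cn=accounts,
 dc=example,dc=com
"""

def parse_ldif(text):
    """Split LDIF text into {attr: [values]} dicts, one per entry."""
    # A line starting with a single space continues the previous line.
    text = text.replace("\n ", "")
    entries = []
    for block in text.strip().split("\n\n"):   # blank line separates entries
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def groups_for_uid(ldif_text, uid):
    """Secondary groups of uid, whether listed by memberUid or by member DN."""
    found = set()
    for e in parse_ldif(ldif_text):
        if "posixGroup" not in e.get("objectClass", []):
            continue
        uids = set(e.get("memberUid", []))
        for dn in e.get("member", []):         # uid=alice,cn=users,... -> alice
            rdn = dn.split(",")[0]
            if rdn.lower().startswith("uid="):
                uids.add(rdn[4:])
        if uid in uids:
            found.add(e["cn"][0])
    return found
```

Running groups_for_uid over the output of the same ldapsearch in production and in test makes the difference between the two environments visible at a glance, instead of reading through every memberUid line by hand.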
Hello Community,
We recently updated ipa-server and a bunch of related packages from 4.6.8-5.el7.centos.11 to 4.6.8-5.el7.centos.12. This also updated the IPA data. After that, the clients are unable to retrieve group information. However, they can load SSH public keys and other user details fine. When I query the FreeIPA server using ipa and ldapsearch against a user, I see all group memberships. So, the data on the FreeIPA server seems fine, but only how SSSD talks to FreeIPA has changed.
On the clients, there were no changes, and I tried all combinations of ldap_schema (rfc2307, rfc2307bis, ipa) and ldap_group_member (memberUid, uniqueMember), every time removing the cache and restarting SSSD. However, I don't see any change when I run id <username> or getent group <group>. They just return the user id and primary group; group and gid. I also tried to add initgroups sss files in /etc/nsswitch.conf, but that didn't make a difference.
I tried to revert the packages on the server, but it failed, saying the data schema is incompatible. So, the current status is: our users can SSH to the instances but can't sudo, as group information is missing. Please let me know if you need any more details to help troubleshoot.
Thanks!
On client:
On FreeIPA server:
I enabled debug logs (debug_level=6) on the SSSD client for all nss, pam and be calls to see if there are any issues, but I didn't find anything obvious. I thought it is not very useful to share it here, but I'm sharing the relevant commands SSSD initiates to the FreeIPA server. More details below.
FreeIPA server OS details
Relevant upgrade logs on the FreeIPA server
Client OS and sssd versions
sssd.conf on Client