Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") #6626

Closed
sumit-bose opened this issue Mar 13, 2023 · 2 comments
Assignees: sumit-bose
Labels: Bugzilla, Closed: Fixed (issue was closed as fixed)

Comments

@sumit-bose (Contributor) commented Mar 13, 2023

Description of problem:

Unable to look up an AD user from a child domain; filtering of the domains should be more configurable.

From sssd_$domain.log

-----
(2022-11-17 18:29:10): [be[example.com]] [dp_attach_req] (0x0400): [RID#5] DP Request [Account #5]: REQ_TRACE: New request. [sssd.nss CID #58] Flags [0x0001].
(2022-11-17 18:29:10): [be[example.com]] [dp_attach_req] (0x0400): [RID#5] Number of active DP request: 2
(2022-11-17 18:29:10): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#5] Domain example.com is Active
(2022-11-17 18:29:10): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#5] Domain example.com is Active
(2022-11-17 18:29:10): [be[example.com]] [sdap_id_op_connect_step] (0x4000): [RID#5] reusing cached connection
(2022-11-17 18:29:10): [be[example.com]] [sdap_search_user_next_base] (0x0400): [RID#5] Searching for users with base [DC=example,DC=com]
(2022-11-17 18:29:10): [be[example.com]] [sdap_print_server] (0x2000): [RID#5] Searching 128.0.x.x
(2022-11-17 18:29:10): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): [RID#5] calling ldap_search_ext with [(&(sAMAccountName=roy)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=example,DC=com].
...
(2022-11-17 18:29:10): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://ad03.example.com/DC=ad03,DC=example,DC=com] with fd [21]
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://ad02.example.com/DC=adt02,DC=example,DC=com] with fd [26]
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://adT05.example.com/DC=adT05,DC=example,DC=com] with fd [27]
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://lfwc.example.com/DC=lfwc,DC=example,DC=com] with fd [28]
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://adt04.example.com/DC=adt04,DC=example,DC=com] with fd [29]
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://ladc.example.com/DC=ladc,DC=example,DC=com] with fd [30]
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://adt01.example.com/DC=adt01,DC=example,DC=com] with fd [31] <--
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: An invalid name was supplied (Success) <--
(2022-11-17 18:29:11): [be[example.com]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error] <---
(2022-11-17 18:29:11): [be[example.com]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://adt01.example.com/DC=adt01,DC=example,DC=com].
(2022-11-17 18:29:11): [be[example.com]] [sdap_ldap_connect_callback_del] (0x4000): Closing LDAP connection with fd [31].
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: An invalid name was supplied (Success)
(2022-11-17 18:29:11): [be[example.com]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(2022-11-17 18:29:11): [be[example.com]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://dc.example.com/DC=ladc,DC=example,DC=com].
(2022-11-17 18:29:11): [be[example.com]] [sdap_ldap_connect_callback_del] (0x4000): Closing LDAP connection with fd [30].
----

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
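
As an added triage example that is not part of this issue or of SSSD's own code: a small Python script that walks an sssd_$domain.log excerpt, pairs each "New connection to [...] with fd [N]" line with the "Failed to bind to [...]" and "Closing LDAP connection with fd [N]" lines that follow it, attaches the preceding "SASL: GSSAPI Error" text as the reason, and reports which forest domains SSSD could not bind to. The sample log is constructed to mirror the excerpt above, including the case where the bind-failure line names a different host than the connect line for the same base DN (dc.example.com versus ladc.example.com above); the regexes follow the message formats visible on this page and are an assumption, not a guaranteed SSSD log schema.

```python
"""Added example: report which forest domains failed to bind in an sssd_$domain.log.

Not SSSD code. The patterns follow the message formats visible in the report;
treat them as an assumption when running against other SSSD versions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Message formats as they appear in the log excerpt above (assumed, not a schema).
CONNECT_RE = re.compile(
    r"\[sdap_ldap_connect_callback_add\] .*New connection to \[(ldap://[^\]]+)\] with fd \[(\d+)\]"
)
SASL_ERR_RE = re.compile(
    r"\[ad_sasl_log\] \(0x0040\): SASL: (GSSAPI Error: .*?)\s*(?:<-+)?\s*$"
)
BIND_FAIL_RE = re.compile(r"\[sdap_rebind_proc\] .*Failed to bind to \[(ldap://[^\]]+)\]")
CLOSE_RE = re.compile(
    r"\[sdap_ldap_connect_callback_del\] .*Closing LDAP connection with fd \[(\d+)\]"
)


@dataclass
class Connection:
    url: str
    fd: int
    domain: str            # DNS name derived from the DC= components of the base DN
    status: str = "open"   # open | bind_failed | closed
    reason: Optional[str] = None


def domain_from_url(url: str) -> str:
    """ldap://host/DC=adt01,DC=example,DC=com -> 'adt01.example.com'."""
    parts = url.split("/", 3)
    dn = parts[3] if len(parts) == 4 else ""
    labels = [rdn.split("=", 1)[1] for rdn in dn.split(",") if rdn.upper().startswith("DC=")]
    return ".".join(labels).lower()


def triage(lines: Iterable[str]) -> Dict[str, Connection]:
    """Return connections keyed by LDAP URL, with bind failures and their SASL reason."""
    by_fd: Dict[int, Connection] = {}
    by_url: Dict[str, Connection] = {}
    pending_reason: Optional[str] = None  # last GSSAPI error, attached to the next bind failure

    for line in lines:
        if m := CONNECT_RE.search(line):
            conn = Connection(m.group(1), int(m.group(2)), domain_from_url(m.group(1)))
            by_fd[conn.fd] = conn
            by_url[conn.url] = conn
        elif m := SASL_ERR_RE.search(line):
            pending_reason = m.group(1)
        elif m := BIND_FAIL_RE.search(line):
            url = m.group(1)
            conn = by_url.get(url)
            if conn is None:
                # The failure line may name a different host than the connect line
                # (an alias); fall back to the still-open connection for the same domain.
                dom = domain_from_url(url)
                conn = next((c for c in by_url.values() if c.domain == dom and c.status == "open"), None)
            if conn is None:
                conn = Connection(url, -1, domain_from_url(url))
                by_url[url] = conn
            conn.status = "bind_failed"
            conn.reason = pending_reason or "unknown (no SASL error logged)"
            pending_reason = None
        elif m := CLOSE_RE.search(line):
            conn = by_fd.get(int(m.group(1)))
            if conn is not None and conn.status == "open":
                conn.status = "closed"   # closed without a logged bind failure
    return by_url


def failed_domains(lines: Iterable[str]) -> List[str]:
    """Sorted list of forest domains whose DC connection failed to bind."""
    return sorted({c.domain for c in triage(lines).values() if c.status == "bind_failed"})


# Constructed sample modelled on the excerpt in the report; not a real capture.
SAMPLE_LOG = """\
(2022-11-17 18:29:10): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://ad03.example.com/DC=ad03,DC=example,DC=com] with fd [21]
(2022-11-17 18:29:10): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://ladc.example.com/DC=ladc,DC=example,DC=com] with fd [30]
(2022-11-17 18:29:11): [be[example.com]] [sdap_ldap_connect_callback_add] (0x4000): New connection to [ldap://adt01.example.com/DC=adt01,DC=example,DC=com] with fd [31] <--
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x4000): SASL: GSSAPI client step 1
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: An invalid name was supplied (Success) <--
(2022-11-17 18:29:11): [be[example.com]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error] <---
(2022-11-17 18:29:11): [be[example.com]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://adt01.example.com/DC=adt01,DC=example,DC=com].
(2022-11-17 18:29:11): [be[example.com]] [sdap_ldap_connect_callback_del] (0x4000): Closing LDAP connection with fd [31].
(2022-11-17 18:29:11): [be[example.com]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: An invalid name was supplied (Success)
(2022-11-17 18:29:11): [be[example.com]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(2022-11-17 18:29:11): [be[example.com]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://dc.example.com/DC=ladc,DC=example,DC=com].
(2022-11-17 18:29:11): [be[example.com]] [sdap_ldap_connect_callback_del] (0x4000): Closing LDAP connection with fd [30].
"""

if __name__ == "__main__":
    for conn in triage(SAMPLE_LOG.splitlines()).values():
        print(f"{conn.domain:<20} fd={conn.fd:<3} {conn.status:<12} {conn.reason or ''}")
    print("failed:", ", ".join(failed_domains(SAMPLE_LOG.splitlines())))
```

Run it against the real file with `triage(open("/var/log/sssd/sssd_example.com.log"))`. The script only reports what the log shows (which domain controllers SSSD opened a connection to and which binds failed with what GSSAPI text); it does not decide why the user lookup failed. That is what the rest of this thread settles: the fix merged for this issue bypasses the LDAP-attribute-based domain filtering when ad_enabled_domains is set.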

@sumit-bose sumit-bose self-assigned this Mar 13, 2023
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 13, 2023
The domain filtering based on LDAP attributes might be too strict in
forests which have a long and complex history where not all attributes
might be updated to reflect the current state, e.g. membership to the
local forest. To skip the filtering the ad_enabled_domains attribute can
be set to the list of expected domains.

Resolves: SSSD#6626
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Apr 21, 2023
sumit-bose added a commit to sumit-bose/sssd that referenced this issue Apr 24, 2023
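
The commit message above says the attribute-based domain filtering is skipped once ad_enabled_domains is set to the list of expected domains. As an added illustration that is not text from the issue, the PR, or SSSD's own documentation: an sssd.conf domain section with that option set. The domain names are placeholders chosen for this example (the joined domain plus two child domains named after the log excerpt); a real deployment lists the forest domains it actually expects.

```ini
[domain/example.com]
id_provider = ad
access_provider = ad
# Placeholder list for this example: the joined domain and the child domains
# that the lookup above needed. Setting this option makes SSSD use exactly
# these domains and, per the commit merged for this issue, skip the
# LDAP-attribute-based forest filtering that excluded them.
ad_enabled_domains = example.com, adt01.example.com, ladc.example.com
```

Because this bypasses the filtering rather than fixing the attributes in the forest, keep the list to domains you know belong to the forest, and re-run the lookup (for example `getent passwd roy@adt01.example.com`, assuming that is the failing user) after `systemctl restart sssd` to confirm the child-domain user now resolves.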
@pbrezina (Member) commented:
Pushed PR: #6627

  • master
    • 1bf4751 - tests: fix typo in ldapi test
    • 9358a74 - ad: skip filtering if ad_enabled_domains is set

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Apr 26, 2023