Ticket was cloned from Red Hat Bugzilla: Bug 1530741
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
I am unsure if this is an IPA, SSSD, or documentation bug but in an IPA - AD
Trust environment disabling a trusted AD domain with 'ipa trustdomain-disable'
does not prevent trusted AD users from logging in with SSSD.
If this is expected behavior, please clarify the use of 'ipa
trustdomain-disable' for Red Hat customers. From the ipa help, it is not
exactly clear what this means - 'Disable use of IPA resources by the domain of
the trust'
Also, ideally SSSD would ignore these disabled domains to improve non-cached
lookup speed/performance of AD objects in environments with many domains.
The current behavior end-result is that customers are disabling domains they do
not need to resolve AD objects from, but it is not making any noticeable
changes unless the trusted domains are removed completely with 'ipa
trustdomain-del'.
Version-Release number of selected component (if applicable):
IPA Server 4.5
SSSD 1.15
How reproducible:
Always
Steps to Reproduce:
1. Disable trusted AD domain with ipa trustdomain-disable
2. Restart SSSD and clear SSSD cache
3. Attempt to log in with trusted AD domain user
Actual results:
Login succeeds
Expected results:
Would expect login to fail
Additional info:
This impacts customers establishing IPA - AD trusts with AD forest root
containing a large number of domains
This commit introduces coverity error (compiler warning):
Error: COMPILER_WARNING:
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c: scope_hint: In function 's2n_response_to_attrs'
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:665:20: warning: 'gc' may be used uninitialized in this function [-Wmaybe-uninitialized]
# attrs->ngroups = gc;
# ~~~~~~~~~~~~~~~^~~~
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:566:15: note: 'gc' was declared here
# size_t c, gc;
# ^~
# 663| }
# 664| }
# 665|-> attrs->ngroups = gc;
# 666|
# 667| tag = ber_peek_tag(ber, &ber_len);
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4078
Comments
Comment from sbose at 2019-09-05 11:59:00
Metadata Update from @sbose:
Comment from sbose at 2019-09-05 11:59:19
Metadata Update from @sbose:
Comment from sbose at 2019-09-13 10:50:41
PR: SSSD/sssd#884
Comment from sbose at 2019-09-13 10:50:59
Metadata Update from @sbose:
Comment from sbose at 2019-09-20 10:29:14
Commit fa3e53bb relates to this ticket
Comment from sbose at 2019-09-20 10:29:15
Commit b12e7a49 relates to this ticket
Comment from sbose at 2019-09-20 10:29:15
Commit 13297b8a relates to this ticket
Comment from sbose at 2019-09-20 10:29:15
Commit 3c871a3f relates to this ticket
Comment from sbose at 2019-09-20 10:29:16
Commit 2e161487 relates to this ticket
Comment from sbose at 2019-09-20 10:30:40
master
sssd-1-16
Comment from sbose at 2019-09-20 10:30:40
Metadata Update from @pbrezina:
Comment from sbose at 2019-09-20 13:27:41
This commit introduces coverity error (compiler warning):
Comment from sbose at 2019-09-20 13:27:41
Metadata Update from @atikhonov:
Comment from sbose at 2019-09-20 13:48:45
@atikhonov, thanks, would you like to send a PR to fix this?
Comment from sbose at 2019-09-20 15:08:31
ok, I will.
Comment from sbose at 2019-09-20 16:33:17
PR: SSSD/sssd#890
Comment from sbose at 2019-09-26 10:40:09
Commit 39e16cca relates to this ticket
Comment from sbose at 2019-09-26 10:43:39
master
sssd-1-16
Comment from sbose at 2019-09-26 10:43:39
Metadata Update from @pbrezina: