Bug 1066096

Summary: not retrieving homedirs of AD users with posix attributes
Product: Red Hat Enterprise Linux 7
Component: sssd
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Reporter: Pavel Reichl <preichl>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Kaushik Banerjee <kbanerje>
CC: dpal, grajaiya, jagee, jgalipea, jhrozek, lslebodn, mkosek, pbrezina, preichl
Fixed In Version: sssd-1.11.2-58.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 11:51:16 UTC
Bug Blocks: 1073810

Description Pavel Reichl 2014-02-17 16:41:51 UTC
Description of problem:

While checking my AD-client environment I noticed that homedirs from AD
users having posix attributes were not retrieved, while on the previous
version of SSSD with the same configuration file they were retrieved.

This can be solved by setting 'ldap_id_mapping = false' in sssd.conf.

I'm not implying this is a bug; I'm just saying we may consider informing
users rather loudly.

Comment 2 Jakub Hrozek 2014-02-20 09:47:45 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2251

Comment 3 Jakub Hrozek 2014-02-27 13:26:11 UTC
We agreed that the behaviour in RHEL6 was more correct. Moving to RHEL7 and setting the Regression keyword.

Comment 5 Jakub Hrozek 2014-03-11 18:43:54 UTC
Fixed upstream:
    master: bb8a08118db0916bf8252a9481c16271ec20acd3
    sssd-1-11: fe2bbd629a72c786d6125066e5bb75005f4cccc7

Comment 7 Jeremy Agee 2014-03-19 15:40:18 UTC
Jakub, would you prefer to treat this BZ as a failed QE, or would you rather verify this BZ and open a new BZ for the forest users in this situation?

Each user in AD has the following attributes set. These attributes are not replicated to the global catalog.
    unixHomeDirectory: /home2/{DOMAIN}/posixuser1_dom{1,2,3}
    loginShell: /bin/ksh

The test client is joined to the root of the forest.
    [domain/sssdad.com]
    id_provider = ad
    access_provider = ad
    ad_domain = adserver.sssdad.com
    krb5_realm = SSSDAD.COM
    use_fully_qualified_names = True
    ldap_id_mapping = True

The root domain user is correct, but the child and second tree domain users are not using their LDAP attributes.
posixuser1_dom1@sssdad.com:*:498201554:498200513:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh
posixuser1_dom2@sssdad_tree.com:*:525401432:525401432:posixuser1_dom2:/:
posixuser1_dom3@child1.sssdad.com:*:1184401422:1184401422:posixuser1_dom3:/:

The following settings were added after the first set of checks.
    default_shell = /bin/bash
    fallback_homedir = /home/%d/%u

The root domain user is correct, but the child and second tree domain users are using the default_shell and fallback_homedir instead of their LDAP attributes.
posixuser1_dom1@sssdad.com:*:498201554:498200513:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh
posixuser1_dom2@sssdad_tree.com:*:525401432:525401432:posixuser1_dom2:/home/sssdad_tree.com/posixuser1_dom2:/bin/bash
posixuser1_dom3@child1.sssdad.com:*:1184401422:1184401422:posixuser1_dom3:/home/child1.sssdad.com/posixuser1_dom3:/bin/bash

Automation test created.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_07: bz 1066096 not retrieving homedirs of AD users with posix attributes
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: checking homedir for posixuser1_dom1@sssdad.com (Assert: /home2/sssdad.com/posixuser1_dom1 should equal /home2/sssdad.com/posixuser1_dom1)
:: [   PASS   ] :: checking shell for posixuser1_dom1@sssdad.com (Assert: /bin/ksh should equal /bin/ksh)
:: [   FAIL   ] :: checking homedir for posixuser1_dom2@sssdad_tree.com (Assert: / should equal /home2/sssdad_tree.com/posixuser1_dom2)
:: [   FAIL   ] :: rlAssertEquals called without all needed parameters 
:: [   FAIL   ] :: checking homedir for posixuser1_dom3@child1.sssdad.com (Assert: / should equal /home2/child1.sssdad.com/posixuser1_dom3)
:: [   FAIL   ] :: rlAssertEquals called without all needed parameters 
:: [   PASS   ] :: checking homedir with fallback_homedir for posixuser1_dom1@sssdad.com (Assert: /home2/sssdad.com/posixuser1_dom1 should equal /home2/sssdad.com/posixuser1_dom1)
:: [   PASS   ] :: checking shell with default_shell for posixuser1_dom1@sssdad.com (Assert: /bin/ksh should equal /bin/ksh)
:: [   FAIL   ] :: checking homedir with fallback_homedir for posixuser1_dom2@sssdad_tree.com (Assert: /home/sssdad_tree.com/posixuser1_dom2 should equal /home2/sssdad_tree.com/posixuser1_dom2)
:: [   FAIL   ] :: checking shell with default_shell for posixuser1_dom2@sssdad_tree.com (Assert: /bin/bash should equal /bin/ksh)
:: [   FAIL   ] :: checking homedir with fallback_homedir for posixuser1_dom3@child1.sssdad.com (Assert: /home/child1.sssdad.com/posixuser1_dom3 should equal /home2/child1.sssdad.com/posixuser1_dom3)
:: [   FAIL   ] :: checking shell with default_shell for posixuser1_dom3@child1.sssdad.com (Assert: /bin/bash should equal /bin/ksh)
:: [   LOG    ] :: Duration: 36s
:: [   LOG    ] :: Assertions: 4 good, 8 bad
:: [   FAIL   ] :: RESULT: ad_forest_07: bz 1066096 not retrieving homedirs of AD users with posix attributes

Comment 8 Jakub Hrozek 2014-03-19 16:36:57 UTC
(In reply to Jeremy Agee from comment #7)
> Jakub would you prefer to treat this BZ as a failed QE or would you rather
> verify this BZ and open a new BZ for the forest users in this situation?
> 
> Each user in AD has the following attributes set. These attributes are
> not replicated to the global catalog.
>     unixHomeDirectory: /home2/{DOMAIN}/posixuser1_dom{1,2,3}
>     loginShell: /bin/ksh

In this case, I think the behaviour is expected. By default, SSSD still connects to GC for subdomain users.

For this use-case, I would suggest trying "ad_enable_gc = False", which should force sssd to connect to the LDAP port of the subdomain DC at the expense of opening multiple connections.

Comment 9 Jeremy Agee 2014-03-19 17:21:38 UTC
Thanks for the extra info, Jakub; the "ad_enable_gc = False" setting was the issue.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_07: bz 1066096 not retrieving homedirs of AD users with posix attributes
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: checking homedir for posixuser1_dom1@sssdad.com (Assert: /home2/sssdad.com/posixuser1_dom1 should equal /home2/sssdad.com/posixuser1_dom1)
:: [   PASS   ] :: checking shell for posixuser1_dom1@sssdad.com (Assert: /bin/ksh should equal /bin/ksh)
:: [   PASS   ] :: checking homedir for posixuser1_dom2@sssdad_tree.com (Assert: /home2/sssdad_tree.com/posixuser1_dom2 should equal /home2/sssdad_tree.com/posixuser1_dom2)
:: [   PASS   ] :: checking shell for posixuser1_dom2@sssdad_tree.com (Assert: /bin/ksh should equal /bin/ksh)
:: [   PASS   ] :: checking homedir for posixuser1_dom3@child1.sssdad.com (Assert: /home2/child1.sssdad.com/posixuser1_dom3 should equal /home2/child1.sssdad.com/posixuser1_dom3)
:: [   PASS   ] :: checking shell for posixuser1_dom3@child1.sssdad.com (Assert: /bin/ksh should equal /bin/ksh)
:: [   PASS   ] :: checking homedir with fallback_homedir for posixuser1_dom1@sssdad.com (Assert: /home2/sssdad.com/posixuser1_dom1 should equal /home2/sssdad.com/posixuser1_dom1)
:: [   PASS   ] :: checking shell with default_shell for posixuser1_dom1@sssdad.com (Assert: /bin/ksh should equal /bin/ksh)
:: [   PASS   ] :: checking homedir with fallback_homedir for posixuser1_dom2@sssdad_tree.com (Assert: /home2/sssdad_tree.com/posixuser1_dom2 should equal /home2/sssdad_tree.com/posixuser1_dom2)
:: [   PASS   ] :: checking shell with default_shell for posixuser1_dom2@sssdad_tree.com (Assert: /bin/ksh should equal /bin/ksh)
:: [   PASS   ] :: checking homedir with fallback_homedir for posixuser1_dom3@child1.sssdad.com (Assert: /home2/child1.sssdad.com/posixuser1_dom3 should equal /home2/child1.sssdad.com/posixuser1_dom3)
:: [   PASS   ] :: checking shell with default_shell for posixuser1_dom3@child1.sssdad.com (Assert: /bin/ksh should equal /bin/ksh)
:: [   LOG    ] :: Duration: 42s
:: [   LOG    ] :: Assertions: 12 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_07: bz 1066096 not retrieving homedirs of AD users with posix attributes
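
Added example (not part of the bug thread or of the SSSD test suite): a shell check that labels each passwd-format entry by where its homedir and shell appear to come from, using the three outcomes seen in comments 7 and 9. The function names are hypothetical; the template and default shell are the fallback_homedir and default_shell values from comment 7, and the sample entries are assembled from the two runs in that comment.

```shell
#!/bin/sh
# classify_passwd reads passwd-format lines on stdin and prints "<name> <state>":
#   MISSING   - homedir is "/" or empty, or shell is empty (no attributes, no fallback)
#   FALLBACK  - homedir and shell match the expanded fallback_homedir / default_shell
#   DIRECTORY - anything else, i.e. values that came from the directory entry
# Note: a user whose directory attributes equal the fallback values is
# indistinguishable here and is reported as FALLBACK.
classify_passwd() {
    # $1 = fallback_homedir template (%d = domain, %u = user), $2 = default_shell
    awk -F: -v tmpl="$1" -v dshell="$2" '
    NF < 7 { print $1, "MALFORMED"; next }
    {
        at   = index($1, "@")
        user = (at ? substr($1, 1, at - 1) : $1)
        dom  = (at ? substr($1, at + 1) : "")
        fb = tmpl
        gsub(/%d/, dom, fb)    # expand the template for this user
        gsub(/%u/, user, fb)
        if ($6 == "/" || $6 == "" || $7 == "")
            state = "MISSING"
        else if ($6 == fb && $7 == dshell)
            state = "FALLBACK"
        else
            state = "DIRECTORY"
        print $1, state
    }'
}

# Sample input assembled from the getent-style lines quoted in comment 7.
sample_entries() {
    cat <<'EOF'
posixuser1_dom1@sssdad.com:*:498201554:498200513:posixuser1_dom1:/home2/sssdad.com/posixuser1_dom1:/bin/ksh
posixuser1_dom2@sssdad_tree.com:*:525401432:525401432:posixuser1_dom2:/home/sssdad_tree.com/posixuser1_dom2:/bin/bash
posixuser1_dom3@child1.sssdad.com:*:1184401422:1184401422:posixuser1_dom3:/:
EOF
}

sample_entries | classify_passwd '/home/%d/%u' /bin/bash
```

On a client, the same function can be fed the output of `getent passwd <user>@<domain>` for each forest domain to spot subdomain users that are still being resolved without their POSIX attributes.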

Comment 10 Ludek Smid 2014-06-13 11:51:16 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.