Hello Community,
We recently updated ipa-server and a bunch of related packages from 4.6.8-5.el7.centos.11
to 4.6.8-5.el7.centos.12. This also updated the IPA data. After that, the clients are
unable to retrieve group information. However, they can load SSH public keys and other
user details fine. When I query the FreeIPA server using ipa and ldapsearch against a
user, I see all group memberships. So, the data on the FreeIPA server seems fine, but only
how SSSD talks to FreeIPA has changed.
On the clients, there were no changes, and I tried all combinations of ldap_schema
(rfc2307, rfc2307bis, ipa) and ldap_group_member (memberUid, uniqueMember), each time
removing the cache and restarting SSSD. However, I don't see any change when I run id
<username> or getent group <group>. They return the user id and primary group; group and
gid. I also tried adding 'initgroups: sss files' to /etc/nsswitch.conf, but that didn't
make a difference.
I tried to revert the packages on the server, but it failed, saying the data schema is
incompatible. So, the current status is that our users can SSH to the instances but can't
sudo, as group information is missing.
Since it seems like an issue with SSSD, I raised an issue with SSSD last week:
https://github.com/SSSD/sssd/issues/6443. I'm reaching out here hoping someone might
have resolved this, as it was an upgrade of the FreeIPA server that triggered it. Please
let me know if you have any questions.
Additional details:
==============
On client:
=======
id
uid=1987401269(user_name) gid=1987401269(user_name) groups=1987401269(user_name)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
getent group sudo
sudo:*:27:
On FreeIPA server:
==============
id
uid=1987401269(user_name) gid=1987401269(user_name)
groups=1987401269(user_name),27(sudo),1987400000(group1),1987400473(group2),1987401284(group3),
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
ipa user-show --all --raw user_name
dn: uid=user_name,cn=users,cn=accounts,dc=REDACTED,dc=com
REDACTED
ipaSshPubKey: REDACTED
..
memberof: cn=group1,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=greoup2,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=sudo,cn=groups,cn=accounts,dc=REDACTED,dc=com
memberof: cn=group3,cn=groups,cn=accounts,dc=REDACTED,dc=com
..
ldapsearch -Y GSSAPI -b 'uid=<user_name>,cn=users,cn=accounts,dc=REDACTED,dc=com'
Shows output similar to above.
I enabled debug logs (debug_level=6) on the SSSD client for all nss, pam and be calls to
see if there are any issues, but I didn't find anything obvious. I thought it was not
very useful to share it here, but I'm sharing the relevant commands SSSD initiates to
the FreeIPA server.
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=REDACTED,dc=com]
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=<user_name>)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=REDACTED,dc=com].
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
and
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=REDACTED,dc=com]
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=<gid_name>)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=REDACTED,dc=com].
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2022-11-18 10:00:29): [be[REDACTED.com]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
More details below
FreeIPA server OS details
==================
cat /etc/*release*
CentOS Linux release 7.9.2009 (Core)
Derived from Red Hat Enterprise Linux 7.9 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.9.2009 (Core)
CentOS Linux release 7.9.2009 (Core)
cpe:/o:centos:centos:7
Relevant upgrade logs on the FreeIPA server
=========================
---> Package ipa-client.x86_64 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-client.x86_64 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-client-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-client-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-python-compat.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-python-compat.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-server.x86_64 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-server.x86_64 0:4.6.8-5.el7.centos.12 will be an update
---> Package ipa-server-common.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package ipa-server-common.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipaclient.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipaclient.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipalib.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipalib.noarch 0:4.6.8-5.el7.centos.12 will be an update
---> Package python2-ipaserver.noarch 0:4.6.8-5.el7.centos.11 will be updated
---> Package python2-ipaserver.noarch 0:4.6.8-5.el7.centos.12 will be an update
Client OS and sssd versions
=====================
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
Amazon Linux release 2 (Karoo)
cpe:2.3:o:amazon:amazon_linux:2
yum list installed|grep sssd
python-sssdconfig.noarch 1.16.5-10.amzn2.10 @amzn2-core
sssd.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-ad.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-client.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-common.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-common-pac.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-ipa.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-krb5.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-krb5-common.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-ldap.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd-proxy.x86_64 1.16.5-10.amzn2.10 @amzn2-core
sssd.conf on Client
================
[domain/REDACTED]
ldap_search_base = cn=users,cn=accounts,dc=REDACTED,dc=com
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://freeipa.REDACTED.com,ldaps://ipa-slave.REDACTED.com
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_schema = rfc2307
ldap_user_ssh_public_key = ipaSshPubKey
ldap_group_search_base = dc=REDACTED,dc=com
ldap_page_size = 1900
group_name_attribute = cn
ldap_group_member = memberUid
group_class = posixGroup
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, ssh, sudo
domains = REDACTED.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
homedir_substring = /home
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[ssh]
Thanks,
Krishna.
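Added here as a worked example, not part of Krishna's post or of SSSD itself: a small Python triage helper that walks SSSD debug lines in the format quoted above, pairs each ldap_search_ext call with the lookup that issued it (the initgroups search keyed on memberUid versus the primary-group search keyed on gidNumber), its LDAP result code and any logged group count, and prints an ldapsearch command that replays the identical filter and base against the server. The embedded log lines are constructed placeholders modelled on the post (example.com, jdoe), not real data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the SSSD debug_level=6 output quoted in
# the post; domain, user and gid values are placeholders, not real data.
SAMPLE_LOG = """\
(2022-11-18 10:00:29): [be[example.com]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [dc=example,dc=com]
(2022-11-18 10:00:29): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=jdoe)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=example,dc=com].
(2022-11-18 10:00:29): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2022-11-18 10:00:29): [be[example.com]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=example,dc=com]
(2022-11-18 10:00:29): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1987401269)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=example,dc=com].
(2022-11-18 10:00:29): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2022-11-18 10:00:29): [be[example.com]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
""".splitlines()

CALLER_RE = re.compile(r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): Searching for groups with base")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.+?)\]\[(?P<base>[^\]]+)\]\.$")
RESULT_RE = re.compile(r"Search result: (?P<status>[\w ]+)\((?P<code>\d+)\)")
COUNT_RE = re.compile(r"Search for groups, returned (?P<n>\d+) results")
# SSSD puts the attribute it keys the group lookup on first in the AND filter.
KEY_RE = re.compile(r"^\(&\((?P<attr>[A-Za-z]+)=(?P<val>[^)]*)\)")

def parse_group_searches(lines: List[str]) -> List[Dict[str, object]]:
    """Pair each ldap_search_ext call with its caller, LDAP result code and group count."""
    searches: List[Dict[str, object]] = []
    caller: Optional[str] = None
    for line in lines:
        if (m := CALLER_RE.search(line)):
            caller = m["func"]  # e.g. sdap_initgr_rfc2307_next_base
        elif (m := SEARCH_RE.search(line)):
            key = KEY_RE.match(m["filter"])
            searches.append({"caller": caller, "filter": m["filter"], "base": m["base"],
                             "attr": key["attr"] if key else None,
                             "value": key["val"] if key else None,
                             "code": None, "count": None})
        elif searches and (m := RESULT_RE.search(line)) and searches[-1]["code"] is None:
            searches[-1]["code"] = int(m["code"])  # 0 == Success; 'no error' != 'found groups'
        elif searches and (m := COUNT_RE.search(line)):
            searches[-1]["count"] = int(m["n"])  # logged by sdap_get_groups_process in the sample
    return searches

def replay_command(search: Dict[str, object]) -> str:
    """ldapsearch line (GSSAPI, as in the post) repeating exactly the filter and base SSSD used."""
    return (f"ldapsearch -Y GSSAPI -b '{search['base']}' '{search['filter']}' "
            "cn gidNumber memberUid member")

for _s in parse_group_searches(SAMPLE_LOG):
    print(f"{_s['caller']}: {_s['attr']}={_s['value']} rc={_s['code']} groups={_s['count']}")
    print("  replay:", replay_command(_s))
```

Feed it the real sssd_<domain>.log instead of SAMPLE_LOG and compare what the replayed ldapsearch returns for the memberUid filter with the memberof values ipa user-show prints, which tells you whether the server or the client-side lookup is the side that changed.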