-
Bug
-
Resolution: Unresolved
-
Undefined
-
rhel-8.10
-
sssd-2.9.4-1.el8
-
sst_idm_sssd
-
ssg_idm
-
20
-
21
-
False
-
-
Red Hat Enterprise Linux
-
-
Unspecified
What were you trying to do that didn't work?
It took about 1 minutes to resolve trusted AD users in IdM client, which prevent them from login before the users are resolved.
While IPA server have no problem resolving the users, yet the user private groups did not exist in the SSSD cache, which may cause IPA client failed to get the user private group from IPA server, thus IPA client has to query and cache the group itself, causing delay.
% ipa idrange-find
Range name: AD.EXAMPLE.COM_id_range
First Posix ID of the range: 100000
Number of IDs in the range: 200000
...
Range type: Active Directory trust range with POSIX attributes
Auto private groups: hybrid
AD users have following POSIX attribute
uidNumber: 2000
gidNumber: 2000
However, there are no AD group that has gidNumber: 2000
Please provide the package NVR for which bug is seen:
sssd-2.8.2-3.el8_8
ipa-client-4.9.11-5.module+el8.8.0+18146+a1d8660b.x86_64
ipa-server-4.9.11-5.module+el8.8.0+18146+a1d8660b.x86_64
How reproducible:
Always
Steps to reproduce
- On IPA server
systemctl stop sssd; rm -fr /var/lib/sss/ {db,mc}/*; systemctl start sssd
- id aduser
- ldbsearch -H /var/lib/sss/db/cache_idm.example.com name=aduser@ad.example.com
Expected results
group aduser@ad.example.com should appear in SSSD cache
Actual results
group aduser@ad.example.com did not appear in SSSD cache
- links to
-
RHBA-2023:121691
sssd bug fix and enhancement update
- mentioned on
