RHEL-111571

'sssctl config-check' does not work correctly for "Accessing AD with a MSA"

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects versions: rhel-8.10, rhel-9.6, rhel-10.0
    • Component: sssd
    • rhel-idm

      What were you trying to do that didn't work?

      The recommended SSSD configuration for "MSA corresponding to an AD domain from the local forest" fails a check by 'sssctl config-check'.

      Documentation: Configuring a Managed Service Account for a RHEL host

      Configuration snippet:

      [domain/ad.example.com/production.example.com]
      ldap_sasl_authid = CLIENT!S3A$@PRODUCTION.EXAMPLE.COM
      ldap_krb5_keytab = /etc/krb5.keytab.production.example.com
      krb5_keytab = /etc/krb5.keytab.production.example.com
      ad_domain = production.example.com
      krb5_realm = PRODUCTION.EXAMPLE.COM
      access_provider = ad

      Configuration check:

      [root@node-0 ~]# sssctl config-check -c ./sssd.conf
      Issues identified by validators: 6
      [rule/allowed_subdomain_options]: Attribute 'ldap_sasl_authid' is not allowed in section 'domain/ad.example.com/production.example.com'. Check for typos.
      [rule/allowed_subdomain_options]: Attribute 'ldap_krb5_keytab' is not allowed in section 'domain/ad.example.com/production.example.com'. Check for typos.
      [rule/allowed_subdomain_options]: Attribute 'krb5_keytab' is not allowed in section 'domain/ad.example.com/production.example.com'. Check for typos.
      [rule/allowed_subdomain_options]: Attribute 'ad_domain' is not allowed in section 'domain/ad.example.com/production.example.com'. Check for typos.
      [rule/allowed_subdomain_options]: Attribute 'krb5_realm' is not allowed in section 'domain/ad.example.com/production.example.com'. Check for typos.
      [rule/allowed_subdomain_options]: Attribute 'access_provider' is not allowed in section 'domain/ad.example.com/production.example.com'. Check for typos.
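To make the rule behind these messages concrete, here is a small validator in Python, added as an example; it is not SSSD's own code. It parses the snippet above, applies a per-section allow-list to subdomain sections of the form domain/<parent>/<sub>, and produces sssctl-style messages. The allow-lists and the extra [sssd] and [domain/ad.example.com] sections in the sample are constructed for the demonstration and do not reproduce SSSD's real cfg_rules.ini. It runs once with an allow-list that lacks the MSA options (reproducing the six findings above), once with them added (no findings), and once more with a deliberate typo (krb5_realms) to show that a real mistake is still reported once the required options are allowed.

```python
#!/usr/bin/env python3
"""Toy re-implementation of an sssctl-style 'allowed options' check.

Added example: this is NOT SSSD's own validator. The allow-lists are
constructed for illustration and do not reproduce SSSD's cfg_rules.ini.
"""
import configparser
import re

# Constructed allow-list for subdomain sections that does not know the
# MSA-related options (assumption; stands in for the behaviour reported).
SUBDOMAIN_BASIC = {"ad_site", "ad_server", "ad_backup_server",
                   "use_fully_qualified_names"}

# The six options the MSA documentation requires in the subdomain section.
MSA_OPTIONS = {"ldap_sasl_authid", "ldap_krb5_keytab", "krb5_keytab",
               "ad_domain", "krb5_realm", "access_provider"}

# Extended allow-list: what a fixed validator would accept (assumption).
SUBDOMAIN_WITH_MSA = SUBDOMAIN_BASIC | MSA_OPTIONS

# A subdomain section is 'domain/<parent>/<sub>'; a plain 'domain/<x>'
# section is the parent domain and is governed by other rules.
SUBDOMAIN_SECTION = re.compile(r"^domain/[^/]+/[^/]+$")

# The snippet from the report, embedded in a minimal constructed sssd.conf.
SAMPLE_CONF = """\
[sssd]
domains = ad.example.com
services = nss, pam

[domain/ad.example.com]
id_provider = ad

[domain/ad.example.com/production.example.com]
ldap_sasl_authid = CLIENT!S3A$@PRODUCTION.EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab.production.example.com
krb5_keytab = /etc/krb5.keytab.production.example.com
ad_domain = production.example.com
krb5_realm = PRODUCTION.EXAMPLE.COM
access_provider = ad
"""


def parse_sssd_conf(text):
    """Parse INI text into {section: {option: value}}, keeping option case."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_subdomain_sections(conf, allowed):
    """Return sssctl-style messages for subdomain options outside `allowed`."""
    issues = []
    for section, options in conf.items():
        if not SUBDOMAIN_SECTION.match(section):
            continue
        for opt in options:
            if opt not in allowed:
                issues.append(
                    f"[rule/allowed_subdomain_options]: Attribute '{opt}' "
                    f"is not allowed in section '{section}'. Check for typos.")
    return issues


def run_demo():
    """Return the findings for the three scenarios: before, after, and typo."""
    conf = parse_sssd_conf(SAMPLE_CONF)
    before = check_subdomain_sections(conf, SUBDOMAIN_BASIC)
    after = check_subdomain_sections(conf, SUBDOMAIN_WITH_MSA)
    # A genuine typo must still be caught once the MSA options are allowed.
    typo_conf = parse_sssd_conf(SAMPLE_CONF.replace("krb5_realm =", "krb5_realms ="))
    typo = check_subdomain_sections(typo_conf, SUBDOMAIN_WITH_MSA)
    return {"before": before, "after": after, "typo": typo}


if __name__ == "__main__":
    for name, found in run_demo().items():
        print(f"{name}: issues identified by validators: {len(found)}")
        for line in found:
            print("  " + line)
```

The point of the third run is the check a maintainer would want when widening the allow-list: adding the MSA options to the subdomain rule removes the false positives without turning off detection of misspelled options in the same section.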

      What is the impact of this issue to you?

      The 'sssctl config-check' command reports incorrect information for this use case.

      Please provide the package NVR for which the bug is seen:

      sssd-tools-2.9.4-5.el8_10.2.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Add the subdomain section for "AD domain from the local forest" to sssd.conf
      2. Run the 'sssctl config-check' command on the configuration file

      Expected results

      The required/recommended settings should pass the check.

      Actual results

      The required/recommended settings are reported as errors.

              People: Tomas Halman, Runar Lundgren, SSSD Maintainers, SSSD QE