Hi,
I'm trying to set up sssd (sssd-1.8.0-32) on CentOS release 6.3. We have some users whose uidnumber or gidnumber is equal to 0 in our LDAP. I set min_id to 0 in the domain section but these users are filtered out:
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): User [root-rdm] filtered out! (id out of range)
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): Failed to save user [root-rdm]
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Am I missing something?
On Fri, Nov 30, 2012 at 10:29:04AM +0100, Christian Claveleira wrote:
Hi,
I'm trying to set up sssd (sssd-1.8.0-32) on CentOS release 6.3. We have some users whose uidnumber or gidnumber is equal to 0 in our LDAP. I set min_id to 0 in the domain section but these users are filtered out:
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): User [root-rdm] filtered out! (id out of range)
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): Failed to save user [root-rdm]
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Am I missing something?
UIDs and GIDs equal to 0 are always filtered out for security reasons independent of the settings of min_id. I think the sssd.conf man page is not very clear about this, maybe we should add a paragraph about it.
HTH
bye, Sumit
--
CC
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Fri, Nov 30, 2012 at 11:06:26AM +0100, Sumit Bose wrote:
On Fri, Nov 30, 2012 at 10:29:04AM +0100, Christian Claveleira wrote:
Hi,
I'm trying to set up sssd (sssd-1.8.0-32) on CentOS release 6.3. We have some users whose uidnumber or gidnumber is equal to 0 in our LDAP. I set min_id to 0 in the domain section but these users are filtered out:
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): User [root-rdm] filtered out! (id out of range)
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): Failed to save user [root-rdm]
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Am I missing something?
UIDs and GIDs equal to 0 are always filtered out for security reasons independent of the settings of min_id. I think the sssd.conf man page is not very clear about this, maybe we should add a paragraph about it.
HTH
On Fri, 2012-11-30 at 10:29 +0100, Christian Claveleira wrote:
Hi,
I'm trying to set up sssd (sssd-1.8.0-32) on CentOS release 6.3. We have some users whose uidnumber or gidnumber is equal to 0 in our LDAP. I set min_id to 0 in the domain section but these users are filtered out:
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): User [root-rdm] filtered out! (id out of range)
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): Failed to save user [root-rdm]
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Am I missing something?
Sorry Christian, the minimum uid or gid number SSSD can handle is 1, this is structural and the value 0 internally is used to indicate the uidnumber is invalid, so it is not possible to change it at this moment. This was done on purpose as we do not want to allow to serve 'root' out of SSSD.
Simo.
Simo Sorce wrote, on 30/11/12 14:27:
On Fri, 2012-11-30 at 10:29 +0100, Christian Claveleira wrote:
Hi,
I'm trying to set up sssd (sssd-1.8.0-32) on CentOS release 6.3. We have some users whose uidnumber or gidnumber is equal to 0 in our LDAP. I set min_id to 0 in the domain section but these users are filtered out:
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): User [root-rdm] filtered out! (id out of range)
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_user] (0x0040): Failed to save user [root-rdm]
(Thu Nov 29 17:23:02 2012) [sssd[be[LDAP]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Am I missing something?
Sorry Christian, the minimum uid or gid number SSSD can handle is 1, this is structural and the value 0 internally is used to indicate the uidnumber is invalid, so it is not possible to change it at this moment. This was done on purpose as we do not want to allow to serve 'root' out of SSSD.
Simo.
Ok, so it's a feature, not a bug ;-)
I agree the doc should be more explicit.
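
The rule stated in the replies (an ID of 0 is never accepted, whatever min_id says) can be checked against a directory export before SSSD is pointed at it. The following is an added example, not SSSD code and not part of the thread: a Python audit that flags every uidNumber or gidNumber that is 0 or outside the min_id/max_id range. The LDIF sample is constructed (only the name root-rdm comes from the log above), the function names are hypothetical, and max_id is the sssd.conf upper-bound option, where 0 means no limit.

```python
# Added example (not SSSD code). Constructed LDIF export; only root-rdm is from the thread.
SAMPLE_LDIF = """\
dn: uid=root-rdm,ou=people,dc=example,dc=org
uid: root-rdm
uidNumber: 0
gidNumber: 0

dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: uid=svc-backup,ou=people,dc=example,dc=org
uid: svc-backup
uidNumber: 70000
gidNumber: 0
"""

def parse_ldif(text):
    """Yield one dict per record (plain 'attr: value' lines, last value wins)."""
    for block in text.strip().split("\n\n"):
        entry = {}
        # LDIF folds long values onto continuation lines that start with a space.
        for line in block.replace("\n ", "").splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry[attr.lower()] = value.strip()
        yield entry

def rejection_reason(value, min_id, max_id):
    """Model of the rule stated in the thread: 0 never passes, whatever min_id is."""
    if value == 0:
        return "zero"
    if value < min_id or (max_id and value > max_id):  # max_id 0 means no upper limit
        return "out of range"
    return None

def audit(ldif, min_id=1, max_id=0):
    """Return (user, attribute, value, reason) for each uidNumber/gidNumber that fails."""
    findings = []
    for entry in parse_ldif(ldif):
        for attr in ("uidnumber", "gidnumber"):
            value = int(entry.get(attr, 0))  # a missing attribute counts as 0 (invalid)
            reason = rejection_reason(value, min_id, max_id)
            if reason:
                findings.append((entry.get("uid"), attr, value, reason))
    return findings
```

Calling `audit(SAMPLE_LDIF, min_id=0)` still reports root-rdm, which is the behaviour the original poster ran into.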