Bug 1002597

Summary: ad: unable to resolve membership when user is from different domain than group
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: grajaiya, jgalipea, lslebodn, mkosek, pbrezina
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.11.2-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 12:13:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Dmitri Pal 2013-08-29 13:51:32 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2064

I have the following configuration of an Active Directory forest:

{{{
ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain)

ChildUsers (universal group in ad.pb) contains
subaduser.pb (user from child domain)
}}}

SSSD is not able to resolve this membership. It probably tries to search subaduser in ad.pb LDAP instead of the Global Catalog.


{{{
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
	ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
	ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_done] (0x0020): Nested group processing failed: [5][Input/output error]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
}}}
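
The failure pattern in the log above is easy to check for by hand: a member DN whose DC= components belong to a different naming context than the connection's base DN cannot be fetched with a base-scoped search against the group's domain controller; the DC answers with LDAP result 10 (Referral) pointing at the member's own domain, and a client that does not chase referrals has to go to the Global Catalog (port 3268) of the forest instead. The following script is an added example, not SSSD code and not part of the original report: it classifies group member DNs by the domain they live in, says which lookups must go to the GC, and pulls the referral targets out of SSSD debug output. The member DNs, the forest root name and the GC URI scheme are assumptions for illustration; the log excerpt is taken from the report above.

```python
import re

# Constructed sample data (not from the bug report): a universal group in the
# forest root ad.pb whose members come from both ad.pb and the child sub.ad.pb.
SAMPLE_MEMBERS = [
    "CN=localuser,CN=Users,DC=ad,DC=pb",
    "CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb",
    "CN=Doe\\, Jane,OU=Staff,DC=sub,DC=ad,DC=pb",  # escaped comma inside the RDN
]

# Excerpt of the sssd domain log lines quoted in the report; the referral is
# logged twice (once at 0x0400, once as "Unexpected result" at 0x0040).
SAMPLE_LOG = "\n".join([
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].",
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points",
    "\tref 1: 'sub.ad.pb'",
    "",
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points",
    "\tref 1: 'sub.ad.pb'",
    "",
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error",
])

GC_PORT = 3268  # Global Catalog over plain LDAP (3269 for LDAPS)


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas ('\\,' inside an RDN is kept)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def dn_domain(dn):
    """DNS domain implied by the DC= components of an AD DN, e.g. 'sub.ad.pb'."""
    dcs = [rdn.split("=", 1)[1] for rdn in split_dn(dn) if rdn.lower().startswith("dc=")]
    return ".".join(dcs).lower()


def plan_member_lookups(member_dns, connected_base_dn, forest_root):
    """Decide where each member DN can actually be looked up.

    Members under the connected naming context can be fetched from the domain
    LDAP (port 389) the group was read from.  A member in another naming
    context is exactly the case in the log above: a base-scoped search for it
    on the group's DC yields Referral(10), so the lookup has to go to the
    forest's Global Catalog (or to a DC of the member's own domain).
    Returns a list of (dn, domain, ldap_uri) tuples in input order.
    """
    local_domain = dn_domain(connected_base_dn)
    plan = []
    for dn in member_dns:
        domain = dn_domain(dn)
        if domain == local_domain:
            plan.append((dn, domain, "ldap://%s:389" % local_domain))
        else:
            plan.append((dn, domain, "ldap://%s:%d" % (forest_root, GC_PORT)))
    return plan


def find_referrals(log_text):
    """Distinct referral targets named on the "ref N: '...'" lines that follow a
    'Referral(10)' search result in an SSSD debug log, in first-seen order."""
    targets = []
    in_referral = False
    for line in log_text.splitlines():
        if "Referral(10)" in line:
            in_referral = True
            continue
        match = re.match(r"\s*ref \d+: '([^']+)'", line)
        if in_referral and match:
            if match.group(1) not in targets:
                targets.append(match.group(1))
        else:
            in_referral = False
    return targets


if __name__ == "__main__":
    for dn, domain, uri in plan_member_lookups(SAMPLE_MEMBERS, "DC=ad,DC=pb", "ad.pb"):
        print("%-45s %-10s -> %s" % (dn, domain, uri))
    print("search was referred to:", find_referrals(SAMPLE_LOG))
```

Running it against the constructed group prints one lookup against ad.pb:389 and two against the GC on ad.pb:3268, and reports sub.ad.pb as the referral target from the log. The domain-of-DN mapping relies on the AD guarantee that a domain's naming context DN is the DC= form of its DNS name, which is also why the GC can answer for every member in the forest.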

Comment 1 Jakub Hrozek 2013-08-29 17:22:17 UTC
We know the root cause -> ASSIGNED

Comment 2 Jakub Hrozek 2013-10-30 22:08:30 UTC
sssd-1-11:
    90fffc3ac673b5d030189e050ca2955f0ef2a429
    fc2dca9b7009885e1ceda8ab1df57c8e98f4f2b0
    d1fd7269420dfdb46cf60e138af6ba051e5ef3bb
    3d82882a2f0bc833278709b3c56d34337d151d58
    4b868a12602c9588f7beef6664c97b40cf83acf8
    a2c1db6b43374e7811bcf12d4b90640b96e695f2
    7cf785f9326a32afd0a52117f89d854244b1ce40 
master:
    55206e06bcfa0322cd817d34457e330545d6b877
    05f6866b89f790e25510b7eeca88ded617294011
    b6a867be96dbe802c8dc8a9ce635040ecf77b56f
    85eb8a5e98e208393b205615e3895a64905eacf2
    d81ce5550ba1fdebd958483d7322052c8b39c33b
    c704c35ae7ab3861c78371437e3a9ed06ba93d8b
    76da70d5a5b5b05b926840d7692a31915d3ca8eb

Comment 4 Kaushik Banerjee 2014-01-13 11:59:23 UTC
Verified in version 1.11.2-23.el7

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_02: bz 1002597 User and group memberships from different domains
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'getent group group2_dom2 | grep user1_dom2 | grep user2_dom1 | grep user2_dom3' (Expected 0, got 0)
:: [   PASS   ] :: Running 'id user3_dom3.com | grep group3_dom3 | grep group3_dom2 | grep group3_dom1' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2m 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_02: User and group memberships from different domains

Comment 5 Ludek Smid 2014-06-13 12:13:00 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.