Bug 1030699

Alexander, isn't this behavior intended? I.e. one cannot see all groups of an AD user until he logs in to the machine (and thus groups can be read from ms-pac)?

Yes, unless MS-PAC is seen upon logon, full list of groups is not available on client, we don't do initgroups() call over extdom.

In IPA server mode SSSD has to resolve all groups for legacy clients support, thus IPA masters always have initgroups() correctly populated.

We are discussing whether it makes sense to expand initgroups() to go over extdom. Sumit will have more details.

Adding Sumit to CC to advise.

As Alexander said this is intended behavior.

Imo the needed changes to support initgroups over extdom are out of scope for RHEL7. I would suggest to rename this ticket and move it as an RFE to RHEL-7.1.

Ok, makes sense - renaming the ticket.

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4031

Might have to be back ported to 6 & 7.

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/3c75b9171e5721097f6ba2855e41f0e4129b907b
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/2006d8759b767364031052480a3fc8947dea0998

I think I can verify this but, I need to confirm that "Domain Users" is special case and will not necessarily show up in lookups here?

MASTER:

[root@rhel7-1 systemd]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1.com) gid=1108801104(aduser1.com) groups=1108801104(aduser1.com),1108800513(domain users.com)

[root@rhel7-1 systemd]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108800513(domain users.com)


CLIENT:

[root@rhel7-2 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1.com) gid=1108801104(aduser1.com) groups=1108801104(aduser1.com),1108800513(domain users.com)

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com)

On the client I see all the expected groups except for "Domain Users".  Is that still going to be the case with this change?

FYI, per previous expectations, I can see "Domain Users" after login:

[root@rhel7-2 ~]# ssh -l 'ADROOT1\bzuser1' $(hostname)
ADROOT1\bzuser1.example.com's password: 
Could not chdir to home directory /home/adroot1.example.com/bzuser1: No such file or directory

-sh-4.2$ id
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108800513(domain users.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108801112(bzgroup3.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ exit
logout
Connection to rhel7-2.ipa1.example.com closed.

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108800513(domain users.com)

So, is "Domain Users" group an exception to this change?

Whatever id returns on the server should be returned on the client as well. Can you retry with an empty cache on the client?

That was from a fresh install.  One of the first commands run after IPA installed and trust setup.

Is it possible that it's a first time lookup hiccup?  

I was able to rebuild my env and reproduce the problem.  Then I enabled sssd debug_level = 9.  After clearing cache and restarting, I'm now seeing "Domain Users" group.

I'll rebuild env and set sssd debugging before I test the first time to see if I can catch it there.

Created attachment 965173 [details]
sssd logs from id lookup missing domain users

Ok, see attachement sssd.logs.  This was after missing domain users from bzuser1 lookup:

[root@rhel7-2 bad]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com)

Hi Scott, thank you for the logs, there is indeed an issue in the SSSD side which prevents to user to be added to the domain users group properly. I'll fix it.

SSSD ticket is https://fedorahosted.org/sssd/ticket/2529

Ok, does that need a separate bz created since it is a separate component?

I'm changing this one back to assigned until that issue is fixed and ready for QA.  If we do have a separate BZ for the sssd issue, I think that it should be tagged as blocking this one, right?  If not, will you just add sssd to the "Fixed in version" field?

Thanks

(In reply to Scott Poore from comment #20)
> Ok, does that need a separate bz created since it is a separate component?
> 
> I'm changing this one back to assigned until that issue is fixed and ready
> for QA.

Thank you there is a patch on the list already.

>  If we do have a separate BZ for the sssd issue, I think that it
> should be tagged as blocking this one, right?  If not, will you just add
> sssd to the "Fixed in version" field?

Since it's a bug in an acked feature, I think it's fine to re-use this bug.

No change is needed for IPA, this issue will be fixed by patch for Bug 1171383 and Bug 1171382.

SSSD bugs were fixed in sssd-1.12.2-38.el7, moving back to ON_QA.

Verified.

Version ::

ipa-client-4.1.0-13.el7.x86_64
sssd-1.12.2-39.el7.x86_64

Results ::

Again tested right after install/setup.

Server:

[root@rhel7-1 ~]# ipa trust-add adroot1.example.com --admin Administrator --range-type=ipa-ad-trust --password
Active Directory domain administrator's password: 
------------------------------------------------------------
Added Active Directory trust for realm "adroot1.example.com"
------------------------------------------------------------
  Realm name: adroot1.example.com
  Domain NetBIOS name: ADROOT1
  Domain Security Identifier: S-1-5-21-663451879-2037396169-3163888224
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
                          S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
                          S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
                          S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
                          S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@rhel7-1 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108800513(domain users.com)

[root@rhel7-1 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1.com) gid=1108801104(aduser1.com) groups=1108801104(aduser1.com),1108800513(domain users.com)

Client:

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
id: ADROOT1\bzuser1: no such user

[root@rhel7-2 ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

# restart above was necessary on client to pick up trust without natural timeout/update:

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108800513(domain users.com)

[root@rhel7-2 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1.com) gid=1108801104(aduser1.com) groups=1108801104(aduser1.com),1108800513(domain users.com)

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html