Bug 1077328
| Summary: | other subdomains are unavailable when joined to a subdomain in the ad forest | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jeremy Agee <jagee> | ||||
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kaushik Banerjee <kbanerje> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 7.0 | CC: | dpal, enewland, grajaiya, jgalipea, kbanerje, lslebodn, mkosek, pbrezina, preichl | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | sssd-1.11.2-64.el7 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-06-13 10:45:44 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Thank you for reporting this bug, I was able to reproduce it with Jeremy's help. I'm not 100% sure about the fix yet and I'd like to discuss it with the other developers, but in short, I think we should connect to the forest root in order to download the full list of domains. There is a catch with our current implementation of SRV resolution, which doesn't allow changing the domain on the fly (first for forest root, then for domain we're enrolled with). Upstream ticket: https://fedorahosted.org/sssd/ticket/2285 Ack for 7.0. Raising blocker. This is an AD integration issue for direct integration in multi domain setup. FWIW, the upstream patches were:
master: e306ec431ccbe3df99e890767658dab217b1be94
sssd-1-11: c410cb395e5999dc90b5e228a02990bcdd0f22ab
tested and passed with sssd-1.11.2-64.el7 marking verified. https://beaker.engineering.redhat.com/jobs/625345 :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: ad_other_dc_02: bz 1077328 forest user lookup when joined to child domain :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Running 'id administrator' (Expected 0, got 0) :: [ PASS ] :: Running 'id user1_dom2' (Expected 0, got 0) :: [ LOG ] :: Duration: 5s :: [ LOG ] :: Assertions: 2 good, 0 bad :: [ PASS ] :: RESULT: ad_other_dc_02: bz 1077328 forest user lookup when joined to child domain :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: ad_other_dc_04: bz 1077328 forest user lookup when joined to second tree domain :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Running 'id administrator.com' (Expected 0, got 0) :: [ PASS ] :: Running 'id user1_dom3.com' (Expected 0, got 0) :: [ LOG ] :: Duration: 21s :: [ LOG ] :: Assertions: 2 good, 0 bad :: [ PASS ] :: RESULT: ad_other_dc_04: bz 1077328 forest user lookup when joined to second tree domain This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
Created attachment 875617 [details] logs for each join and test Description of problem: Issues resolving uses for child or second tree domain when the sssd client system is joined to the child or second tree. Version-Release number of selected component (if applicable): sssd-1.11.2-58.el7 How reproducible: every time. Steps to Reproduce: AD layout: Root domain sssdad.com Child domain child1.sssdad.com Second tree domain sssdad_tree.com Client joined to one domain using ad_provider defaults for ldap_id_mapping When joined to sssdad.com all users resolve. id administrator id administrator id administrator.com id user1_dom1 id user1_dom2 id user1_dom3.com When joined to sssdad_tree.com the following users do not resolve. id administrator.com id user1_dom3.com When joined to child1.sssdad.com the following users do not resolve. id administrator id user1_dom2 The set of logs are from tests on each domain join. Administrator entry when connected to sssdad_tree.com (Mon Mar 17 11:33:13 2014) [sssd[be[sssdad_tree.com]]] [sdap_save_user] (0x2000): Adding originalDN [CN=Administrator,CN=Users,DC=child1,DC=sssdad,DC=com] to attributes of [Administrator]. No entry for CN=Administrator,CN=Users,DC=sssdad_tree,DC=com in sssd_child1.sssdad.com.log. No entries were logged for user1_dom3.com in sssd_sssdad_tree.com.log and user1_dom2 in sssd_child1.sssdad.com.log. Expected results: All forest users should resolve when joined to any trusted domain.