Bug 1125187

Summary: simple_allow_groups does not lookup groups from other AD domains
Product: Red Hat Enterprise Linux 6
Reporter: Kaushik Banerjee <kbanerje>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: high
Priority: high
Version: 6.6
CC: dpal, grajaiya, jgalipea, kbanerje, lslebodn, mkosek, pbrezina, preichl, tlavigne
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.6-28.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-10-14 04:49:13 UTC

Description Kaushik Banerjee 2014-07-31 09:29:23 UTC
Description of problem:
simple_allow_groups does not lookup groups from other AD domains

Version-Release number of selected component (if applicable):
sssd-1.11.6-12.el6

How reproducible:
Always

Steps to Reproduce:
1. sssd configured for ad provider. primary domain=sssdad.com
[domain/sssdad.com]
id_provider = ad
debug_level = 0xFFF0
use_fully_qualified_names = True
access_provider = simple
simple_allow_groups=group1_dom3.com

2. Lookup the child domain group
# getent group group1_dom3.com
group1_dom3.com:*:1184401714:user1_dom3.com

3. # ssh -l user1_dom3.com localhost
user1_dom3.com@localhost's password: 
Connection closed by ::1

Actual results:
Access is denied

Domain log shows:
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_primary] (0x0040): Could not look up primary group [1184401711]: [2][No such file or directory]
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted

Expected results:
Access should be permitted

Additional info:
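
The four domain-log lines quoted in the report are the signature of this failure: the simple access provider denies the login because it could not resolve the user's primary group, which lives in another domain of the forest. The Python script below is an added example, not code from sssd or from this bug report; it parses that log layout and flags a denial that coincides with an unresolved primary group. The regular expressions and the SimpleAccessDiagnosis type are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
# sssd 1.11 domain-log layout, assumed from the lines quoted above:
# "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PRIMARY_FAIL_RE = re.compile(r"Could not look up primary group \[(?P<gid>\d+)\]")

@dataclass
class SimpleAccessDiagnosis:  # hypothetical result type, not an sssd type
    domain: str = ""
    denied: bool = False
    unresolved_primary_gids: list = field(default_factory=list)

    @property
    def cross_domain_lookup_suspected(self) -> bool:
        # Denial plus an unresolvable primary group is the pattern in this report.
        return self.denied and bool(self.unresolved_primary_gids)

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose(lines):
    """Walk the simple-provider messages and summarise the access decision."""
    diag = SimpleAccessDiagnosis()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or truncated line
        diag.domain = rec["domain"]
        if rec["func"] == "simple_check_get_groups_primary":
            fail = PRIMARY_FAIL_RE.search(rec["msg"])
            if fail:
                diag.unresolved_primary_gids.append(int(fail.group("gid")))
        elif rec["func"] == "simple_access_check_recv":
            diag.denied = "Access not granted" in rec["msg"]
    return diag

# Constructed sample: the four lines quoted in the bug description.
SAMPLE_LOG = """\
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_primary] (0x0040): Could not look up primary group [1184401711]: [2][No such file or directory]
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted
"""
```

Run `diagnose(SAMPLE_LOG.splitlines())` against a real domain log captured at the debug level shown in the report to separate this lookup failure from an ordinary policy denial.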

Comment 1 Jakub Hrozek 2014-07-31 09:35:10 UTC
Pavel, didn't we fix this bug some time ago?

Comment 3 Pavel Reichl 2014-07-31 11:08:19 UTC
Jakub,

I believe you mean:

https://bugzilla.redhat.com/show_bug.cgi?id=1092766

Comment 6 Jakub Hrozek 2014-08-14 07:57:55 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2407

Comment 10 Jakub Hrozek 2014-08-26 15:45:25 UTC
Fixed upstream:

    master:
        99f53d551a1db5d8023b4271eb691d554257624c
        174e9ec6f88d709b6e9481ed06a322c0fc495842
        21f2821a4420291c8eb3ee9d427e9e1b0a1d9989 
    sssd-1-11:
        414f520ee793cdee5973eeab35a09a70081f95bd
        6656b818d1b4400052aee33ab50385abbe1b1a6a
        97e5ea0490f05107c5d4d1773841b4a533b737f2

Comment 12 Kaushik Banerjee 2014-08-28 09:00:19 UTC
Verified in version sssd-1.11.6-28.el6

Output from beaker run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_simple_006: simple_allow_groups=DOMAIN\group
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_simple_006: simple_allow_groups=DOMAIN\group

Comment 13 errata-xmlrpc 2014-10-14 04:49:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html