Bug 1263262

Summary: Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
Product: Red Hat Enterprise Linux 6
Reporter: Sumit Bose <sbose>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: urgent
Priority: urgent
Version: 6.7
CC: ekeck, grajaiya, hjensas, jgalipea, jhrozek, kbanerje, ksiddiqu, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl, rcritten, sbose, sumenon
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ipa-3.0.0-48.el6
Doc Type: Bug Fix
Story Points: ---
Clone Of: 1219285
Clones: 1280207
Last Closed: 2016-05-11 00:08:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1219285
Bug Blocks: 1219844, 1272422, 1280207

Comment 1 Sumit Bose 2015-09-15 13:10:46 UTC
Newer SSSD versions use a request of the IPA extdom plugin which has known issues in IPA-3.0 which are already fixed upstream (https://fedorahosted.org/freeipa/ticket/3596)

The three patches from the upstream ticket are needed to allow SSSD 1.12 and above to properly resolve groups from the trusted AD domain with a RHEL-6 IPA server.

Comment 3 Martin Kosek 2015-09-17 13:23:54 UTC
Moving to POST, upstream has the fix already.

Comment 8 Sudhir Menon 2016-02-23 15:54:19 UTC
Verified using RHEL6.8 IPA server and client

ipa-client-3.0.0-50.el6.x86_64
ipa-server-3.0.0-50.el6.x86_64

[root@r68server ~]# ipa group-add-member ad_nix-users_external --external "nix-users"
[member user]:
[member group]:
  Group name: ad_nix-users_external
  Description: AD nix users external map
  External member: S-1-5-21-2828791737-1866347024-3967946728-1616
-------------------------
Number of members added 1
-------------------------
 
[root@r68server ~]# ipa group-add-member nix-users --groups ad_nix-users_external
  Group name: nix-users
  Description: AD nix-users
  GID: 953200004
  Member groups: ad_nix-users_external
-------------------------
Number of members added 1
-------------------------
 
[root@r68server ~]# ipa group-show ad_nix-users_external
  Group name: ad_nix-users_external
  Description: AD nix users external map
  Member of groups: nix-users
  External member: S-1-5-21-2828791737-1866347024-3967946728-1616
 
[root@r68server ~]# ipa group-show nix-users
  Group name: nix-users
  Description: AD nix-users
  GID: 953200004
  Member groups: ad_nix-users_external
 
[root@r68server ~]# ssh -l hjensas r683.dom226.in
hjensas@r683.dom226.in's password:
Could not chdir to home directory /home/pne.qe/hjensas: No such file or directory
-sh-4.1$ id
uid=11614(hjensas) gid=11614(hjensas) groups=11614(hjensas),10513(domain users),11616(nix-users),953200004(nix-users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 10 errata-xmlrpc 2016-05-11 00:08:12 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0874.html