Bug 1280207

Summary: Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
Product: Red Hat Enterprise Linux 6 Reporter: Jan Kurik <jkurik>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.7CC: ekeck, grajaiya, hjensas, ipa-maint, jcholast, jgalipea, jhrozek, kbanerje, ksiddiqu, lslebodn, mkosek, mnavrati, mzidek, ndehadra, nsoman, pbrezina, preichl, rcritten, sbose, sumenon
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-3.0.0-47.el6_7.1 Doc Type: Bug Fix
Doc Text:
Identity Management (IdM) clients that are views-enabled are unconditionally looking for a views-related attribute. If the attribute was not available, earlier versions of IdM returned a different error code than later versions, which was not handled as expected on the client side. Consequently, Active Directory (AD) user's group membership resolution failed, as the lookup request failed after not being able to dereference the view name. To fix this bug, if the LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) or LDAP_PROTOCOL_ERROR(2) error is returned, the error is ignored and the client assumes the server is not views-aware. As a result, AD user's group membership resolution no longer fails when a Red Hat Enterprise Linux 7 client is enrolled to a Red Hat Enterprise Linux 6 server.
 Story Points: ---
Clone Of: 1263262 Environment:
Last Closed: 2015-12-15 13:22:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1263262    
Bug Blocks:    
Attachments:
Description Flags
verification_steps_bz1280207
none
verification_bz1280207_72 none

Description Jan Kurik 2015-11-11 08:35:29 UTC 
This bug has been copied from bug #1263262 and has been proposed
to be backported to 6.7 z-stream (EUS).
Comment 6 Nikhil Dehadrai 2015-12-01 14:39:48 UTC 
IPA SERVER and CLIENT version:
-----------------------------------
ipa-server-3.0.0-47.el6_7.1.x86_64
ipa-client-3.0.0-47.el6_7.1.x86_64
AD Server details: Windows Server 2012 R2

Verified the bug with following steps:
------------------------------------------------
1. As per the verification steps mentioned inside bug #1263262, verified that the group memberships are correctly displayed, when user logs into the system setup with trust environment.
2. Refer the attached log for verification steps.

Thus marking the status of the bug to "VERIFIED".
Comment 7 Nikhil Dehadrai 2015-12-01 14:41:00 UTC 
Created attachment 1100933 [details]
verification_steps_bz1280207

verification_steps_bz1280207
Comment 8 Nikhil Dehadrai 2015-12-03 12:33:58 UTC 
IPA SERVER and CLIENT version:
-----------------------------------
ipa-server-4.2.0-15.el7_2.3.x86_64
ipa-client-3.0.0-47.el6_7.1.x86_64
AD Server details: Windows Server 2012 R2

Also verified the bug with following steps:
------------------------------------------------
1. Configure IPA server with Active Directory trust setup.
2. Once the trust is setup, executed the steps mentioned inside bug #1263262, verified that the group memberships are correctly displayed, when user logs into the system setup with trust environment.
3. Refer the attached log "verification_bz1280207_72" for verification steps.

Thus marking the status of the bug to "VERIFIED".
Comment 9 Nikhil Dehadrai 2015-12-03 12:35:02 UTC 
Created attachment 1101796 [details]
verification_bz1280207_72

verification_bz1280207_72
Comment 11 errata-xmlrpc 2015-12-15 13:22:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2634.html