Bug 1378911

Summary: No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain
Product: Red Hat Enterprise Linux 7
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: ZStream
Fixed In Version: sssd-1.14.0-46.el7
Last Closed: 2017-08-01 09:00:03 UTC
Type: Bug
Reporter: Dan Lavu <dlavu>
Assignee: SSSD Maintainers <sssd-maint>
QA Contact: Dan Lavu <dlavu>
Docs Contact:
CC: dlavu, enewland, grajaiya, jhrozek, lslebodn, mkolaja, mkosek, mzidek, pbrezina, sssd-qe, tlavigne, tscherf
Whiteboard:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1393730
Environment:
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1393730

Description Dan Lavu 2016-09-23 13:48:17 UTC
Description of problem:

No supplementary groups are resolved for nested users when the [domain] stanza in sssd.conf differs from the AD domain, i.e. [default].

Quote from an email thread with Jakub. 

"It's a bit bizarre, because the bug only happens when the [domain] stanza in sssd.conf is named differently than the AD domain... Then, we look up a user in Global Catalog, which returns two entries because the domains (and thus the search bases) are nested under one another. So we proceed to mapping the DN to SSSD domain, but fail, because the name of the SSSD domain is totally different from the DN.. I /thought/ we also tried to match against DN derived from the search base as a fallback, but apparently not."

Test Suite: ad parameters
Test Case: account_password_policy_003:User account disabled

NOTE: The test is failing because of this bug, but this test case is NOT actually testing this bug. 

Version-Release number of selected component (if applicable):

How reproducible:

Always

Steps to Reproduce:
1. Run ad_parameters suite

Actual results:

:: [   PASS   ] :: Expected: login failure for testuser01-1511559 with password (Expected 255, got 255)
:: [   FAIL   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [  BEGIN   ] :: Expected: login failure for testuser01-1511559 with ssh key :: actually running 'ssh_user_key_login testuser01-1511559'
spawn ssh -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-1511559 localhost
Connection closed by ::1

Expected results:

:: [   PASS   ] :: Expected: login failure for testuser01-1511559 with password (Expected 255, got 255)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [  BEGIN   ] :: Expected: login failure for testuser01-1511559 with ssh key :: actually running 'ssh_user_key_login testuser01-1511559'
spawn ssh -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-1511559 localhost
Connection closed by ::1

Additional info:

According to Jakub, this is a side effect of fixing the following https://bugzilla.redhat.com/show_bug.cgi?id=1293168
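The mapping failure the quoted email describes, as an added illustration (this is not SSSD's code; the `SssdDomain` type, `map_dn_to_domain`, and every stanza name, search base and DN below are constructed for the example). It derives a DN from each stanza name, which cannot match anything when the stanza is called `[default]`, and then adds the search-base fallback the email wishes for; because nested domains share a DN suffix, the deepest matching base is chosen so a child-domain entry is not attributed to the parent.

```python
# Added illustration of DN-to-SSSD-domain mapping with a search-base fallback.
# Not SSSD's code: SssdDomain, map_dn_to_domain and all sample data are constructed.
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class SssdDomain:
    stanza: str       # name of the [domain/<stanza>] section in sssd.conf
    search_base: str  # base DN that SSSD searches for this domain


def domain_name_to_dn(name: str) -> str:
    """'child.ad.example.com' -> 'dc=child,dc=ad,dc=example,dc=com'."""
    return ",".join(f"dc={label}" for label in name.lower().strip(".").split("."))


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs. The constructed DNs here contain no
    escaped commas, so a plain split is enough for the demonstration."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_has_suffix(dn: str, suffix_dn: str) -> bool:
    """True when `dn` lies at or below `suffix_dn` in the directory tree."""
    comps, suffix = dn_components(dn), dn_components(suffix_dn)
    return len(comps) >= len(suffix) and comps[-len(suffix):] == suffix


def map_dn_to_domain(entry_dn: str, domains: List[SssdDomain],
                     search_base_fallback: bool = True) -> Optional[SssdDomain]:
    """Pick the SSSD domain an entry belongs to, or None if nothing matches.

    Pass 1 compares the entry DN against a DN derived from each stanza name,
    which is what fails when the stanza is named [default]. With the fallback
    enabled, each domain's configured search base is also tried. The deepest
    matching base wins, so nested domains resolve to the most specific one.
    """
    candidates = [(d, domain_name_to_dn(d.stanza)) for d in domains]
    if search_base_fallback:
        candidates += [(d, d.search_base) for d in domains]
    best, best_depth = None, -1
    for dom, base in candidates:
        depth = len(dn_components(base))
        if dn_has_suffix(entry_dn, base) and depth > best_depth:
            best, best_depth = dom, depth
    return best


def resolve_gc_entries(entry_dns: Iterable[str], domains: List[SssdDomain],
                       search_base_fallback: bool = True) -> Dict[str, Optional[str]]:
    """Map each Global Catalog result DN to a stanza name (None when unmapped)."""
    result: Dict[str, Optional[str]] = {}
    for dn in entry_dns:
        match = map_dn_to_domain(dn, domains, search_base_fallback)
        result[dn] = match.stanza if match else None
    return result


# Constructed sample configuration: a parent AD domain whose stanza is named
# [default] (the trigger in this report) and its child domain, whose SSSD
# name matches the AD domain name as it would for an auto-discovered subdomain.
DOMAINS_DEFAULT = [
    SssdDomain("default", "dc=ad,dc=example,dc=com"),
    SssdDomain("child.ad.example.com", "dc=child,dc=ad,dc=example,dc=com"),
]
# The same forest with the parent stanza named after the AD domain.
DOMAINS_NAMED = [
    SssdDomain("ad.example.com", "dc=ad,dc=example,dc=com"),
    SssdDomain("child.ad.example.com", "dc=child,dc=ad,dc=example,dc=com"),
]
# Constructed Global Catalog results: two entries under nested search bases.
PARENT_DN = "cn=testuser01,ou=nested,ou=people,dc=ad,dc=example,dc=com"
CHILD_DN = "cn=testuser01,ou=nested,ou=people,dc=child,dc=ad,dc=example,dc=com"

if __name__ == "__main__":
    for label, fallback in (("stanza name only", False), ("with search-base fallback", True)):
        print(f"{label}: {resolve_gc_entries([PARENT_DN, CHILD_DN], DOMAINS_DEFAULT, fallback)}")
```

Run as a script it prints the parent entry as unmapped under the `[default]` stanza until the fallback is enabled, while the child entry resolves either way because its SSSD name equals its AD domain name.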

Comment 1 Jakub Hrozek 2016-09-23 13:53:15 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3199

Comment 2 Dan Lavu 2016-09-23 13:58:29 UTC
Sorry, I was looking at the wrong test suite when filling this BZ out. The test suite is NOT ad_parameters but ad_idmap.

Test suite: ad_idmap
Test case: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs

Actual results:

:: [  BEGIN   ] :: Running 'id Administrator'
uid=498200500(administrator) gid=498200513(domain users) groups=498200513(domain users)
:: [   PASS   ] :: Command 'id Administrator' (Expected 0, got 0)
:: [   FAIL   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one' 
:: [   FAIL   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one' 
:: [   FAIL   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID' 
'6516d9b4-4521-437d-8f69-dbc6f62cfb01'


Expected results:

:: [  BEGIN   ] :: Running 'id Administrator'
uid=498200500(administrator) gid=498200513(domain users) groups=498200513(domain users)
:: [   PASS   ] :: Command 'id Administrator' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID' 
'6516d9b4-4521-437d-8f69-dbc6f62cfb01'

Comment 6 Jakub Hrozek 2016-11-03 10:24:19 UTC
master:
 * e5a984093ad7921c83da75272cede2b0e52ba2d6
 * 24d8c85fae253f988165c112af208198cf48eef6
sssd-1-14:
 * 956fdd727f8d7a28f1456146b3b7dfee49f38626
 * 3f3dc8c737a8e8cfc4a29d7dbaf526ec3973c7a0

Comment 9 Tom Lavigne 2016-11-07 16:26:51 UTC
This bug needs approval for zstream, either PMApproved (from snagar) or GSSApproved from your subsystem CEE contact.

Comment 18 Dan Lavu 2017-06-01 11:40:07 UTC
Verified against sssd-1.15.2-33.el7.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'id Administrator' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID' 
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs

Comment 19 errata-xmlrpc 2017-08-01 09:00:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294