Bug 1478252
Summary: | Querying the AD domain for external domain's ID can mark the AD domain offline [rhel-7.4.z] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
Status: | CLOSED ERRATA | QA Contact: | Sudhir Menon <sumenon> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 7.3 | CC: | ekeck, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, sgoveas, sssd-maint, tscherf |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | | |
Hardware: | All | | |
OS: | All | | |
Whiteboard: | | | |
Fixed In Version: | sssd-1.15.2-50.el7_4.2 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1474711 | Environment: | |
Last Closed: | 2017-09-05 11:24:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1474711 | | |
Bug Blocks: | | | |
Description
Oneata Mircea Teodor
2017-08-04 06:42:10 UTC
Marking the bug as verified as the AD domain is not marked offline when domain resolution order is changed.

Verified on RHEL7.4 using

```
sssd-1.15.2-50.el7_4.2.x86_64
ipa-server-4.5.0-21.el7_4.1.x86_64
389-ds-base-1.3.6.1-17.el7_4.x86_64
selinux-policy-3.13.1-166.el7.noarch
```

Steps:-

```
#ipa trust-add --range-type=ipa-ad-trust-posix --two-way=true

[root@cypher sssd]# ipa trust-find
---------------
1 trust matched
---------------
Realm name: pne.qe
Domain NetBIOS name: PNE
Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
Trust type: Active Directory domain
UPN suffixes: test.qa, pune.in
----------------------------
Number of entries returned 1
----------------------------

[root@cypher sssd]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: PNE.QE_id_range
First Posix ID of the range: 1261600000
Number of IDs in the range: 200000
Domain SID of the trusted domain: S-1-5-21-2202318585-426110948-4011710778
Range type: Active Directory trust range with POSIX attributes

Range name: TESTRELM.TEST_id_range
First Posix ID of the range: 315200000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@cypher sssd]# ipa config-mod --domain-resolution-order='pne.qe:testrelm.test'
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: testrelm.test
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=TESTRELM.TEST
Password Expiration Notification (days): 4
Password plugin features: AllowNThash, KDC:Disable Last Success
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
IPA masters: cypher.testrelm.test
IPA CA servers: cypher.testrelm.test
IPA NTP servers: cypher.testrelm.test
IPA CA renewal master: cypher.testrelm.test
IPA master capable of PKINIT: cypher.testrelm.test
Domain resolution order: pne.qe:testrelm.test <-------

[root@cypher ~]# id ipauser1
uid=315200004(ipauser1) gid=315200004(ipauser1) groups=315200004(ipauser1)
```

====sssd log===

```
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain pne.qe is Active
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain chd.pne.qe is Active
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [link_forest_roots] (0x2000): [testrelm.test] is a forest root
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain pne.qe is Active
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain chd.pne.qe is Active
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain pne.qe is Active
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2574