Bug 1773409

Summary: sssd is failing to discover other subdomains in the forest if LDAP entries do not contain AD forest root information
Product: Red Hat Enterprise Linux 7 Reporter: Glen Babiano <gbabiano>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: sssd-qe <sssd-qe>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.7CC: apeddire, atikhono, dlavu, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas, thalman, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: sync-to-jira
Fixed In Version: sssd-1.16.5-10.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:49:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1788833    

Description Glen Babiano 2019-11-18 05:04:17 UTC 
Description of problem:
This is a AD direct integration setup as follows:

1. RHEL hosts are joined to inf.nz.example.com
2. AD users are located in corp.nz.example.com
3. Transitive trust established under nz.example.com
4. Forest root is au.domain.com

Version-Release number of selected component (if applicable):
RHEL 7.7

How reproducible:
Specific to customer environment.

Actual results:
RHEL hosts in inf.nz.example.com are not able to resolve AD users from corp.nz.example.com

Expected results:
RHEL hosts in inf.nz.example.com should be able to resolve AD users from corp.nz.example.com since there is a transitive trust established between these domains.

Additional info:
Comment 6 Sumit Bose 2020-05-12 15:25:19 UTC 
Upstream ticket:
https://github.com/SSSD/sssd/issues/5151
Comment 8 Pavel Březina 2020-06-05 09:21:56 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5152

* `master`
    * e25e1e9228a6108d8e94f2e99f3004e6cbfc3349 - ad: check forest root directly if not present on local DC
    * 3ae3286d61ed796f0be7a1d72157af3687bc04a5 - ad: add ad_check_domain_{send|recv}
    * 8c642a542245a9f9fde5c2de9c96082b4c0d0963 - ad: remove unused trust_type from ad_subdom_store()
    * 2bad4d4b299440d33919a9fdb8c4d75814583e12 - ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx
    * 9aa26f6514220bae3b3314f830e3e3f95fab2cf9 - sysdb: make new_subdomain() public
    * d3089173dd8be85a83cf0236e116ba8e11326a6d - ad: rename ad_master_domain_* to ad_domain_info_*
    * 8ca799ea968e548337acb0300642a0d88f1bba9b - sysdb: make sysdb_update_subdomains() more robust
Comment 9 Pavel Březina 2020-06-05 13:22:50 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5194

* `sssd-1-16`
    * de90274339a8ea1efdfbb96a66da74547cd2ae7e - ad: check forest root directly if not present on local DC
    * 08df7f420f1a55ba737f4d4e2df9ec519570f2c8 - ad: add ad_check_domain_{send|recv}
    * e8b946fb15072705d04cea410d58785e0f399413 - ad: remove unused trust_type from ad_subdom_store()
    * 9fb34f034adcd6ed27b53aae0e27c1a08d0d2deb - ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx
    * 796f3888e40d55ed888317c0be01026756866e16 - sysdb: make new_subdomain() public
    * 5cba358d0fb8f34e11d06cdbebed5b0cf4d56267 - ad: rename ad_master_domain_* to ad_domain_info_*
    * 6f308f7833669b91000e42907380aa4cbe3fc145 - sysdb: make sysdb_update_subdomains() more robust
Comment 14 Dan Lavu 2020-06-17 05:12:15 UTC 
Verified against sssd-1.16.5-10.el7.x86_64

[root@ci-vm-10-0-106-216 ~]# realm list
grand.child.root.com
  type: kerberos
  realm-name: GRAND.CHILD.ROOT.COM
  domain-name: grand.child.root.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U.root.com
  login-policy: allow-realm-logins


[root@ci-vm-10-0-106-216 ~]# id user1
uid=440601118(user1) gid=440601118(user1) groups=440601118(user1),440601115(group1),440600513(domain users),440601116(group2),440601117(group3)


[root@ci-vm-10-0-106-216 ~]# id child_user1.com
uid=1503801113(child_user1.com) gid=1503801113(child_user1.com) groups=1503801113(child_user1.com),1503800513(domain users.com),1503801111(child_group2.com),1503801112(child_group3.com),1503801110(child_group1.com)

[root@ci-vm-10-0-106-216 ~]# id grand_user1.root.com
uid=710401104(grand_user1.root.com) gid=710400513(domain users.root.com) groups=710400513(domain users.root.com)
Comment 17 errata-xmlrpc 2020-09-29 19:49:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904