Bug 867874

Summary: sssd does not resolve group names from AD
Product: [Fedora] Fedora
Component: sssd
Version: 18
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Maxim Burgerhout <maxim>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jhrozek, myllynen, sbose, sgallagh, ssorce, stefw, stijn
Fixed In Version: sssd-1.9.2-3.fc18
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-12-06 23:20:39 EST
Bug Blocks: 871576
Attachments: sssd logs that were requested. (flags: none)

Description Maxim Burgerhout 2012-10-18 09:30:55 EDT
Description of problem:
When a system is an AD member, configured for the Active Directory Test Day for Fedora 18[1], I can log into the system with an AD account, so the username is resolved. The name of the primary group of the user, however ('Domain Users') is not resolved.

Version-Release number of selected component (if applicable):
1.9.2-1.fc18

How reproducible:


Steps to Reproduce:
1. Join a system to an AD domain, like for the FTD, see [1]
2. Log in as a user from AD
3. Try and resolve groups
  
Actual results:
Output of id is like this:
$ id
uid=592801111(NONTOONYT\testuser03) gid=592800513 groups=592800513 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
Output of id to be like this:
$ id
uid=1001(localuser) gid=1002(localuser) groups=1002(localuser),1001(localgroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Additional info:

[1] https://fedoraproject.org/wiki/QA:Testcase_Active_Directory_realmd_join_sssd

Comment 1 Maxim Burgerhout 2012-10-18 09:43:34 EDT
Not just about primary group:

[root@f18-client db]# sss_cache -U -G
[root@f18-client db]# id NONTOONYT\\testuser02
uid=592801110(NONTOONYT\testuser02) gid=592800513 groups=592800513,592801132,592801133

Comment 2 Stef Walter 2012-10-18 10:16:27 EDT
My primary group name is resolved, but others not:

uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users) groups=535600513(RADI08\domain users),535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 3 Stijn Hoop 2012-10-18 10:20:47 EDT
I see the same as Maxim, no group is resolved.

[root@pclin282 ~]# sss_cache -U -G
[root@pclin282 ~]# id TUE\\shoop
uid=1579415011(TUE\shoop) gid=1579400513 groups=1579400513,1579473836,1579538705,1579448448,1579553386,1579428775,1579437677,1579429452,1579448447,1579583761,1579422111,1579423170,1579432939,1579400520,1579430980,1579422100,1579499949,1579567116,1579476603,1579431050,1579560682,1579402481

Comment 4 Stef Walter 2012-10-18 10:57:24 EDT
(In reply to comment #2)
> My primary group name is resolved, but others not:
> 
> uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users)
> groups=535600513(RADI08\domain users),535600512,535600572
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On a later login on the same machine (no reboots or anything) the primary group is no longer resolved:

id: cannot find name for group ID 535600513
[RADI08\swalter@live-user ~]$ id
uid=535601104(RADI08\swalter) gid=535600513 groups=535600513,535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 5 Jakub Hrozek 2012-10-18 11:15:42 EDT
Please include debug_level=10 into the [nss] and [domain/$name] sections of the SSSD, restart the SSSD and then attach the contents of /var/log/sssd/

Thank you!

Comment 6 Stef Walter 2012-10-19 01:47:50 EDT
Created attachment 629776
sssd logs that were requested.

I logged in as RADI08\swalter. In this case the primary group resolved, but not secondary groups. 

I then restarted sssd.

Next I logged in as RADI08\fry. No groups resolved.

uid=535601115(RADI08\fry) gid=535600513 groups=535600513,535601127,535601128 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Next I logged in again as RADI08\swalter. No groups resolved for swalter this time.

uid=535601104(RADI08\swalter) gid=535600513 groups=535600513,535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 7 Dmitri Pal 2012-10-19 08:59:19 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1590

Comment 8 Fedora Update System 2012-10-30 14:57:18 EDT
sssd-1.9.2-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/sssd-1.9.2-3.fc18

Comment 9 Fedora Update System 2012-10-31 14:11:56 EDT
Package sssd-1.9.2-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.9.2-3.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17359/sssd-1.9.2-3.fc18
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-12-06 23:20:43 EST
sssd-1.9.2-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
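
A check for the symptom reported in this bug, added here as an example and not part of the original report or of sssd: it parses one line of `id` output and lists every GID printed without a name. The function names `unresolved_gids` and `check_user` are hypothetical, and the parser assumes group names contain no commas.

```shell
#!/bin/sh
# Added example (not from the bug report): find group IDs that `id`
# printed without a "(name)", the symptom described in this bug.

# unresolved_gids LINE
# Print, one per line, every GID in one line of `id` output that has no name.
# Assumption: group names contain no commas (they may contain spaces).
unresolved_gids() {
    line=${1%% context=*}            # drop the SELinux context suffix, if any
    primary=${line#* gid=}           # text after " gid=" ...
    primary=${primary%% groups=*}    # ... up to " groups="
    supp=${line#* groups=}           # comma-separated supplementary list
    # A resolved entry looks like "513(DOM\name)"; an unresolved one is digits only.
    printf '%s,%s\n' "$primary" "$supp" | tr ',' '\n' |
        grep -E '^[0-9]+$' | sort -un
}

# check_user NAME
# Run id for NAME, then retry each nameless GID through NSS with getent.
# Returns 1 if any GID still has no name.
check_user() {
    rc=0
    for gid in $(unresolved_gids "$(id "$1")"); do
        if ! getent group "$gid" >/dev/null; then
            echo "unresolved: gid $gid (user $1)" >&2
            rc=1
        fi
    done
    return $rc
}

# Sample line taken from comment 2 of this report:
# the primary group is resolved, the two supplementary groups are not.
sample='uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users) groups=535600513(RADI08\domain users),535600512,535600572'
unresolved_gids "$sample"
```

Calling `check_user 'DOMAIN\user'` after `sss_cache -U -G` avoids judging the result from stale cache entries.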