Bug 871576

Summary: sssd does not resolve group names from AD
Product: Red Hat Enterprise Linux 6
Component: sssd
Version: 6.4
Status: CLOSED ERRATA
Severity: unspecified
Priority: high
Reporter: Jakub Hrozek <jhrozek>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Kaushik Banerjee <kbanerje>
CC: chhudson, dpal, grajaiya, jgalipea, jhrozek, kbanerje, maxim, myllynen, pbrezina, sbose, sgallagh, spoore, ssorce, stefw, stijn
Target Milestone: rc
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.9.2-6.el6
Doc Type: Bug Fix
Doc Text: No Documentation Needed
Clone Of: 867874
Last Closed: 2013-02-21 09:39:17 UTC
Type: Bug
Bug Depends On: 867874

Description Jakub Hrozek 2012-10-30 18:42:21 UTC
+++ This bug was initially created as a clone of Bug #867874 +++

Description of problem:
When a system is an AD member, configured for the Active Directory Test Day for Fedora 18[1], I can log into the system with an AD account, so the username is resolved. The name of the primary group of the user ('Domain Users'), however, is not resolved.

Version-Release number of selected component (if applicable):
1.9.2-1.fc18

How reproducible:


Steps to Reproduce:
1. Join a system to an AD domain, like for the FTD, see [1]
2. Log in as a user from AD
3. Try and resolve groups
  
Actual results:
Output of id is like this:
$ id
uid=592801111(NONTOONYT\testuser03) gid=592800513 groups=592800513 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
Output of id to be like this:
$ id
uid=1001(localuser) gid=1002(localuser) groups=1002(localuser),1001(localgroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Additional info:

[1] https://fedoraproject.org/wiki/QA:Testcase_Active_Directory_realmd_join_sssd

--- Additional comment from maxim on 2012-10-18 09:43:34 EDT ---

Not just about primary group:

[root@f18-client db]# sss_cache -U -G
[root@f18-client db]# id NONTOONYT\\testuser02
uid=592801110(NONTOONYT\testuser02) gid=592800513 groups=592800513,592801132,592801133

--- Additional comment from stefw on 2012-10-18 10:16:27 EDT ---

My primary group name is resolved, but others not:

uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users) groups=535600513(RADI08\domain users),535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

--- Additional comment from stijn on 2012-10-18 10:20:47 EDT ---

I see the same as Maxim, no group is resolved.

[root@pclin282 ~]# sss_cache -U -G
[root@pclin282 ~]# id TUE\\shoop
uid=1579415011(TUE\shoop) gid=1579400513 groups=1579400513,1579473836,1579538705,1579448448,1579553386,1579428775,1579437677,1579429452,1579448447,1579583761,1579422111,1579423170,1579432939,1579400520,1579430980,1579422100,1579499949,1579567116,1579476603,1579431050,1579560682,1579402481

--- Additional comment from stefw on 2012-10-18 10:57:24 EDT ---

(In reply to comment #2)
> My primary group name is resolved, but others not:
> 
> uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users)
> groups=535600513(RADI08\domain users),535600512,535600572
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On a later login on the same machine (no reboots or anything) the primary group is no longer resolved:

id: cannot find name for group ID 535600513
[RADI08\swalter@live-user ~]$ id
uid=535601104(RADI08\swalter) gid=535600513 groups=535600513,535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

--- Additional comment from jhrozek on 2012-10-18 11:15:42 EDT ---

Please include debug_level=10 into the [nss] and [domain/$name] sections of the SSSD, restart the SSSD and then attach the contents of /var/log/sssd/

Thank you!

--- Additional comment from stefw on 2012-10-19 01:47:50 EDT ---

Created attachment 629776
sssd logs that were requested.

I logged in as RADI08\swalter. In this case the primary group resolved, but not secondary groups. 

I then restarted sssd.

Next I logged in as RADI08\fry. No groups resolved.

uid=535601115(RADI08\fry) gid=535600513 groups=535600513,535601127,535601128 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Next I logged in again as RADI08\swalter. No groups resolved for swalter this time.

uid=535601104(RADI08\swalter) gid=535600513 groups=535600513,535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

--- Additional comment from dpal on 2012-10-19 08:59:19 EDT ---

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1590
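
A check for the symptom reported in the comments above, as an added example that is not part of the original bug report or of sssd: it parses one line of `id` output and lists every GID printed without a `(name)`. The function names `unresolved_gids` and `groups_resolved` are hypothetical; the sample line is the one posted in the thread. Group names such as `RADI08\domain users` contain spaces, so the list is split on commas outside parentheses rather than on whitespace.

```shell
#!/bin/sh
# Added example (not from the bug report): flag GIDs that `id` printed
# without a "(name)" suffix, which is the symptom described in this bug.

# Sample line copied from the thread; any other input is an assumption.
SAMPLE='uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users) groups=535600513(RADI08\domain users),535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# unresolved_gids: read `id` output on stdin, print one unresolved GID per line.
unresolved_gids() {
    awk '
    {
        start = index($0, " groups=")
        if (start == 0) next                 # not an id line
        s = substr($0, start + 8)            # text after " groups="
        sub(/ context=.*$/, "", s)           # drop the SELinux context, if any
        depth = 0; entry = ""; n = length(s)
        for (i = 1; i <= n + 1; i++) {
            c = (i <= n) ? substr(s, i, 1) : ","   # sentinel comma flushes the last entry
            if (c == "(") depth++
            else if (c == ")") depth--
            if (c == "," && depth == 0) {
                # A bare number means NSS returned no name for this GID.
                if (entry ~ /^[0-9]+$/) print entry
                entry = ""
            } else {
                entry = entry c
            }
        }
    }'
}

# groups_resolved: succeed only if every group on stdin has a name.
groups_resolved() {
    [ -z "$(unresolved_gids)" ]
}

# Demonstration on the sample line from the thread.
printf '%s\n' "$SAMPLE" | unresolved_gids
```

On a live system the input would come from `id 'DOMAIN\user' | unresolved_gids`, run after `sss_cache -U -G` so that stale cache entries do not mask the result.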

Comment 1 Jakub Hrozek 2012-10-30 18:43:57 UTC
Upstream has a patch. This would break the AD provider if not fixed in RHEL-6.4.0

Comment 3 Jakub Hrozek 2012-11-02 14:16:12 UTC
*** Bug 869336 has been marked as a duplicate of this bug. ***

Comment 5 Kaushik Banerjee 2012-11-06 13:49:49 UTC
*** Bug 873143 has been marked as a duplicate of this bug. ***

Comment 6 Scott Poore 2012-11-07 18:15:41 UTC
Verified.

Version ::

sssd-1.9.2-7.el6.x86_64

Manual Test Results:

[root@rhel6-1 yum.local.d]# ssh -l adtestuser1 rhel6-1
adtestuser1@rhel6-1's password: 
Last login: Wed Nov  7 13:10:55 2012 from rhel6-1.testrelm.com

-sh-4.1$ id
uid=1232801136(adtestuser1) gid=1232801136(adtestuser1) groups=1232801136(adtestuser1),1606000004(adtestdom_adtestgroup1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 11 errata-xmlrpc 2013-02-21 09:39:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html