Bug 878583
| Summary: | IPA Trust does not show secondary groups for AD Users for commands like id and getent | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Scott Poore <spoore> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.4 | CC: | grajaiya, jgalipea, nsoman, okos, pbrezina, sgoveas |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.9.2-66.el6 | Doc Type: | Bug Fix |
| Doc Text: | No documentation needed. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 09:41:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 895654 | | |
Description
Scott Poore
2012-11-20 17:25:58 UTC
Upstream ticket: https://fedorahosted.org/sssd/ticket/1666

```
[root@ibm-x3500m4-01 ~]# ipa trust-add --type=ad adlab.qe --admin Administrator --password
Active directory domain administrator's password:
-------------------------------------------------
Added Active Directory trust for realm "adlab.qe"
-------------------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@ibm-x3500m4-01 ~]# ipa group-add --desc='adlab.qe users external map' ad_users_external --external
-------------------------------
Added group "ad_users_external"
-------------------------------
  Group name: ad_users_external
  Description: adlab.qe users external map

[root@ibm-x3500m4-01 ~]# ipa group-add --desc="adlabe.qe users" ad_users
----------------------
Added group "ad_users"
----------------------
  Group name: ad_users
  Description: adlabe.qe users
  GID: 520800004

[root@ibm-x3500m4-01 ~]# ipa group-add-member ad_users_external --external 'ADLAB\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: adlab.qe users external map
  External member: S-1-5-21-3655990580-1375374850-1633065477-513
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: adlabe.qe users
  GID: 520800004
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------

[root@ibm-x3500m4-01 ~]# id adtestuser1
uid=1979001178(adtestuser1) gid=1979001178(adtestuser1) groups=1979001178(adtestuser1)

[root@ibm-x3500m4-01 ~]# id adtestuser2
uid=1979001185(adtestuser2) gid=1979001185(adtestuser2) groups=1979001185(adtestuser2)

[root@ibm-x3500m4-01 ~]# su - adtestuser1
su: warning: cannot change directory to /home/adlab.qe/adtestuser1: No such file or directory
-sh-4.1$ id
uid=1979001178(adtestuser1) gid=1979001178(adtestuser1) groups=1979001178(adtestuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout

[root@ibm-x3500m4-01 ~]# su - adtestuser2
su: warning: cannot change directory to /home/adlab.qe/adtestuser2: No such file or directory
-sh-4.1$ id
uid=1979001185(adtestuser2) gid=1979001185(adtestuser2) groups=1979001185(adtestuser2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout

[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup1
adgroup1:*:1979001150:

[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup2
adgroup2:*:1979001151:

[root@ibm-x3500m4-01 ~]# kinit adtestuser2
Password for adtestuser2:

[root@ibm-x3500m4-01 ~]# ssh -K -l "adtestuser2" `hostname`
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
This System is reserved by sgoveas.
To return this system early. You can run the command: return2beaker.sh
Ensure you have your logs off the system before returning to Beaker
To extend your reservation time. You can run the command: extendtesttime.sh
This is an interactive script. You will be prompted for how many hours you would like to extend the reservation.
You should verify the watchdog was updated succesfully after you extend your reservation.
https://beaker.engineering.redhat.com/recipes/768048
For ssh, kvm, serial and power control operations please look here:
https://beaker.engineering.redhat.com/view/ibm-x3500m4-01.rhts.eng.bos.redhat.com
Beaker Test information:
HOSTNAME=ibm-x3500m4-01.rhts.eng.bos.redhat.com
JOBID=365230
RECIPEID=768048
RESULT_SERVER=127.0.0.1:7093
DISTRO=RHEL6.4-20130109.1
ARCHITECTURE=x86_64
Job Whiteboard: RHEL 6.4 latest
Recipe Whiteboard:
** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** **
Could not chdir to home directory /home/adlab.qe/adtestuser2: No such file or directory
-sh-4.1$ id
uid=1979001185(adtestuser2) gid=1979001185(adtestuser2) groups=1979001185(adtestuser2),520800004(ad_users),1979000513(domain users),1979001151(adgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout

[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup1
adgroup1:*:1979001150:adtestuser1

[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup2
adgroup2:*:1979001151:adtestuser2,adtestuser1

[root@ibm-x3500m4-01 ~]# rpm -qa | grep sssd
sssd-client-1.9.2-82.el6.x86_64
sssd-1.9.2-82.el6.x86_64

[root@ibm-x3500m4-01 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-24.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
ipa-server-trust-ad-3.0.0-24.el6.x86_64
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html