Bug 878583

Summary: IPA Trust does not show secondary groups for AD Users for commands like id and getent
Product: Red Hat Enterprise Linux 6
Reporter: Scott Poore <spoore>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: medium
Version: 6.4
CC: grajaiya, jgalipea, nsoman, okos, pbrezina, sgoveas
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.9.2-66.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Story Points: ---
Last Closed: 2013-02-21 09:41:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 895654

Description Scott Poore 2012-11-20 17:25:58 UTC
Description of problem:
In an IPA Trust environment, AD user secondary group membership is not shown by commands like id and getent.  Only the primary (mapped) private user group is shown.

Example:

On the AD side, "testuser" is a member of the "Domain Users" and "testgroup" groups. However, this is not reflected when `id` is run as "testuser":

---
[root@ipaserver1 ~]# su - testuser.com
-sh-4.1$ id
uid=238801108(testuser.com) gid=238801108(testuser.com) groups=238801108(testuser.com),1600200004(ad_users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
---

The groups exist:

---
[root@ipaserver1 ~]# getent group AD\\testgroup
testgroup.com:*:238801109:
[root@ipaserver1 ~]# getent group AD\\'Domain Users'
domain users.com:*:238800513:
---

Version-Release number of selected component (if applicable):
sssd-1.9.2-14.el6.x86_64

How reproducible:
always


Steps to Reproduce:
1.  Setup IPA Server
2.  Setup AD Server, add 2 groups, add user, add user to 2 new groups
3.  ipa-adtrust-install
4.  ipa trust-add <addomain> --admin Administrator --password
5.  id <aduser@addomain>

Actual results:
Does not show secondary AD Groups.

Expected results:
Shows all AD Groups?


Additional info:
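A small shell check, added here and not part of the bug report, that parses id(1) and getent(1) group output for a trusted-domain user and verifies that the expected secondary groups (and group members) are present. The sample lines are constructed after the shape of the output shown above; run the functions on live `id`/`getent` output to verify a fixed host.

```shell
#!/bin/sh
# Added example: verify that an AD user resolved through an IPA trust
# carries its secondary groups. Not code from the bug report or from sssd.

# Print one group name per line from a single id(1) output line.
# Handles names containing spaces (e.g. "domain users") and the
# optional trailing SELinux "context=" field.
id_group_names() {
    printf '%s\n' "$1" \
        | sed -n '/groups=/{s/.*groups=//;s/ context=.*//;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[0-9][0-9]*(\(.*\))$/\1/p'
}

# check_expected_groups "<id line>" group1 [group2 ...]
# Returns 0 when every named group appears in the id line, otherwise
# reports each missing group and returns 1 (the symptom of this bug).
check_expected_groups() {
    line=$1; shift
    names=$(id_group_names "$line")
    missing=0
    for want in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$want"; then
            echo "missing secondary group: $want"
            missing=1
        fi
    done
    return $missing
}

# getent_group_has_member "<getent group line>" user
# Returns 0 when the user is listed in the member field (field 4).
getent_group_has_member() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qxF -- "$2"
}

# Constructed sample lines modelled on the report (before and after the fix).
BROKEN='uid=1979001185(adtestuser2) gid=1979001185(adtestuser2) groups=1979001185(adtestuser2)'
FIXED='uid=1979001185(adtestuser2) gid=1979001185(adtestuser2) groups=1979001185(adtestuser2),520800004(ad_users),1979000513(domain users),1979001151(adgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
GETENT_BROKEN='adgroup2:*:1979001151:'
GETENT_FIXED='adgroup2:*:1979001151:adtestuser2,adtestuser1'

if check_expected_groups "$FIXED" ad_users "domain users" adgroup2; then
    echo "fixed host: all expected secondary groups present"
fi
if ! check_expected_groups "$BROKEN" adgroup2; then
    echo "broken host: secondary groups missing (bug reproduced)"
fi
```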

Comment 2 Pavel Březina 2012-11-23 09:46:52 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1666

Comment 4 Steeve Goveas 2013-01-30 13:37:25 UTC
[root@ibm-x3500m4-01 ~]# ipa trust-add --type=ad adlab.qe --admin Administrator --password
Active directory domain administrator's password:
-------------------------------------------------
Added Active Directory trust for realm "adlab.qe"
-------------------------------------------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
 
[root@ibm-x3500m4-01 ~]# ipa group-add --desc='adlab.qe users external map' ad_users_external --external
-------------------------------
Added group "ad_users_external"
-------------------------------
  Group name: ad_users_external
  Description: adlab.qe users external map
[root@ibm-x3500m4-01 ~]# ipa group-add --desc="adlabe.qe users" ad_users
----------------------
Added group "ad_users"
----------------------
  Group name: ad_users
  Description: adlabe.qe users
  GID: 520800004
[root@ibm-x3500m4-01 ~]# ipa group-add-member ad_users_external --external 'ADLAB\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: adlab.qe users external map
  External member: S-1-5-21-3655990580-1375374850-1633065477-513
-------------------------
Number of members added 1
-------------------------
[root@ibm-x3500m4-01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: adlabe.qe users
  GID: 520800004
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------
 
[root@ibm-x3500m4-01 ~]# id adtestuser1
uid=1979001178(adtestuser1) gid=1979001178(adtestuser1) groups=1979001178(adtestuser1)
 
[root@ibm-x3500m4-01 ~]# id adtestuser2
uid=1979001185(adtestuser2) gid=1979001185(adtestuser2) groups=1979001185(adtestuser2)
 
[root@ibm-x3500m4-01 ~]# su - adtestuser1
su: warning: cannot change directory to /home/adlab.qe/adtestuser1: No such file or directory
-sh-4.1$ id
uid=1979001178(adtestuser1) gid=1979001178(adtestuser1) groups=1979001178(adtestuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
 
[root@ibm-x3500m4-01 ~]# su - adtestuser2
su: warning: cannot change directory to /home/adlab.qe/adtestuser2: No such file or directory
-sh-4.1$ id
uid=1979001185(adtestuser2) gid=1979001185(adtestuser2) groups=1979001185(adtestuser2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
 
[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup1
adgroup1:*:1979001150:
 
[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup2
adgroup2:*:1979001151:

[root@ibm-x3500m4-01 ~]# kinit adtestuser2
Password for adtestuser2:

[root@ibm-x3500m4-01 ~]# ssh -K -l "adtestuser2" `hostname`
Could not chdir to home directory /home/adlab.qe/adtestuser2: No such file or directory
-sh-4.1$ id
uid=1979001185(adtestuser2) gid=1979001185(adtestuser2) groups=1979001185(adtestuser2),520800004(ad_users),1979000513(domain users),1979001151(adgroup2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout

[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup1
adgroup1:*:1979001150:adtestuser1

[root@ibm-x3500m4-01 ~]# getent group ADLAB\\adgroup2
adgroup2:*:1979001151:adtestuser2,adtestuser1

[root@ibm-x3500m4-01 ~]# rpm -qa | grep sssd
sssd-client-1.9.2-82.el6.x86_64
sssd-1.9.2-82.el6.x86_64

[root@ibm-x3500m4-01 ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-24.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
ipa-server-trust-ad-3.0.0-24.el6.x86_64

Comment 5 errata-xmlrpc 2013-02-21 09:41:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html