Bug 988520

Summary: sssd sees gid as 0 for AD trust posix users causing lookup failures
Product: Fedora
Component: sssd
Version: 19
Status: CLOSED ERRATA
Reporter: Scott Poore <spoore>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jhrozek, lslebodn, okos, pbrezina, sbose, sgallagh, ssorce
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: freeipa-3.3.0-2.fc19
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-08-18 21:37:48 UTC

Description Scott Poore 2013-07-25 18:40:48 UTC
Description of problem:

On an IPA client in an env with AD Trust, I cannot look up users with posix attrs set.  I tried with getent and just ssh'ing to the IPA client.  Neither case worked.

If I delete the trust from the IPA server and recreate it with "--range-type ipa-ad-trust" (no posix support), I am able to look up and ssh with Administrator, which does not have posix attrs set.

After some troubleshooting with dev, it was found that the sssd db has the GID set to 0 for the posix user:

[root@client alllog1]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb name=posixuser1
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb
createTimestamp: 1374775689
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1
objectClass: user
uidNumber: 10001
nameAlias: posixuser1
userPrincipalName: posixuser1
objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
lastUpdate: 1374775689
dataExpireTimestamp: 1374811689
distinguishedName: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb

Above I can see gidNumber=0.  This is incorrect.  uidNumber, though, is correct; that is what I set on the AD side.

Version-Release number of selected component (if applicable):
sssd-1.11.0-0.1.beta2.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
* This was from following the FreeIPA test day:
https://fedoraproject.org/wiki/Test_Day:2013-07-25_AD_trusts_with_POSIX_attributes_in_AD_and_support_for_old_clients#Test_Results

0.  Have an AD server set up with Identity Management for Unix enabled and a user with posix attrs set.
1.  Install IPA Master
2.  Install IPA Client

On Master:

3.  ipa-adtrust-install
4.  ipa dnszone-add adtest.qe --name-server=adserver.adtest.qe \
    --admin-email='hostmaster' --force --forwarder=<ADserver_IP> \
    --forward-policy=only --ip-address=<ADserver_IP>
5.  systemctl restart named.service

On AD Server:

6.  Setup DNS Conditional Forwarder to IPA server/domain
Server Manager -> Tools -> DNS -> Conditional Forwarder
- right click new conditional forwarder
- enter ipa.spoore.test
- enter <IPAserver_IP>
- select option to store in AD
7.  Add Posix User/group:
Server Manager -> Tools -> AD Users and Computers
- right click users -> new group
- right click on the new group -> properties -> Unix Attr tab
-- Select NIS Domain and set GID
- right click users -> new user
- right click on new user -> properties -> Unix Attr tab
-- select NIS Domain and set UID (diff from GID above)

On IPA Master:
8.  echo Secret123 | \
    ipa trust-add --type=ad adtest.qe --admin Administrator --password

On IPA Client:
9.  restart sssd to be safe:
systemctl stop sssd
rm -rf /var/lib/sss/db/*
rm -rf /var/lib/sss/mc/*
systemctl start sssd

10.  getent passwd posixuser1

11.  yum -y install ldb-tools

12.  ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user

Actual results:

Step 10 fails to find the user.
Step 12 returns:

[root@client sssd]# ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user
asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb
createTimestamp: 1374775689
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1
objectClass: user
uidNumber: 10001
nameAlias: posixuser1
userPrincipalName: posixuser1
objectSIDString: S-1-5-21-3052441428-1084853364-590233633-1300
lastUpdate: 1374775689
dataExpireTimestamp: 1374811689
distinguishedName: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals


Expected results:
gidNumber should not be 0, and the lookup should return passwd info.

Additional info:
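
As an added example (not part of this bug report and not code from sssd or FreeIPA): a POSIX shell function that reads ldbsearch output of the kind shown in step 12 and flags cached user records whose gidNumber is 0 or absent, the state this bug describes. The two samples embedded in the block are constructed for the example: the first is trimmed from the record above plus a hypothetical user "nogiduser" that has no gidNumber at all, the second is trimmed from the post-fix records in comment 6; the ldb path in the usage comment is the one from this report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from sssd/FreeIPA.
# Scan ldbsearch output from the sssd cache for user records whose
# gidNumber is 0 or absent, the cached state described in this bug.
#
# Real-world use (as root, with ldb-tools installed; path taken from
# the report):
#   ldbsearch -H /var/lib/sss/db/cache_ipa.spoore.test.ldb objectclass=user \
#       | find_bad_gid
#
# find_bad_gid reads LDIF-style records on stdin, prints one line per
# offending record ("<name> gidNumber=0" or "<name> gidNumber=missing")
# and exits 1 if any were found, 0 otherwise.
find_bad_gid() {
    awk '
        BEGIN { bad = 0 }
        # ldbsearch folds long values onto continuation lines that begin
        # with one space; glue them back before looking at the attribute.
        /^ / { prev = prev substr($0, 2); next }
        { if (prev != "") handle(prev); prev = $0 }
        END { if (prev != "") handle(prev); flush(); exit bad }

        function handle(line) {
            # a new record starts at "# record N" or at its dn: line
            if (line ~ /^# record / || line ~ /^dn: /) flush()
            if (line ~ /^gidNumber: /)        { gid = substr(line, 12); have_gid = 1 }
            if (line ~ /^name: /)             { name = substr(line, 7) }
            if (line ~ /^objectClass: user$/) { is_user = 1 }
        }
        function flush() {
            if (is_user && name != "") {
                if (!have_gid)       { print name " gidNumber=missing"; bad = 1 }
                else if (gid == "0") { print name " gidNumber=0";       bad = 1 }
            }
            name = ""; gid = ""; have_gid = 0; is_user = 0
        }
    '
}

# Constructed sample (trimmed from the record in this report, plus a
# hypothetical second user with no gidNumber at all): the broken cache.
BROKEN_SAMPLE='asq: Unable to register control with rootdse!
# record 1
dn: name=posixuser1,cn=users,cn=adtest.qe,cn=sysdb
gidNumber: 0
homeDirectory: /home/adtest.qe/posixuser1
name: posixuser1
objectClass: user
uidNumber: 10001
nameAlias: posixuser1

# record 2
dn: name=nogiduser,cn=users,cn=adtest.qe,cn=sysdb
name: nogiduser
objectClass: user
uidNumber: 10002

# returned 2 records
# 2 entries
# 0 referrals'

# Constructed sample after the fix (trimmed from comment 6), including a
# folded distinguishedName line as ldbsearch prints it.
FIXED_SAMPLE='# record 1
dn: name=adposixuser1.test,cn=users,cn=ad1.example.test,cn=sysdb
gidNumber: 10000
name: adposixuser1.test
objectClass: user
uidNumber: 10001
distinguishedName: name=adposixuser1.test,cn=users,cn=ad1.example.
 test,cn=sysdb

# record 2
dn: name=admin,cn=users,cn=ipa1.example.test,cn=sysdb
gidNumber: 375200000
name: admin
objectClass: user
uidNumber: 375200000

# returned 2 records
# 2 entries
# 0 referrals'

# Run the scan over each constructed sample; the first prints two lines
# and exits 1, the second prints nothing and exits 0.
scan_broken_sample() { printf '%s\n' "$BROKEN_SAMPLE" | find_bad_gid; }
scan_fixed_sample()  { printf '%s\n' "$FIXED_SAMPLE"  | find_bad_gid; }
```

The scan only sees what sssd has already cached, so on a real client run `getent passwd <user>` first (as in step 10) to populate the entry, then pipe the ldbsearch output through find_bad_gid; a non-zero exit means at least one cached user carries the gidNumber=0 state reported here. The attribute matches are anchored at the start of the line so that nameAlias and distinguishedName are not mistaken for name and dn.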

Comment 1 Jakub Hrozek 2013-07-25 19:05:30 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2032

Comment 2 Jakub Hrozek 2013-07-29 10:56:38 UTC
Fixed upstream.

Comment 3 Fedora Update System 2013-08-08 14:07:21 UTC
sssd-1.11.0-0.1.beta2.fc19, freeipa-3.3.0-1.fc19, slapi-nis-0.47.7-1.fc19 have been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.11.0-0.1.beta2.fc19,freeipa-3.3.0-1.fc19,slapi-nis-0.47.7-1.fc19

Comment 4 Fedora Update System 2013-08-09 17:03:59 UTC
Package sssd-1.11.0-0.1.beta2.fc19, freeipa-3.3.0-1.fc19, slapi-nis-0.47.7-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.11.0-0.1.beta2.fc19 freeipa-3.3.0-1.fc19 slapi-nis-0.47.7-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14470/sssd-1.11.0-0.1.beta2.fc19,freeipa-3.3.0-1.fc19,slapi-nis-0.47.7-1.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-08-15 02:52:22 UTC
Package freeipa-3.3.0-2.fc19, sssd-1.11.0-0.1.beta2.fc19, slapi-nis-0.47.7-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.3.0-2.fc19 sssd-1.11.0-0.1.beta2.fc19 slapi-nis-0.47.7-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14470/sssd-1.11.0-0.1.beta2.fc19,freeipa-3.3.0-2.fc19,slapi-nis-0.47.7-1.fc19
then log in and leave karma (feedback).

Comment 6 Scott Poore 2013-08-16 23:17:07 UTC
Looks like this one is good.  Will post karma.

[root@f19-1 ~]# ldbsearch -H /var/lib/sss/db/cache_ipa1.example.test.ldb objectclass=user
asq: Unable to register control with rootdse!
# record 1
dn: name=adposixuser1.test,cn=users,cn=ad1.example.test,cn=sysdb
createTimestamp: 1376694478
fullName: adposixuser1
gecos: adposixuser1
gidNumber: 10000
homeDirectory: /home/adposixuser1
loginShell: /bin/sh
name: adposixuser1.test
objectClass: user
uidNumber: 10001
objectSIDString: S-1-5-21-3024585523-2150831570-1141209184-1118
originalDN: CN=adposixuser1,CN=Users,DC=ad1,DC=example,DC=test
originalMemberOf: CN=adposixgroup1,CN=Users,DC=ad1,DC=example,DC=test
originalModifyTimestamp: 20130816220607.0Z
entryUSN: 65771
userPrincipalName: adposixuser1.TEST
adAccountExpires: 9223372036854775807
adUserAccountControl: 66048
nameAlias: adposixuser1.test
lastUpdate: 1376694478
dataExpireTimestamp: 1376699878
distinguishedName: name=adposixuser1.test,cn=users,cn=ad1.example.
 test,cn=sysdb

# record 2
dn: name=admin,cn=users,cn=ipa1.example.test,cn=sysdb
createTimestamp: 1376694323
fullName: Administrator
gecos: Administrator
gidNumber: 375200000
name: admin
objectClass: user
uidNumber: 375200000
userPrincipalName: admin.TEST
nameAlias: admin
objectSIDString: S-1-5-21-2791864261-2397021873-3522414585-500
originalDN: uid=admin,cn=users,cn=accounts,dc=ipa1,dc=example,dc=test
lastUpdate: 1376694323
dataExpireTimestamp: 1376699723
memberof: name=admins,cn=groups,cn=ipa1.example.test,cn=sysdb
originalMemberOf: cn=admins,cn=groups,cn=accounts,dc=ipa1,dc=example,dc=test
distinguishedName: name=admin,cn=users,cn=ipa1.example.test,cn=sysdb

# returned 2 records
# 2 entries
# 0 referrals

Comment 7 Fedora Update System 2013-08-18 21:37:48 UTC
freeipa-3.3.0-2.fc19, sssd-1.11.0-0.1.beta2.fc19, slapi-nis-0.47.7-1.fc19 have been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.