Bug 1002597 - ad: unable to resolve membership when user is from different domain than group
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Target Milestone: rc
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
 
Reported: 2013-08-29 09:51 EDT by Dmitri Pal
Modified: 2015-09-29 03:11 EDT
Fixed In Version: sssd-1.11.2-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 08:13:00 EDT
Description Dmitri Pal 2013-08-29 09:51:32 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2064

I have the following configuration of active directory forest:

{{{
ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain)

ChildUsers (universal group in ad.pb) contains
subaduser@sub.ad.pb (user from child domain)
}}}

SSSD is not able to resolve this membership. It probably tries to search for subaduser in the ad.pb LDAP instead of the Global Catalog.


{{{
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
	ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
	ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_done] (0x0020): Nested group processing failed: [5][Input/output error]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
}}}
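As an added triage example (not part of this bug report and not SSSD's own code), the script below scans SSSD debug log lines in the format quoted above and flags every LDAP search whose base DN points into a different domain than the backend that issued it and that the DC answered with a referral, which is exactly the pattern in the excerpt: the AD.PB backend searched a `DC=sub,DC=ad,DC=pb` base on a root-domain DC over plain LDAP, where only that DC's own naming context lives, instead of the Global Catalog. The sample input is excerpted from the log in the description; the regular expressions, the `Finding` record and the advice text are my own assumptions about how to triage such a log, not SSSD output.

```python
"""Triage SSSD debug logs for member lookups that came back as LDAP referrals."""
import re
from dataclasses import dataclass

# Excerpt of the sssd_AD.PB.log lines quoted in the bug description above.
SAMPLE_LOG = """\
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
\tref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
\tref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [5]: Input/output error
"""

# Assumed layout of one SSSD debug line: "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message".
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<backend>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.$")
REFERRAL_RE = re.compile(r"^Search result: Referral\((?P<code>\d+)\), (?P<detail>.*)$")
REF_TARGET_RE = re.compile(r"^\s*ref \d+: '(?P<target>[^']+)'")  # continuation line after a referral
DC_RE = re.compile(r"(?:^|,)\s*DC=([^,]+)", re.IGNORECASE)


def dn_domain(dn: str) -> str:
    """Spell the DNS domain named by the DC= components of a DN (lower-cased)."""
    return ".".join(DC_RE.findall(dn)).lower()


@dataclass
class Finding:
    backend: str            # SSSD domain whose backend issued the search, from be[...]
    search_filter: str      # LDAP filter of the search that drew the referral
    base_dn: str            # base DN of that search
    base_domain: str        # DNS domain spelled by the DC= components of base_dn
    referred_to: str = ""   # domain named in the referral, if the log shows a 'ref N:' line

    @property
    def cross_domain(self) -> bool:
        return self.base_domain != self.backend.lower()

    @property
    def child_of_backend(self) -> bool:
        return self.base_domain.endswith("." + self.backend.lower())


def find_referrals(log_text: str) -> list:
    """Pair each 'calling ldap_search_ext' line with the result that follows it
    and return one Finding per search that the server answered with a referral."""
    findings = []
    pending = {}   # backend -> (filter, base) of the most recent search it issued
    last = None    # most recent Finding, so a following 'ref N:' line can fill referred_to
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            t = REF_TARGET_RE.match(raw)
            if t and last is not None and not last.referred_to:
                last.referred_to = t.group("target")
            continue
        backend, msg = m.group("backend"), m.group("msg")
        s = SEARCH_RE.search(msg)
        if s:
            pending[backend] = (s.group("filter"), s.group("base"))
            continue
        if REFERRAL_RE.match(msg) and m.group("func") == "sdap_get_generic_ext_done":
            filt, base = pending.get(backend, ("", ""))
            last = Finding(backend, filt, base, dn_domain(base))
            findings.append(last)
    return findings


def advice(f: Finding) -> str:
    """Plain-language explanation of why the referral happened (assumed wording)."""
    if f.child_of_backend:
        return (f"a {f.backend.lower()} DC only holds its own naming context; {f.base_dn} lives in "
                f"child domain {f.base_domain}, so the lookup must go to the Global Catalog "
                f"(port 3268/3269) or chase the referral to {f.referred_to or f.base_domain}")
    if f.cross_domain:
        return f"object is in {f.base_domain}, outside backend {f.backend}; use the GC or the right domain's DC"
    return "referral for an object in the backend's own domain; check the search base"


if __name__ == "__main__":
    for f in find_referrals(SAMPLE_LOG):
        print(f"[{f.backend}] base={f.base_dn} referred_to={f.referred_to}\n  -> {advice(f)}")
```

Run it against a real `sssd_<domain>.log` written at a debug_level that includes the 0x0400 trace messages; the `Referral(10)` results it reports are the lookups that a DC of one domain cannot answer for an object in another, which on an unpatched sssd surfaces as the `Input/output error` in `sdap_nested_group_single_step_done` seen above.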
Comment 1 Jakub Hrozek 2013-08-29 13:22:17 EDT
We know the root cause -> ASSIGNED
Comment 2 Jakub Hrozek 2013-10-30 18:08:30 EDT
sssd-1-11:
    90fffc3ac673b5d030189e050ca2955f0ef2a429
    fc2dca9b7009885e1ceda8ab1df57c8e98f4f2b0
    d1fd7269420dfdb46cf60e138af6ba051e5ef3bb
    3d82882a2f0bc833278709b3c56d34337d151d58
    4b868a12602c9588f7beef6664c97b40cf83acf8
    a2c1db6b43374e7811bcf12d4b90640b96e695f2
    7cf785f9326a32afd0a52117f89d854244b1ce40 
master:
    55206e06bcfa0322cd817d34457e330545d6b877
    05f6866b89f790e25510b7eeca88ded617294011
    b6a867be96dbe802c8dc8a9ce635040ecf77b56f
    85eb8a5e98e208393b205615e3895a64905eacf2
    d81ce5550ba1fdebd958483d7322052c8b39c33b
    c704c35ae7ab3861c78371437e3a9ed06ba93d8b
    76da70d5a5b5b05b926840d7692a31915d3ca8eb
Comment 4 Kaushik Banerjee 2014-01-13 06:59:23 EST
Verified in version 1.11.2-23.el7

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_02: bz 1002597 User and group memberships from different domains
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'getent group group2_dom2@sssdad_tree.com | grep user1_dom2 | grep user2_dom1 | grep user2_dom3' (Expected 0, got 0)
:: [   PASS   ] :: Running 'id user3_dom3@child1.sssdad.com | grep group3_dom3 | grep group3_dom2 | grep group3_dom1' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2m 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_02: User and group memberships from different domains
Comment 5 Ludek Smid 2014-06-13 08:13:00 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
