Bug 1002597 - ad: unable to resolve membership when user is from different domain than group
Summary: ad: unable to resolve membership when user is from different domain than group
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-29 13:51 UTC by Dmitri Pal
Modified: 2020-05-02 17:27 UTC
CC: 5 users

Fixed In Version: sssd-1.11.2-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:13:00 UTC
Target Upstream Version:
Embargoed:


Links
System: Github SSSD sssd issues
ID: 3106
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-05-02 17:27:04 UTC

Description Dmitri Pal 2013-08-29 13:51:32 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2064

I have the following configuration of active directory forest:

{{{
ad.pb (root domain) <-- (transitive trust) --> sub.ad.pb (child domain)

ChildUsers (universal group in ad.pb) contains
subaduser.pb (user from child domain)
}}}

SSSD is not able to resolve this membership. It probably tries to search subaduser in ad.pb LDAP instead of Global Catalog.


{{{
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
	ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
	ref 1: 'sub.ad.pb'

(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [5]: Input/output error
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_nested_done] (0x0020): Nested group processing failed: [5][Input/output error]
(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
}}}
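
The failure the description points at (a child-domain user DN searched against the parent domain's LDAP endpoint, which answers with a referral instead of the entry) can be picked out of the domain log (sssd_<domain>.log) mechanically. The following Python is an added example, not code from the bug report or from SSSD: it pairs each ldap_search_ext call with its result, flags searches whose base DN lies outside the backend's own domain, and applies an assumed routing rule (same domain: LDAP on port 389; any other domain of the forest: Global Catalog on port 3268) that mirrors the reporter's point about the Global Catalog. The sample log lines are copied from the report above; the names SAMPLE_LOG, Finding, dn_domain, choose_endpoint, triage and misrouted are this example's own.

```python
"""Triage SSSD LDAP-provider debug output for cross-domain lookups.

Added example: the log lines are copied from the bug report; the function
names, the Finding record and the routing rule in choose_endpoint() are
this example's own assumptions, not SSSD code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "[sssd[be[AD.PB]]] ... calling ldap_search_ext with [<filter>][<base DN>]."
SEARCH_RE = re.compile(
    r"\[sssd\[be\[([^\]]+)\]\]\].*calling ldap_search_ext with "
    r"\[(.*?)\]\[(.*?)\]\.?\s*$"
)
# "Search result: Referral(10), ..." / "Search result: Success(0), ..."
RESULT_RE = re.compile(r"Search result: (\w+)\((\d+)\)")
# "    ref 1: 'sub.ad.pb'"  (referral target printed by the DC)
REF_RE = re.compile(r"ref \d+: '([^']+)'")

# Excerpt of the debug log from the report (constructed sample input).
SAMPLE_LOG = [
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-3940105347-3434501867-2690409756-1110)(objectclass=group)(name=*))][DC=ad,DC=pb].",
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set",
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=user)][CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb].",
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points",
    "\tref 1: 'sub.ad.pb'",
    "(Thu Aug 29 13:33:48 2013) [sssd[be[AD.PB]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points",
    "\tref 1: 'sub.ad.pb'",
]


def dn_domain(dn: str) -> str:
    """DNS name implied by the DC= components of a DN (lower-cased).
    'CN=subaduser,CN=Users,DC=sub,DC=ad,DC=pb' -> 'sub.ad.pb'."""
    labels = [rdn.split("=", 1)[1].strip()
              for rdn in dn.split(",")
              if rdn.strip().upper().startswith("DC=")]
    return ".".join(labels).lower()


def choose_endpoint(target_dn: str, domain_base_dn: str,
                    forest_root_dn: str) -> Tuple[str, int, str]:
    """Assumed routing rule: an object in the connected domain is looked up
    over that domain's LDAP port (389); an object anywhere else in the
    forest goes to the Global Catalog (3268) searched from the forest root,
    which holds a partial replica of every domain and so answers with an
    entry rather than a referral."""
    if dn_domain(target_dn) == dn_domain(domain_base_dn):
        return ("ldap", 389, domain_base_dn)
    return ("gc", 3268, forest_root_dn)


@dataclass
class Finding:
    domain: str            # SSSD backend domain the search was issued from
    base_dn: str           # search base passed to ldap_search_ext
    result: str            # Success, Referral, ...
    cross_domain: bool     # base DN lies outside the backend's domain
    referral_to: Optional[str] = None


def triage(log_lines: List[str]) -> List[Finding]:
    """Pair each ldap_search_ext call with its result and flag searches whose
    base DN belongs to a different domain than the backend is bound to."""
    findings: List[Finding] = []
    pending: Optional[Tuple[str, str]] = None
    for line in log_lines:
        m = SEARCH_RE.search(line)
        if m:
            pending = (m.group(1).lower(), m.group(3))
            continue
        r = RESULT_RE.search(line)
        if r and pending is not None:
            domain, base_dn = pending
            findings.append(Finding(domain, base_dn, r.group(1),
                                    dn_domain(base_dn) != domain))
            pending = None
            continue
        ref = REF_RE.search(line)
        if (ref and findings and findings[-1].result == "Referral"
                and findings[-1].referral_to is None):
            findings[-1].referral_to = ref.group(1)
    return findings


def misrouted(findings: List[Finding]) -> List[Finding]:
    """Searches that went to the wrong server: an out-of-domain base DN that
    the DC answered with a referral instead of an entry."""
    return [f for f in findings if f.cross_domain and f.result == "Referral"]


if __name__ == "__main__":
    for f in misrouted(triage(SAMPLE_LOG)):
        kind, port, base = choose_endpoint(f.base_dn, "DC=ad,DC=pb", "DC=ad,DC=pb")
        print(f"{f.domain}: {f.base_dn!r} returned {f.result} (ref {f.referral_to}); "
              f"look it up via {kind}:{port} under {base} instead")
```

Run against the excerpt, the group lookup in DC=ad,DC=pb passes and the user lookup under DC=sub,DC=ad,DC=pb is reported as misrouted with the referral target sub.ad.pb, which is exactly the pattern to look for in a full debug log when cross-domain group membership comes back incomplete.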

Comment 1 Jakub Hrozek 2013-08-29 17:22:17 UTC
We know the root cause -> ASSIGNED

Comment 2 Jakub Hrozek 2013-10-30 22:08:30 UTC
sssd-1-11:
    90fffc3ac673b5d030189e050ca2955f0ef2a429
    fc2dca9b7009885e1ceda8ab1df57c8e98f4f2b0
    d1fd7269420dfdb46cf60e138af6ba051e5ef3bb
    3d82882a2f0bc833278709b3c56d34337d151d58
    4b868a12602c9588f7beef6664c97b40cf83acf8
    a2c1db6b43374e7811bcf12d4b90640b96e695f2
    7cf785f9326a32afd0a52117f89d854244b1ce40 
master:
    55206e06bcfa0322cd817d34457e330545d6b877
    05f6866b89f790e25510b7eeca88ded617294011
    b6a867be96dbe802c8dc8a9ce635040ecf77b56f
    85eb8a5e98e208393b205615e3895a64905eacf2
    d81ce5550ba1fdebd958483d7322052c8b39c33b
    c704c35ae7ab3861c78371437e3a9ed06ba93d8b
    76da70d5a5b5b05b926840d7692a31915d3ca8eb

Comment 4 Kaushik Banerjee 2014-01-13 11:59:23 UTC
Verified in version 1.11.2-23.el7

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_02: bz 1002597 User and group memberships from different domains
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Running 'getent group group2_dom2 | grep user1_dom2 | grep user2_dom1 | grep user2_dom3' (Expected 0, got 0)
:: [   PASS   ] :: Running 'id user3_dom3.com | grep group3_dom3 | grep group3_dom2 | grep group3_dom1' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2m 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_02: User and group memberships from different domains

Comment 5 Ludek Smid 2014-06-13 12:13:00 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

