Bug 1030699 - [RFE] Support initgroups for unauthenticated AD users
[RFE] Support initgroups for unauthenticated AD users
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Martin Kosek
Namita Soman
: FutureFeature
Depends On: 1171382 1171383
Blocks: 1168378
  Show dependency treegraph
 
Reported: 2013-11-14 20:10 EST by Scott Poore
Modified: 2015-04-30 10:22 EDT (History)
7 users (show)

See Also:
Fixed In Version: ipa-4.1.0-0.1.alpha1.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1168378 (view as bug list)
Environment:
Last Closed: 2015-03-05 05:09:57 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sssd logs from id lookup missing domain users (75.66 KB, application/x-gzip)
2014-12-05 11:42 EST, Scott Poore
no flags Details

  None (edit)
Description Scott Poore 2013-11-14 20:10:22 EST
Description of problem:

Running the id command for AD user on an IPA client does not show all of the group memberships as shown on an IPA server.

MASTER:
[root@nightcrawler ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1@adlabs.com) gid=1436801369(aduser1@adlabs.com) groups=1436801369(aduser1@adlabs.com),1436800513(domain users@adlabs.com),1436801883(adgroup1@adlabs.com)

REPLICA:
[root@apollo ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1@adlabs.com) gid=1436801369(aduser1@adlabs.com) groups=1436801369(aduser1@adlabs.com),1436800513(domain users@adlabs.com),1436801883(adgroup1@adlabs.com)

CLIENT:
[root@qe-blade-04 ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1@adlabs.com) gid=1436801369(aduser1@adlabs.com) groups=1436801369(aduser1@adlabs.com)

Version-Release number of selected component (if applicable):


How reproducible:
seen frequently in automated tests.  

However, in one instance, after logging into the server, I saw same results as expected.

Steps to Reproduce:
0.  have access to AD with user aduser
1.  ipa-server-install # on server
2.  ipa-client-install # on client
3.  ipa-adtrust-install # on server
4.  ipa trust-add # on server
5.  id 'AD\aduser' # on both

Actual results:
5. id shows different group lists for server and client.  client is missing groups.

Expected results:
5. same group list shown on client as on server.


Additional info:
Comment 2 Martin Kosek 2013-11-15 03:22:21 EST
Alexander, isn't this behavior intended? I.e. one cannot see all groups of an AD user until he logs in to the machine (and thus groups can be read from ms-pac)?
Comment 3 Alexander Bokovoy 2013-11-15 03:32:21 EST
Yes, unless MS-PAC is seen upon logon, full list of groups is not available on client, we don't do initgroups() call over extdom.

In IPA server mode SSSD has to resolve all groups for legacy clients support, thus IPA masters always have initgroups() correctly populated.

We are discussing whether it makes sense to expand initgroups() to go over extdom. Sumit will have more details.
Comment 4 Martin Kosek 2013-11-15 06:31:06 EST
Adding Sumit to CC to advise.
Comment 5 Sumit Bose 2013-11-15 08:26:13 EST
As Alexander said this is intended behavior.

Imo the needed changes to support initgroups over extdom are out of scope for RHEL7. I would suggest to rename this ticket and move it as an RFE to RHEL-7.1.
Comment 6 Martin Kosek 2013-11-15 09:14:03 EST
Ok, makes sense - renaming the ticket.
Comment 7 Martin Kosek 2013-11-17 16:11:09 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4031
Comment 8 Dmitri Pal 2013-11-26 09:01:35 EST
Might have to be back ported to 6 & 7.
Comment 12 Scott Poore 2014-12-04 13:36:31 EST
I think I can verify this but, I need to confirm that "Domain Users" is special case and will not necessarily show up in lookups here?

MASTER:

[root@rhel7-1 systemd]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1@adroot1.example.com) gid=1108801104(aduser1@adroot1.example.com) groups=1108801104(aduser1@adroot1.example.com),1108800513(domain users@adroot1.example.com)

[root@rhel7-1 systemd]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1@adroot1.example.com) gid=1108801109(bzuser1@adroot1.example.com) groups=1108801109(bzuser1@adroot1.example.com),1108801112(bzgroup3@adroot1.example.com),1108801110(bzgroup1@adroot1.example.com),1108801111(bzgroup2@adroot1.example.com),1108800513(domain users@adroot1.example.com)


CLIENT:

[root@rhel7-2 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1@adroot1.example.com) gid=1108801104(aduser1@adroot1.example.com) groups=1108801104(aduser1@adroot1.example.com),1108800513(domain users@adroot1.example.com)

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1@adroot1.example.com) gid=1108801109(bzuser1@adroot1.example.com) groups=1108801109(bzuser1@adroot1.example.com),1108801112(bzgroup3@adroot1.example.com),1108801110(bzgroup1@adroot1.example.com),1108801111(bzgroup2@adroot1.example.com)

On the client I see all the expected groups except for "Domain Users".  Is that still going to be the case with this change?
Comment 13 Scott Poore 2014-12-04 15:33:05 EST
FYI, per previous expectations, I can see "Domain Users" after login:

[root@rhel7-2 ~]# ssh -l 'ADROOT1\bzuser1' $(hostname)
ADROOT1\bzuser1@rhel7-2.ipa1.example.com's password: 
Could not chdir to home directory /home/adroot1.example.com/bzuser1: No such file or directory

-sh-4.2$ id
uid=1108801109(bzuser1@adroot1.example.com) gid=1108801109(bzuser1@adroot1.example.com) groups=1108801109(bzuser1@adroot1.example.com),1108800513(domain users@adroot1.example.com),1108801110(bzgroup1@adroot1.example.com),1108801111(bzgroup2@adroot1.example.com),1108801112(bzgroup3@adroot1.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ exit
logout
Connection to rhel7-2.ipa1.example.com closed.

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1@adroot1.example.com) gid=1108801109(bzuser1@adroot1.example.com) groups=1108801109(bzuser1@adroot1.example.com),1108801112(bzgroup3@adroot1.example.com),1108801110(bzgroup1@adroot1.example.com),1108801111(bzgroup2@adroot1.example.com),1108800513(domain users@adroot1.example.com)

So, is "Domain Users" group an exception to this change?
Comment 14 Sumit Bose 2014-12-05 05:51:56 EST
Whatever id returns on the server should be returned on the client as well. Can you retry with an empty cache on the client?
Comment 15 Scott Poore 2014-12-05 10:52:44 EST
That was from a fresh install.  One of the first commands run after IPA installed and trust setup.

Is it possible that it's a first time lookup hiccup?  

I was able to rebuild my env and reproduce the problem.  Then I enabled sssd debug_level = 9.  After clearing cache and restarting, I'm now seeing "Domain Users" group.

I'll rebuild env and set sssd debugging before I test the first time to see if I can catch it there.
Comment 16 Scott Poore 2014-12-05 11:42:08 EST
Created attachment 965173 [details]
sssd logs from id lookup missing domain users
Comment 17 Scott Poore 2014-12-05 11:43:45 EST
Ok, see attachement sssd.logs.  This was after missing domain users from bzuser1 lookup:

[root@rhel7-2 bad]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1@adroot1.example.com) gid=1108801109(bzuser1@adroot1.example.com) groups=1108801109(bzuser1@adroot1.example.com),1108801112(bzgroup3@adroot1.example.com),1108801110(bzgroup1@adroot1.example.com),1108801111(bzgroup2@adroot1.example.com)
Comment 18 Sumit Bose 2014-12-11 04:36:08 EST
Hi Scott, thank you for the logs, there is indeed an issue in the SSSD side which prevents to user to be added to the domain users group properly. I'll fix it.
Comment 19 Sumit Bose 2014-12-11 08:14:25 EST
SSSD ticket is https://fedorahosted.org/sssd/ticket/2529
Comment 20 Scott Poore 2014-12-12 11:20:21 EST
Ok, does that need a separate bz created since it is a separate component?

I'm changing this one back to assigned until that issue is fixed and ready for QA.  If we do have a separate BZ for the sssd issue, I think that it should be tagged as blocking this one, right?  If not, will you just add sssd to the "Fixed in version" field?

Thanks
Comment 21 Jakub Hrozek 2014-12-12 11:23:54 EST
(In reply to Scott Poore from comment #20)
> Ok, does that need a separate bz created since it is a separate component?
> 
> I'm changing this one back to assigned until that issue is fixed and ready
> for QA.

Thank you there is a patch on the list already.

>  If we do have a separate BZ for the sssd issue, I think that it
> should be tagged as blocking this one, right?  If not, will you just add
> sssd to the "Fixed in version" field?

Since it's a bug in an acked feature, I think it's fine to re-use this bug.
Comment 22 Martin Kosek 2014-12-17 07:34:29 EST
No change is needed for IPA, this issue will be fixed by patch for Bug 1171383 and Bug 1171382.
Comment 23 Martin Kosek 2015-01-06 08:08:03 EST
SSSD bugs were fixed in sssd-1.12.2-38.el7, moving back to ON_QA.
Comment 24 Scott Poore 2015-01-09 13:11:31 EST
Verified.

Version ::

ipa-client-4.1.0-13.el7.x86_64
sssd-1.12.2-39.el7.x86_64

Results ::

Again tested right after install/setup.

Server:

[root@rhel7-1 ~]# ipa trust-add adroot1.example.com --admin Administrator --range-type=ipa-ad-trust --password
Active Directory domain administrator's password: 
------------------------------------------------------------
Added Active Directory trust for realm "adroot1.example.com"
------------------------------------------------------------
  Realm name: adroot1.example.com
  Domain NetBIOS name: ADROOT1
  Domain Security Identifier: S-1-5-21-663451879-2037396169-3163888224
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
                          S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
                          S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
                          S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
                          S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@rhel7-1 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1@adroot1.example.com) gid=1108801109(bzuser1@adroot1.example.com) groups=1108801109(bzuser1@adroot1.example.com),1108801112(bzgroup3@adroot1.example.com),1108801110(bzgroup1@adroot1.example.com),1108801111(bzgroup2@adroot1.example.com),1108800513(domain users@adroot1.example.com)

[root@rhel7-1 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1@adroot1.example.com) gid=1108801104(aduser1@adroot1.example.com) groups=1108801104(aduser1@adroot1.example.com),1108800513(domain users@adroot1.example.com)

Client:

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
id: ADROOT1\bzuser1: no such user

[root@rhel7-2 ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

# restart above was necessary on client to pick up trust without natural timeout/update:

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1@adroot1.example.com) gid=1108801109(bzuser1@adroot1.example.com) groups=1108801109(bzuser1@adroot1.example.com),1108801112(bzgroup3@adroot1.example.com),1108801110(bzgroup1@adroot1.example.com),1108801111(bzgroup2@adroot1.example.com),1108800513(domain users@adroot1.example.com)

[root@rhel7-2 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1@adroot1.example.com) gid=1108801104(aduser1@adroot1.example.com) groups=1108801104(aduser1@adroot1.example.com),1108800513(domain users@adroot1.example.com)
Comment 26 errata-xmlrpc 2015-03-05 05:09:57 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.