1030699 – [RFE] Support initgroups for unauthenticated AD users

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1030699 - [RFE] Support initgroups for unauthenticated AD users

Summary: [RFE] Support initgroups for unauthenticated AD users

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:	1171382 1171383
Blocks:	1168378
TreeView+	depends on / blocked

Reported:	2013-11-15 01:10 UTC by Scott Poore
Modified:	2015-04-30 14:22 UTC (History)
CC List:	7 users (show)
Fixed In Version:	ipa-4.1.0-0.1.alpha1.el7
Doc Type:	Enhancement
Doc Text:
Clone Of:
Clones:	1168378 (view as bug list)
Environment:
Last Closed:	2015-03-05 10:09:57 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
sssd logs from id lookup missing domain users (75.66 KB, application/x-gzip) 2014-12-05 16:42 UTC, Scott Poore	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	0	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 14:50:39 UTC

Description Scott Poore 2013-11-15 01:10:22 UTC

Description of problem:

Running the id command for AD user on an IPA client does not show all of the group memberships as shown on an IPA server.

MASTER:
[root@nightcrawler ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1) gid=1436801369(aduser1) groups=1436801369(aduser1),1436800513(domain users),1436801883(adgroup1)

REPLICA:
[root@apollo ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1) gid=1436801369(aduser1) groups=1436801369(aduser1),1436800513(domain users),1436801883(adgroup1)

CLIENT:
[root@qe-blade-04 ~]# id 'ADLABS\aduser1'
uid=1436801369(aduser1) gid=1436801369(aduser1) groups=1436801369(aduser1)

Version-Release number of selected component (if applicable):


How reproducible:
seen frequently in automated tests.  

However, in one instance, after logging into the server, I saw same results as expected.

Steps to Reproduce:
0.  have access to AD with user aduser
1.  ipa-server-install # on server
2.  ipa-client-install # on client
3.  ipa-adtrust-install # on server
4.  ipa trust-add # on server
5.  id 'AD\aduser' # on both

Actual results:
5. id shows different group lists for server and client.  client is missing groups.

Expected results:
5. same group list shown on client as on server.


Additional info:

Comment 2 Martin Kosek 2013-11-15 08:22:21 UTC

Alexander, isn't this behavior intended? I.e. one cannot see all groups of an AD user until he logs in to the machine (and thus groups can be read from ms-pac)?

Comment 3 Alexander Bokovoy 2013-11-15 08:32:21 UTC

Yes, unless MS-PAC is seen upon logon, full list of groups is not available on client, we don't do initgroups() call over extdom.

In IPA server mode SSSD has to resolve all groups for legacy clients support, thus IPA masters always have initgroups() correctly populated.

We are discussing whether it makes sense to expand initgroups() to go over extdom. Sumit will have more details.

Comment 4 Martin Kosek 2013-11-15 11:31:06 UTC

Adding Sumit to CC to advise.

Comment 5 Sumit Bose 2013-11-15 13:26:13 UTC

As Alexander said this is intended behavior.

Imo the needed changes to support initgroups over extdom are out of scope for RHEL7. I would suggest to rename this ticket and move it as an RFE to RHEL-7.1.

Comment 6 Martin Kosek 2013-11-15 14:14:03 UTC

Ok, makes sense - renaming the ticket.

Comment 7 Martin Kosek 2013-11-17 21:11:09 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4031

Comment 8 Dmitri Pal 2013-11-26 14:01:35 UTC

Might have to be back ported to 6 & 7.

Comment 10 Martin Kosek 2014-09-30 06:35:15 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/3c75b9171e5721097f6ba2855e41f0e4129b907b
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/2006d8759b767364031052480a3fc8947dea0998

Comment 12 Scott Poore 2014-12-04 18:36:31 UTC

I think I can verify this but, I need to confirm that "Domain Users" is special case and will not necessarily show up in lookups here?

MASTER:

[root@rhel7-1 systemd]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1.com) gid=1108801104(aduser1.com) groups=1108801104(aduser1.com),1108800513(domain users.com)

[root@rhel7-1 systemd]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108800513(domain users.com)


CLIENT:

[root@rhel7-2 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1.com) gid=1108801104(aduser1.com) groups=1108801104(aduser1.com),1108800513(domain users.com)

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com)

On the client I see all the expected groups except for "Domain Users".  Is that still going to be the case with this change?

Comment 13 Scott Poore 2014-12-04 20:33:05 UTC

FYI, per previous expectations, I can see "Domain Users" after login:

[root@rhel7-2 ~]# ssh -l 'ADROOT1\bzuser1' $(hostname)
ADROOT1\bzuser1.example.com's password: 
Could not chdir to home directory /home/adroot1.example.com/bzuser1: No such file or directory

-sh-4.2$ id
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108800513(domain users.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108801112(bzgroup3.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ exit
logout
Connection to rhel7-2.ipa1.example.com closed.

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108800513(domain users.com)

So, is "Domain Users" group an exception to this change?

Comment 14 Sumit Bose 2014-12-05 10:51:56 UTC

Whatever id returns on the server should be returned on the client as well. Can you retry with an empty cache on the client?

Comment 15 Scott Poore 2014-12-05 15:52:44 UTC

That was from a fresh install.  One of the first commands run after IPA installed and trust setup.

Is it possible that it's a first time lookup hiccup?  

I was able to rebuild my env and reproduce the problem.  Then I enabled sssd debug_level = 9.  After clearing cache and restarting, I'm now seeing "Domain Users" group.

I'll rebuild env and set sssd debugging before I test the first time to see if I can catch it there.

Comment 16 Scott Poore 2014-12-05 16:42:08 UTC

Created attachment 965173 [details]
sssd logs from id lookup missing domain users

Comment 17 Scott Poore 2014-12-05 16:43:45 UTC

Ok, see attachement sssd.logs.  This was after missing domain users from bzuser1 lookup:

[root@rhel7-2 bad]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com)

Comment 18 Sumit Bose 2014-12-11 09:36:08 UTC

Hi Scott, thank you for the logs, there is indeed an issue in the SSSD side which prevents to user to be added to the domain users group properly. I'll fix it.

Comment 19 Sumit Bose 2014-12-11 13:14:25 UTC

SSSD ticket is https://fedorahosted.org/sssd/ticket/2529

Comment 20 Scott Poore 2014-12-12 16:20:21 UTC

Ok, does that need a separate bz created since it is a separate component?

I'm changing this one back to assigned until that issue is fixed and ready for QA.  If we do have a separate BZ for the sssd issue, I think that it should be tagged as blocking this one, right?  If not, will you just add sssd to the "Fixed in version" field?

Thanks

Comment 21 Jakub Hrozek 2014-12-12 16:23:54 UTC

(In reply to Scott Poore from comment #20)
> Ok, does that need a separate bz created since it is a separate component?
> 
> I'm changing this one back to assigned until that issue is fixed and ready
> for QA.

Thank you there is a patch on the list already.

>  If we do have a separate BZ for the sssd issue, I think that it
> should be tagged as blocking this one, right?  If not, will you just add
> sssd to the "Fixed in version" field?

Since it's a bug in an acked feature, I think it's fine to re-use this bug.

Comment 22 Martin Kosek 2014-12-17 12:34:29 UTC

No change is needed for IPA, this issue will be fixed by patch for Bug 1171383 and Bug 1171382.

Comment 23 Martin Kosek 2015-01-06 13:08:03 UTC

SSSD bugs were fixed in sssd-1.12.2-38.el7, moving back to ON_QA.

Comment 24 Scott Poore 2015-01-09 18:11:31 UTC

Verified.

Version ::

ipa-client-4.1.0-13.el7.x86_64
sssd-1.12.2-39.el7.x86_64

Results ::

Again tested right after install/setup.

Server:

[root@rhel7-1 ~]# ipa trust-add adroot1.example.com --admin Administrator --range-type=ipa-ad-trust --password
Active Directory domain administrator's password: 
------------------------------------------------------------
Added Active Directory trust for realm "adroot1.example.com"
------------------------------------------------------------
  Realm name: adroot1.example.com
  Domain NetBIOS name: ADROOT1
  Domain Security Identifier: S-1-5-21-663451879-2037396169-3163888224
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
                          S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
                          S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
                          S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
                          S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@rhel7-1 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108800513(domain users.com)

[root@rhel7-1 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1.com) gid=1108801104(aduser1.com) groups=1108801104(aduser1.com),1108800513(domain users.com)

Client:

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
id: ADROOT1\bzuser1: no such user

[root@rhel7-2 ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service

# restart above was necessary on client to pick up trust without natural timeout/update:

[root@rhel7-2 ~]# id 'ADROOT1\bzuser1'
uid=1108801109(bzuser1.com) gid=1108801109(bzuser1.com) groups=1108801109(bzuser1.com),1108801112(bzgroup3.com),1108801110(bzgroup1.com),1108801111(bzgroup2.com),1108800513(domain users.com)

[root@rhel7-2 ~]# id 'ADROOT1\Aduser1'
uid=1108801104(aduser1.com) gid=1108801104(aduser1.com) groups=1108801104(aduser1.com),1108800513(domain users.com)

Comment 26 errata-xmlrpc 2015-03-05 10:09:57 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.