Bug 1125187 - simple_allow_groups does not lookup groups from other AD domains
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-31 09:29 UTC by Kaushik Banerjee
Modified: 2014-10-14 04:49 UTC

Fixed In Version: sssd-1.11.6-28.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 04:49:13 UTC


Links
System: Red Hat Product Errata
ID: RHBA-2014:1375
Priority: normal
Status: SHIPPED_LIVE
Summary: sssd bug fix and enhancement update
Last Updated: 2014-10-14 01:06:25 UTC

Description Kaushik Banerjee 2014-07-31 09:29:23 UTC
Description of problem:
simple_allow_groups does not lookup groups from other AD domains

Version-Release number of selected component (if applicable):
sssd-1.11.6-12.el6

How reproducible:
Always

Steps to Reproduce:
1. sssd configured for ad provider. primary domain=sssdad.com
[domain/sssdad.com]
id_provider = ad
debug_level = 0xFFF0
use_fully_qualified_names = True
access_provider = simple
simple_allow_groups=group1_dom3@child1.sssdad.com

2. Lookup the child domain group
# getent group group1_dom3@child1.sssdad.com
group1_dom3@child1.sssdad.com:*:1184401714:user1_dom3@child1.sssdad.com

3. # ssh -l user1_dom3@child1.sssdad.com localhost
user1_dom3@child1.sssdad.com@localhost's password: 
Connection closed by ::1

Actual results:
Access is denied

Domain log shows:
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_primary] (0x0040): Could not look up primary group [1184401711]: [2][No such file or directory]
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted

Expected results:
Access should be permitted

Additional info:

Comment 1 Jakub Hrozek 2014-07-31 09:35:10 UTC
Pavel, didn't we fix this bug some time ago?

Comment 3 Pavel Reichl 2014-07-31 11:08:19 UTC
Jakub,

I believe you mean:

https://bugzilla.redhat.com/show_bug.cgi?id=1092766

Comment 6 Jakub Hrozek 2014-08-14 07:57:55 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2407

Comment 10 Jakub Hrozek 2014-08-26 15:45:25 UTC
Fixed upstream:

    master:
        99f53d551a1db5d8023b4271eb691d554257624c
        174e9ec6f88d709b6e9481ed06a322c0fc495842
        21f2821a4420291c8eb3ee9d427e9e1b0a1d9989 
    sssd-1-11:
        414f520ee793cdee5973eeab35a09a70081f95bd
        6656b818d1b4400052aee33ab50385abbe1b1a6a
        97e5ea0490f05107c5d4d1773841b4a533b737f2

Comment 12 Kaushik Banerjee 2014-08-28 09:00:19 UTC
Verified in version sssd-1.11.6-28.el6

Output from beaker run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_simple_006: simple_allow_groups=DOMAIN\group
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'su_success user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_permission_denied user2_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_simple_006: simple_allow_groups=DOMAIN\group

Comment 13 errata-xmlrpc 2014-10-14 04:49:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html

