Bug 1125187 - simple_allow_groups does not lookup groups from other AD domains
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Reported: 2014-07-31 05:29 EDT by Kaushik Banerjee
Modified: 2014-10-14 00:49 EDT
Fixed In Version: sssd-1.11.6-28.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 00:49:13 EDT
Type: Bug
External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2014:1375
Priority: normal
Status: SHIPPED_LIVE
Summary: sssd bug fix and enhancement update
Last Updated: 2014-10-13 21:06:25 EDT

Description Kaushik Banerjee 2014-07-31 05:29:23 EDT
Description of problem:
simple_allow_groups does not look up groups from other AD domains

Version-Release number of selected component (if applicable):
sssd-1.11.6-12.el6

How reproducible:
Always

Steps to Reproduce:
1. sssd configured for ad provider. primary domain=sssdad.com
[domain/sssdad.com]
id_provider = ad
debug_level = 0xFFF0
use_fully_qualified_names = True
access_provider = simple
simple_allow_groups=group1_dom3@child1.sssdad.com

2. Lookup the child domain group
# getent group group1_dom3@child1.sssdad.com
group1_dom3@child1.sssdad.com:*:1184401714:user1_dom3@child1.sssdad.com

3. # ssh -l user1_dom3@child1.sssdad.com localhost
user1_dom3@child1.sssdad.com@localhost's password: 
Connection closed by ::1

Actual results:
Access is denied

Domain log shows:
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_primary] (0x0040): Could not look up primary group [1184401711]: [2][No such file or directory]
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted

Expected results:
Access should be permitted

Additional info:
Comment 1 Jakub Hrozek 2014-07-31 05:35:10 EDT
Pavel, didn't we fix this bug some time ago?
Comment 3 Pavel Reichl 2014-07-31 07:08:19 EDT
Jakub,

I believe you mean:

https://bugzilla.redhat.com/show_bug.cgi?id=1092766
Comment 6 Jakub Hrozek 2014-08-14 03:57:55 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2407
Comment 10 Jakub Hrozek 2014-08-26 11:45:25 EDT
Fixed upstream:

    master:
        99f53d551a1db5d8023b4271eb691d554257624c
        174e9ec6f88d709b6e9481ed06a322c0fc495842
        21f2821a4420291c8eb3ee9d427e9e1b0a1d9989 
    sssd-1-11:
        414f520ee793cdee5973eeab35a09a70081f95bd
        6656b818d1b4400052aee33ab50385abbe1b1a6a
        97e5ea0490f05107c5d4d1773841b4a533b737f2
Comment 12 Kaushik Banerjee 2014-08-28 05:00:19 EDT
Verified in version sssd-1.11.6-28.el6

Output from beaker run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_simple_006: simple_allow_groups=DOMAIN\group
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'su_success user1_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success user1_dom2@sssdad_tree.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success user1_dom3@child1.sssdad.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_permission_denied user2_dom1@sssdad.com Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_simple_006: simple_allow_groups=DOMAIN\group
Comment 13 errata-xmlrpc 2014-10-14 00:49:13 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html
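
For triage on hosts that have not yet received the fix, the log signature in the description (a failed primary-group lookup followed by "Access not granted" from the same backend) can be separated from ordinary policy denials. The following is an added example, not SSSD code or part of the original report; `find_lookup_denials` is a hypothetical helper, the correlation rule is an assumption based only on the four log lines quoted above, and the last two sample lines are constructed.

```python
import re

# Line layout taken from the domain log quoted in the report:
# (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
GID_RE = re.compile(r"Could not look up primary group \[(\d+)\]")


def find_lookup_denials(lines):
    """Return denials that followed a failed primary-group lookup.

    Hypothetical triage helper: a denial with no preceding lookup failure
    is treated as an ordinary policy decision and is not reported.
    """
    pending = {}  # backend domain -> GIDs that could not be resolved
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or foreign line
        domain, func, msg = m["domain"], m["func"], m["msg"]
        if func == "simple_check_get_groups_primary":
            gid = GID_RE.search(msg)
            if gid:
                pending.setdefault(domain, []).append(int(gid.group(1)))
        elif func == "simple_access_check_recv":
            # The check is over: consume whatever failed during it.
            failed = pending.pop(domain, [])
            if msg == "Access not granted" and failed:
                findings.append(
                    {"time": m["ts"], "domain": domain, "unresolved_gids": failed}
                )
    return findings


# First four lines are from the report; the last two are constructed.
SAMPLE_LOG = """
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_primary] (0x0040): Could not look up primary group [1184401711]: [2][No such file or directory]
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted
(Thu Jul 31 05:09:10 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:09:10 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted
"""

if __name__ == "__main__":
    for finding in find_lookup_denials(SAMPLE_LOG.splitlines()):
        print(finding)
```

The messages involved are logged at the 0x0040 and 0x1000 levels, so the domain needs a `debug_level` that includes them, as the `0xFFF0` setting in the reproduction steps does.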
