
Bug 1125187

Summary: simple_allow_groups does not lookup groups from other AD domains
Product: Red Hat Enterprise Linux 6
Component: sssd
Version: 6.6
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Kaushik Banerjee <kbanerje>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Kaushik Banerjee <kbanerje>
CC: dpal, grajaiya, jgalipea, kbanerje, lslebodn, mkosek, pbrezina, preichl, tlavigne
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.6-28.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 04:49:13 UTC
Type: Bug

Description Kaushik Banerjee 2014-07-31 09:29:23 UTC
Description of problem:
simple_allow_groups does not lookup groups from other AD domains

Version-Release number of selected component (if applicable):
sssd-1.11.6-12.el6

How reproducible:
Always

Steps to Reproduce:
1. sssd configured for ad provider. primary domain=sssdad.com
[domain/sssdad.com]
id_provider = ad
debug_level = 0xFFF0
use_fully_qualified_names = True
access_provider = simple
simple_allow_groups=group1_dom3.com

2. Lookup the child domain group
# getent group group1_dom3.com
group1_dom3.com:*:1184401714:user1_dom3.com

3. # ssh -l user1_dom3.com localhost
user1_dom3.com@localhost's password: 
Connection closed by ::1

Actual results:
Access is denied

Domain log shows:
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_primary] (0x0040): Could not look up primary group [1184401711]: [2][No such file or directory]
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted

Expected results:
Access should be permitted

Additional info:
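
Added example (not part of the original report and not SSSD code): a Python check that scans an SSSD domain log for the signature shown above, a failed primary-group lookup followed by "Access not granted" in the same backend, and separates it from an ordinary denial. The last three sample lines are constructed, and correlating per backend domain rather than per request is a simplifying assumption.

```python
import re
from datetime import datetime

# First four lines are the domain log from the report; the last three are
# constructed: an ordinary denial with no failed group lookup before it.
SAMPLE_LOG = """\
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_primary] (0x0040): Could not look up primary group [1184401711]: [2][No such file or directory]
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:07:32 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted
(Thu Jul 31 05:09:10 2014) [sssd[be[sssdad.com]]] [simple_check_get_groups_send] (0x0400): All groups had name attribute
(Thu Jul 31 05:09:10 2014) [sssd[be[sssdad.com]]] [simple_access_check_done] (0x2000): Group check done
(Thu Jul 31 05:09:10 2014) [sssd[be[sssdad.com]]] [simple_access_check_recv] (0x1000): Access not granted
"""

# (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
GID_RE = re.compile(r"Could not look up primary group \[(\d+)\]")

def parse_line(line):
    """Split one debug line into its fields; None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec

def find_denials_after_lookup_failure(log_text):
    """Return denials preceded by a failed primary-group lookup in the same backend."""
    pending = {}   # backend domain -> GIDs that failed to resolve in the current check
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["func"] == "simple_check_get_groups_primary":
            gid = GID_RE.search(rec["msg"])
            if gid:
                pending.setdefault(rec["domain"], []).append(int(gid.group(1)))
        elif rec["func"] == "simple_access_check_recv":
            gids = pending.pop(rec["domain"], [])   # the check is over either way
            if gids and rec["msg"] == "Access not granted":
                findings.append({"domain": rec["domain"], "time": rec["ts"],
                                 "unresolved_gids": gids})
    return findings
```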

Comment 1 Jakub Hrozek 2014-07-31 09:35:10 UTC
Pavel, didn't we fix this bug some time ago?

Comment 3 Pavel Reichl 2014-07-31 11:08:19 UTC
Jakub,

I believe you mean:

https://bugzilla.redhat.com/show_bug.cgi?id=1092766

Comment 6 Jakub Hrozek 2014-08-14 07:57:55 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2407

Comment 10 Jakub Hrozek 2014-08-26 15:45:25 UTC
Fixed upstream:

    master:
        99f53d551a1db5d8023b4271eb691d554257624c
        174e9ec6f88d709b6e9481ed06a322c0fc495842
        21f2821a4420291c8eb3ee9d427e9e1b0a1d9989 
    sssd-1-11:
        414f520ee793cdee5973eeab35a09a70081f95bd
        6656b818d1b4400052aee33ab50385abbe1b1a6a
        97e5ea0490f05107c5d4d1773841b4a533b737f2

Comment 12 Kaushik Banerjee 2014-08-28 09:00:19 UTC
Verified in version sssd-1.11.6-28.el6

Output from beaker run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ad_forest_simple_006: simple_allow_groups=DOMAIN\group
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'su_success user1_dom1 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success user1_dom2 Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_success user1_dom3.com Secret123' (Expected 0, got 0)
:: [   PASS   ] :: Command 'su_permission_denied user2_dom1 Secret123' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: ad_forest_simple_006: simple_allow_groups=DOMAIN\group

Comment 13 errata-xmlrpc 2014-10-14 04:49:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html