Bug 1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
Summary: Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.1
Hardware: Unspecified
OS: Linux
medium
high
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1219844 1263262
Reported: 2015-05-06 23:50 UTC by Harald Jensås
Modified: 2020-05-02 18:04 UTC (History)

Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Cause: IPA clients that are views-enabled were unconditionally looking for a views-related attribute.
Consequence: AD users' group membership resolution failed, because the lookup request failed after the view name could not be dereferenced.
Fix: If LDAP_UNAVAILABLE_CRITICAL_EXTENSION (12) or LDAP_PROTOCOL_ERROR (2) is returned, those errors are ignored and the client assumes the server is not views-aware.
Result: AD users' group membership resolution no longer fails when a RHEL 7 client is enrolled to a RHEL 6 server.
Clone Of:
: 1219844 1263262 (view as bug list)
Environment:
Last Closed: 2015-11-19 11:38:45 UTC
Target Upstream Version:


Attachments
SOS Report for RHEL 7.1 IPA Client. SSSD debug level 9 enabled. (5.35 MB, application/x-xz)
2015-05-06 23:59 UTC, Harald Jensås
SOS Report for RHEL 6.6 IPA Server, winbind with debug level 100. (6.79 MB, application/x-xz)
2015-05-07 00:01 UTC, Harald Jensås
SOS Report for RHEL 6.6 IPA Client. For client configuration reference. This client works as expected. (6.08 MB, application/x-xz)
2015-05-07 00:03 UTC, Harald Jensås


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 3691 None None None 2020-05-02 18:04:17 UTC
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Harald Jensås 2015-05-06 23:50:47 UTC
Description of problem:
When using RHEL 7.1 client with SSSD (sssd-1.12.2-58.el7_1.6.x86_64) AD group memberships are not resolved.

When using RHEL 6.6 client with SSSD (sssd-1.11.6-30.el6_6.4.x86_64) AD group memberships are resolved.

Version-Release number of selected component (if applicable):
Client:
 :: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  :: sssd-1.12.2-58.el7_1.6.x86_64

Server:
 :: Red Hat Enterprise Linux Server release 6.6 (Santiago)
  :: ipa-server-3.0.0-42.el6.x86_64

How reproducible:
Every time.

Steps to Reproduce:
1. Install RHEL 6.6 IPA server configured with trust to Windows 2012 R2 Active Directory.
 - Users in AD:
     hjensas, rhel6user
 - Groups in AD:
     nix-users
   : nix-users group Members: hjensas, rhel6user
2. Groups in IPA
   ipa group-add --desc='AD nix users external map' ad_nix-users_external --external
   ipa group-add --desc='AD nix-users' nix-users
   ipa group-add-member ad_nix-users_external --external "nix-users@example.com"
   ipa group-add-member nix-users --groups ad_nix-users_external
...
[root@ipa01 ~]# ipa group-show ad_nix-users_external
  Group name: ad_nix-users_external
  Description: AD nix users external map
  Member of groups: nix-users
  External member: S-1-5-21-3630949036-529635555-1148799846-1115
[root@ipa01 ~]# ipa group-show nix-users
  Group name: nix-users
  Description: AD nix-users
  GID: 100004
  Member groups: ad_nix-users_external
...
3. Install RHEL 7.1 from DVD and attach subscription.
4. On RHEL 7.1 client:
 :: subscription-manager repos --disable=*
 :: subscription-manager repos --enable=rhel-7-server-rpms
 :: yum install ipa-client -y ; yum update -y
 :: reboot
 :: ipa-client-install

5. On RHEL 7.1 client - Add auth_to_local rules in krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = NIX.EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  NIX.EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/
    auth_to_local = RULE:[1:$1@$0](^.*@NIX.EXAMPLE.COM$)s/@NIX.EXAMPLE.COM/@nix.example.com/
    auth_to_local = DEFAULT
  }

[domain_realm]
  .nix.example.com = NIX.EXAMPLE.COM
  nix.example.com = NIX.EXAMPLE.COM

6. On RHEL 7.1 client - add PAC service in sssd
[domain/nix.example.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient-rhel7.nix.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa01.nix.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
debug_level = 9
services = nss, sudo, pam, ssh, pac
config_file_version = 2
domains = nix.example.com
default_domain_suffix = example.com

[nss]
debug_level = 9
homedir_substring = /home

[pam]
debug_level = 9

[sudo]
debug_level = 9

[autofs]
debug_level = 9

[ssh]
debug_level = 9

[pac]
debug_level = 9

[ifp]
debug_level = 9



Actual results:
___ RHEL 7.1 client, UNSUCCESSFUL resolving nix-users membership ___
$ ssh hjensas@ipaclient-rhel7.nix.example.com
hjensas@ipaclient-rhel7.nix.example.com's password: 
Last failed login: Thu May  7 01:38:01 CEST 2015 from 192.168.102.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu May  7 01:24:47 2015 from 192.168.102.1
Could not chdir to home directory /home/example.com/hjensas: No such file or directory
-sh-4.2$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.1 (Maipo)
-sh-4.2$ id
uid=806601104(hjensas@example.com) gid=806601104(hjensas@example.com) groups=806601104(hjensas@example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

___ RHEL 6.6 client, SUCCESS resolving nix-users membership ___
$ ssh hjensas@idmclient01.nix.example.com
hjensas@idmclient01.nix.example.com's password: 
Last login: Thu May  7 01:21:17 2015 from 192.168.102.1
Could not chdir to home directory /home/example.com/hjensas: No such file or directory
-bash-4.1$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.6 (Santiago)
-bash-4.1$ id
uid=806601104(hjensas@example.com) gid=806601104(hjensas@example.com) groups=806601104(hjensas@example.com),100004(nix-users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
RHEL 7.1 client should be able to resolve group membership via PAC, like the RHEL 6.6 client can using the same IPA server with AD Trust.

Additional info:
SOS reports from all systems, RHEL 6 IPA server, RHEL 6 IPA client and RHEL 7 IPA client attached.
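As an added example (not part of the bug report or of SSSD/krb5), a small evaluator for the auth_to_local rules from step 5, showing which local name each Kerberos principal maps to and that a principal from a realm neither rule covers maps to nothing. The rule parser is a simplified reimplementation of the MIT krb5 RULE/DEFAULT syntax; the realm and rules are taken from the krb5.conf above, the sample principals are constructed.

```python
import re

# Values taken from the krb5.conf shown in step 5 of the report.
LOCAL_REALM = "NIX.EXAMPLE.COM"
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/",
    "RULE:[1:$1@$0](^.*@NIX.EXAMPLE.COM$)s/@NIX.EXAMPLE.COM/@nix.example.com/",
    "DEFAULT",
]

# RULE:[n:format](selector)s/pattern/replacement/[g]...  (simplified MIT krb5 syntax)
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
_SUBST = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def _apply_rule(rule, components, realm):
    """Return the mapped name, or None if this rule does not apply."""
    m = _RULE.match(rule)
    if m is None:
        raise ValueError("unsupported auth_to_local rule: %s" % rule)
    ncomp, fmt, selector, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(components) != ncomp:          # rule only applies to n-component principals
        return None
    name = fmt.replace("$0", realm)       # $0 is the realm, $1..$n the name components
    for i in range(ncomp, 0, -1):
        name = name.replace("$%d" % i, components[i - 1])
    if selector is not None and re.search(selector, name) is None:
        return None                       # selector regex did not match: try the next rule
    for pattern, replacement, flag in _SUBST.findall(substs):
        name = re.sub(pattern, replacement, name, count=0 if flag == "g" else 1)
    return name


def map_principal(principal, rules=AUTH_TO_LOCAL, local_realm=LOCAL_REALM):
    """First matching rule wins; None means the principal maps to no local user."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps single-component principals of the local realm
            if realm == local_realm and len(components) == 1:
                return components[0]
            continue
        mapped = _apply_rule(rule, components, realm)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    # Constructed sample principals: the AD user from the report, a local user,
    # a two-component host principal and a principal from an uncovered realm.
    for p in ("hjensas@EXAMPLE.COM", "hjensas@NIX.EXAMPLE.COM",
              "host/ipa01.nix.example.com@NIX.EXAMPLE.COM", "someone@UNTRUSTED.EXAMPLE"):
        print(p, "->", map_principal(p))
```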

Comment 1 Harald Jensås 2015-05-06 23:59:02 UTC
Created attachment 1022840 [details]
SOS Report for RHEL 7.1 IPA Client. SSSD debug level 9 enabled.

Comment 2 Harald Jensås 2015-05-07 00:01:27 UTC
Created attachment 1022841 [details]
SOS Report for RHEL 6.6 IPA Server, winbind with debug level 100.

Comment 3 Harald Jensås 2015-05-07 00:03:03 UTC
Created attachment 1022843 [details]
SOS Report for RHEL 6.6 IPA Client. For client configuration reference. This client works as expected.

Comment 5 Sumit Bose 2015-05-07 08:55:32 UTC
I think a change in the pac responder caused this. I will prepare a test build.

Comment 6 Sumit Bose 2015-05-07 12:04:53 UTC
It is not related to the PAC responder but to the new code which tries to determine if the client has a view assigned. Older versions of 389-DS return an error here, but it looks like a different error code is used by different releases. In the given case it is '389-Directory/1.2.11.15' and it returns LDAP_PROTOCOL_ERROR. Newer versions (I tested with '389-Directory/1.3.3.8') return LDAP_UNAVAILABLE_CRITICAL_EXTENSION.

The LDAP_UNAVAILABLE_CRITICAL_EXTENSION case is already handled correctly by SSSD; support must be added for the LDAP_PROTOCOL_ERROR case.

Comment 7 Jakub Hrozek 2015-05-10 19:23:42 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2650

Comment 8 Jakub Hrozek 2015-05-12 09:21:29 UTC
Fixed upstream:
    master: a50b229c8ea1e22c9efa677760b94d8c48c3ec89
    sssd-1-12: 0f85298a31beb53375635b82cb274d29eae45774

Comment 12 Jakub Hrozek 2015-09-18 08:33:59 UTC
Sudhir, since this turned out to be an IPA issue, can you please move this bugzilla to VERIFIED and remove the FailedQA keyword?

Comment 13 Sudhir Menon 2015-09-18 08:37:56 UTC
Moving this bug to VERIFIED. Cloned Bug #1263262

Comment 14 errata-xmlrpc 2015-11-19 11:38:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html

