Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1219285 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.1
Unspecified Linux
medium Severity high
: rc
: ---
Assigned To: Sumit Bose
Kaushik Banerjee
:
Depends On:
Blocks: 1219844 1263262
  Show dependency treegraph
 
Reported: 2015-05-06 19:50 EDT by Harald Jensås
Modified: 2015-11-19 06:38 EST (History)
11 users (show)

See Also:
Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Bug Fix
Doc Text:
Cause: IPA clients that are views-enabled were unconditionally looking for a views-related attribute Consequence: AD user's group membership was failing as the lookup request failed after not being able to dereference the view name Fix: If LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) or LDAP_PROTOCOL_ERROR(2) is returned, those errors are ignored and client assumes the server is not views-aware Result: AD user's group membership resolution is no longer failing when a RHEL-7 client was enrolled to RHEL-6 server.
Story Points: ---
Clone Of:
: 1219844 1263262 (view as bug list)
Environment:
Last Closed: 2015-11-19 06:38:45 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
SOS Report for RHEL 7.1 IPA Client. SSSD debug level 9 enabled. (5.35 MB, application/x-xz)
2015-05-06 19:59 EDT, Harald Jensås 		no flags Details
SOS Report for RHEL 6.6 IPA Server, winbind with debug level 100. (6.79 MB, application/x-xz)
2015-05-06 20:01 EDT, Harald Jensås 		no flags Details
SOS Report for RHEL 6.6 IPA Client. For client configuration reference. This client works as expected. (6.08 MB, application/x-xz)
2015-05-06 20:03 EDT, Harald Jensås 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 05:27:42 EST

  None (edit)
Description Harald Jensås 2015-05-06 19:50:47 EDT 
Description of problem:
When using RHEL 7.1 client with SSSD (sssd-1.12.2-58.el7_1.6.x86_64) AD group memberships are not resolved.

When using RHEL 6.6 client with SSSD (sssd-1.11.6-30.el6_6.4.x86_64) AD group memberships are resolved.









Version-Release number of selected component (if applicable):
Client:
 :: Red Hat Enterprise Linux Server release 7.1 (Maipo)
  :: sssd-1.12.2-58.el7_1.6.x86_64

Server:
 :: Red Hat Enterprise Linux Server release 6.6 (Santiago)
  :: ipa-server-3.0.0-42.el6.x86_64

How reproducible:
Every time.

Steps to Reproduce:
1. Install RHEL 6.6 IPA server configured with trust to Windows 2012 R2 Active Directory.
 - Users in AD:
     hjensas, rhel6user
 - Groups in AD:
     nix-users
   : nix-users group Members: hjensas, rhel6user
2. Groups in IPA
   ipa group-add --desc='AD nix users external map' ad_nix-users_external --external
   ipa group-add --desc='AD nix-users' nix-users
   ipa group-add-member ad_nix-users_external --external "nix-users@example.com"
   ipa group-add-member nix-users --groups ad_nix-users_external
...
[root@ipa01 ~]# ipa group-show ad_nix-users_external
  Group name: ad_nix-users_external
  Description: AD nix users external map
  Member of groups: nix-users
  External member: S-1-5-21-3630949036-529635555-1148799846-1115
[root@ipa01 ~]# ipa group-show nix-users
  Group name: nix-users
  Description: AD nix-users
  GID: 100004
  Member groups: ad_nix-users_external
...
3. Install RHEL 7.1 from DVD and attach subscription.
4. On RHEL 7.1 client:
 :: subscription-manager repos --disable=*
 :: subscription-manager repos --enable=rhel-7-server-rpms
 :: yum install ipa-client -y ; yum update -y
 :: reboot
 :: ipa-client-install

5. On RHEL 7.1 client - Add auth_to_local rules in krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = NIX.EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  NIX.EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/
    auth_to_local = RULE:[1:$1@$0](^.*@NIX.EXAMPLE.COM$)s/@NIX.EXAMPLE.COM/@nix.example.com/
    auth_to_local = DEFAULT
  }

[domain_realm]
  .nix.example.com = NIX.EXAMPLE.COM
  nix.example.com = NIX.EXAMPLE.COM

6. On RHEL 7.1 client - add PAC service in sssd
[domain/nix.example.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient-rhel7.nix.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa01.nix.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
debug_level = 9
services = nss, sudo, pam, ssh, pac
config_file_version = 2
domains = nix.example.com
default_domain_suffix = example.com

[nss]
debug_level = 9
homedir_substring = /home

[pam]
debug_level = 9

[sudo]
debug_level = 9

[autofs]
debug_level = 9

[ssh]
debug_level = 9

[pac]
debug_level = 9

[ifp]
debug_level = 9



Actual results:
___ RHEL 7.1 client, UNSUCCESSFUL resolving nix-users membership ___
$ ssh hjensas@ipaclient-rhel7.nix.example.com
hjensas@ipaclient-rhel7.nix.example.com's password: 
Last failed login: Thu May  7 01:38:01 CEST 2015 from 192.168.102.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu May  7 01:24:47 2015 from 192.168.102.1
Could not chdir to home directory /home/example.com/hjensas: No such file or directory
-sh-4.2$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.1 (Maipo)
-sh-4.2$ id
uid=806601104(hjensas@example.com) gid=806601104(hjensas@example.com) groups=806601104(hjensas@example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

___ RHEL 6.6 client, SUCCESS resolving nix-users membership ___
$ ssh hjensas@idmclient01.nix.example.com
hjensas@idmclient01.nix.example.com's password: 
Last login: Thu May  7 01:21:17 2015 from 192.168.102.1
Could not chdir to home directory /home/example.com/hjensas: No such file or directory
-bash-4.1$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.6 (Santiago)
-bash-4.1$ id
uid=806601104(hjensas@example.com) gid=806601104(hjensas@example.com) groups=806601104(hjensas@example.com),100004(nix-users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
RHEL 7.1 client should be able to resolve group membership via PAC, like the RHEL 6.6 client can using the same IPA server with AD Trust.

Additional info:
SOS reports from all systems, RHEL 6 IPA server, RHEL 6 IPA client and RHEL 7 IPA client attached.
Comment 1 Harald Jensås 2015-05-06 19:59:02 EDT 
Created attachment 1022840 [details]
SOS Report for RHEL 7.1 IPA Client. SSSD debug level 9 enabled.
Comment 2 Harald Jensås 2015-05-06 20:01:27 EDT 
Created attachment 1022841 [details]
SOS Report for RHEL 6.6 IPA Server, winbind with debug level 100.
Comment 3 Harald Jensås 2015-05-06 20:03:03 EDT 
Created attachment 1022843 [details]
SOS Report for RHEL 6.6 IPA Client. For client configuration reference. This client works as expected.
Comment 5 Sumit Bose 2015-05-07 04:55:32 EDT 
I think a change in the pac responder caused this. I will prepare a test build.
Comment 6 Sumit Bose 2015-05-07 08:04:53 EDT 
It is not related to the PAC responder but to the new code which tries to determine if the client has assigned a view. Older versions of 398ds return an error here but it looks there is a different error code used by different releases. In the given case it is '389-Directory/1.2.11.15' and it returns LDAP_PROTOCOL_ERROR. Newer versions (I tested with '389-Directory/1.3.3.8') return LDAP_UNAVAILABLE_CRITICAL_EXTENSION.

The LDAP_UNAVAILABLE_CRITICAL_EXTENSION is already handle correctly by SSSD, support must be added for the LDAP_PROTOCOL_ERROR case.
Comment 7 Jakub Hrozek 2015-05-10 15:23:42 EDT 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2650
Comment 8 Jakub Hrozek 2015-05-12 05:21:29 EDT 
Fixed upstream:
    master: a50b229c8ea1e22c9efa677760b94d8c48c3ec89
    sssd-1-12: 0f85298a31beb53375635b82cb274d29eae45774
Comment 12 Jakub Hrozek 2015-09-18 04:33:59 EDT 
Sudhir, since this turned out to be an IPA issue, can you please move this bugzilla to VERIFIED and remove the FailedQA keyword?
Comment 13 Sudhir Menon 2015-09-18 04:37:56 EDT 
Moving this bug to VERIFIED. Cloned Bug #1263262
Comment 14 errata-xmlrpc 2015-11-19 06:38:45 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.