Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
Cause: IPA clients that are views-enabled unconditionally looked for a views-related attribute.
Consequence: AD users' group membership resolution failed, because the lookup request failed when the view name could not be dereferenced.
Fix: If LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) or LDAP_PROTOCOL_ERROR(2) is returned, those errors are ignored and the client assumes the server is not views-aware.
Result: AD users' group membership resolution no longer fails when a RHEL-7 client is enrolled to a RHEL-6 server.
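The following is an added model of the decision the Fix line describes; it is not SSSD code. The server, the group data and the view name are constructed stand-ins, and the hostname and user come from the report below. It shows why tolerating only the two named result codes matters: an old 389-ds that answers the view probe with LDAP_PROTOCOL_ERROR(2) or LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) is treated as "not views-aware" and the group lookup continues, while any other failure still aborts the lookup instead of being silently mistaken for an old server.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Union

# LDAP result codes from RFC 4511. The two named in the bug's Fix line are the
# ones the client now treats as "this server does not understand ID views".
LDAP_SUCCESS = 0
LDAP_PROTOCOL_ERROR = 2
LDAP_UNAVAILABLE_CRITICAL_EXTENSION = 12
LDAP_UNWILLING_TO_PERFORM = 53  # used below as an unrelated, genuine failure

# Per the comment in the bug, code 12 was already tolerated; the fix adds code 2.
BEFORE_FIX: FrozenSet[int] = frozenset({LDAP_UNAVAILABLE_CRITICAL_EXTENSION})
AFTER_FIX: FrozenSet[int] = frozenset({LDAP_PROTOCOL_ERROR, LDAP_UNAVAILABLE_CRITICAL_EXTENSION})


class LdapError(Exception):
    def __init__(self, code: int):
        super().__init__(f"LDAP result code {code}")
        self.code = code


@dataclass
class FakeIpaServer:
    """Constructed stand-in for an IPA directory server (no real LDAP traffic).

    views_lookup_code is what the server answers when the client asks which ID
    view is assigned to its host entry: 0 for a views-aware server, 2 or 12 for
    the older 389-ds releases described in the bug, anything else for an
    unrelated failure.
    """
    views_lookup_code: int
    view_name: Optional[str] = None
    groups: Dict[str, List[str]] = field(default_factory=dict)

    def lookup_assigned_view(self, hostname: str) -> Optional[str]:
        if self.views_lookup_code != LDAP_SUCCESS:
            raise LdapError(self.views_lookup_code)
        return self.view_name

    def lookup_groups(self, user: str) -> List[str]:
        return list(self.groups.get(user, []))


def probe_assigned_view(server: FakeIpaServer, hostname: str,
                        tolerated: FrozenSet[int]) -> Optional[str]:
    """Ask the server for the host's ID view.

    Result codes in `tolerated` mean "server is not views-aware": the probe
    returns None and the caller carries on without a view. Every other code
    propagates, so a real outage is not masked as an old server.
    """
    try:
        return server.lookup_assigned_view(hostname)
    except LdapError as err:
        if err.code in tolerated:
            return None
        raise


def resolve_user(server: FakeIpaServer, hostname: str, user: str,
                 tolerated: FrozenSet[int] = AFTER_FIX) -> Dict[str, object]:
    """Model of the client's lookup order: view probe first, then group membership."""
    view = probe_assigned_view(server, hostname, tolerated)
    return {"view": view, "groups": server.lookup_groups(user)}


# Constructed sample data mirroring the report: both AD users are in nix-users.
GROUPS = {"hjensas": ["nix-users"], "rhel6user": ["nix-users"]}
HOST = "ipaclient-rhel7.nix.example.com"

OLD_389DS = FakeIpaServer(LDAP_PROTOCOL_ERROR, groups=GROUPS)                 # 389-Directory/1.2.11.15
NEWER_389DS = FakeIpaServer(LDAP_UNAVAILABLE_CRITICAL_EXTENSION, groups=GROUPS)  # 389-Directory/1.3.3.8
VIEWS_AWARE = FakeIpaServer(LDAP_SUCCESS, view_name="sample-view", groups=GROUPS)  # constructed view name
OUTAGE = FakeIpaServer(LDAP_UNWILLING_TO_PERFORM, groups=GROUPS)


def lookup_outcome(server: FakeIpaServer, tolerated: FrozenSet[int]) -> Union[List[str], int]:
    """Return hjensas's resolved groups, or the LDAP code that aborted the lookup."""
    try:
        return resolve_user(server, HOST, "hjensas", tolerated)["groups"]
    except LdapError as err:
        return err.code


if __name__ == "__main__":
    for label, srv in [("old 389-ds", OLD_389DS), ("newer 389-ds", NEWER_389DS),
                       ("views-aware", VIEWS_AWARE), ("outage", OUTAGE)]:
        print(f"{label:>13}: before fix={lookup_outcome(srv, BEFORE_FIX)!r}"
              f"  after fix={lookup_outcome(srv, AFTER_FIX)!r}")
```

Running it prints one line per server: before the fix the old 389-ds case ends in result code 2 (the empty `groups=` seen in the report's `id` output), after the fix it resolves `nix-users`, and the outage case fails with code 53 in both columns.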
Description of problem:
When using RHEL 7.1 client with SSSD (sssd-1.12.2-58.el7_1.6.x86_64) AD group memberships are not resolved.
When using RHEL 6.6 client with SSSD (sssd-1.11.6-30.el6_6.4.x86_64) AD group memberships are resolved.
Version-Release number of selected component (if applicable):
Client:
:: Red Hat Enterprise Linux Server release 7.1 (Maipo)
:: sssd-1.12.2-58.el7_1.6.x86_64
Server:
:: Red Hat Enterprise Linux Server release 6.6 (Santiago)
:: ipa-server-3.0.0-42.el6.x86_64
How reproducible:
Every time.
Steps to Reproduce:
1. Install RHEL 6.6 IPA server configured with trust to Windows 2012 R2 Active Directory.
- Users in AD:
hjensas, rhel6user
- Groups in AD:
nix-users
: nix-users group Members: hjensas, rhel6user
2. Groups in IPA
ipa group-add --desc='AD nix users external map' ad_nix-users_external --external
ipa group-add --desc='AD nix-users' nix-users
ipa group-add-member ad_nix-users_external --external "nix-users"
ipa group-add-member nix-users --groups ad_nix-users_external
...
[root@ipa01 ~]# ipa group-show ad_nix-users_external
Group name: ad_nix-users_external
Description: AD nix users external map
Member of groups: nix-users
External member: S-1-5-21-3630949036-529635555-1148799846-1115
[root@ipa01 ~]# ipa group-show nix-users
Group name: nix-users
Description: AD nix-users
GID: 100004
Member groups: ad_nix-users_external
...
3. Install RHEL 7.1 from DVD and attach subscription.
4. On RHEL 7.1 client:
:: subscription-manager repos --disable=*
:: subscription-manager repos --enable=rhel-7-server-rpms
:: yum install ipa-client -y ; yum update -y
:: reboot
:: ipa-client-install
5. On RHEL 7.1 client - Add auth_to_local rules in krb5.conf:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = NIX.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
NIX.EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/
auth_to_local = RULE:[1:$1@$0](^.*@NIX.EXAMPLE.COM$)s/@NIX.EXAMPLE.COM/@nix.example.com/
auth_to_local = DEFAULT
}
[domain_realm]
.nix.example.com = NIX.EXAMPLE.COM
nix.example.com = NIX.EXAMPLE.COM
6. On RHEL 7.1 client - add PAC service in sssd
[domain/nix.example.com]
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nix.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient-rhel7.nix.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa01.nix.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
debug_level = 9
services = nss, sudo, pam, ssh, pac
config_file_version = 2
domains = nix.example.com
default_domain_suffix = example.com
[nss]
debug_level = 9
homedir_substring = /home
[pam]
debug_level = 9
[sudo]
debug_level = 9
[autofs]
debug_level = 9
[ssh]
debug_level = 9
[pac]
debug_level = 9
[ifp]
debug_level = 9
Actual results:
___ RHEL 7.1 client, UNSUCCESSFUL resolving nix-users membership ___
$ ssh hjensas.example.com
hjensas.example.com's password:
Last failed login: Thu May 7 01:38:01 CEST 2015 from 192.168.102.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu May 7 01:24:47 2015 from 192.168.102.1
Could not chdir to home directory /home/example.com/hjensas: No such file or directory
-sh-4.2$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.1 (Maipo)
-sh-4.2$ id
uid=806601104(hjensas) gid=806601104(hjensas) groups=806601104(hjensas) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
___ RHEL 6.6 client, SUCCESS resolving nix-users membership ___
$ ssh hjensas.example.com
hjensas.example.com's password:
Last login: Thu May 7 01:21:17 2015 from 192.168.102.1
Could not chdir to home directory /home/example.com/hjensas: No such file or directory
-bash-4.1$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
-bash-4.1$ id
uid=806601104(hjensas) gid=806601104(hjensas) groups=806601104(hjensas),100004(nix-users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Expected results:
RHEL 7.1 client should be able to resolve group membership via PAC, like the RHEL 6.6 client can using the same IPA server with AD Trust.
Additional info:
SOS reports from all systems, RHEL 6 IPA server, RHEL 6 IPA client and RHEL 7 IPA client attached.
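Step 5 of the report adds `auth_to_local` rules to krb5.conf so that principals from the trusted AD realm map to `user@example.com` names. The block below is an added example, not part of the report and not krb5 or SSSD code: a small re-implementation of the MIT krb5 `RULE:[n:string](regexp)s/pattern/replacement/` evaluation for exactly the three rules in that file, so the mapping can be checked offline. It supports a subset of the syntax (one substitution per rule, no escaping of `/` or `@`), and the DEFAULT rule is modelled as "a single-component principal in `default_realm` maps to its first component"; `DEFAULT_REALM` is the `default_realm` value from the same file.

```python
import re
from typing import List, Optional, Tuple

# Values copied from the krb5.conf shown in the report, in evaluation order.
DEFAULT_REALM = "NIX.EXAMPLE.COM"
AUTH_TO_LOCAL_RULES = [
    "RULE:[1:$1@$0](^.*@EXAMPLE.COM$)s/@EXAMPLE.COM/@example.com/",
    "RULE:[1:$1@$0](^.*@NIX.EXAMPLE.COM$)s/@NIX.EXAMPLE.COM/@nix.example.com/",
    "DEFAULT",
]

# RULE:[<n>:<format>](<regexp>)s/<pattern>/<replacement>/<g?>
# The regexp group is greedy so that a literal ')' inside the format is fine;
# the trailing s/../../ is assumed to contain no escaped slashes.
_RULE_RE = re.compile(r"^RULE:\[(\d+):(.*?)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'c1/c2@REALM' into (components, realm). Assumes no escaped '@' or '/'."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name this rule maps the principal to, or None if it does not apply."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":
        if realm == DEFAULT_REALM and len(components) == 1:
            return components[0]
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    ncomp, fmt, regexp, pattern, replacement, flag = m.groups()
    # A rule only applies to principals with exactly n components.
    if len(components) != int(ncomp):
        return None
    # Build the candidate string: $0 is the realm, $1..$n are the components.
    # Substitute higher indices first so "$1" never clobbers "$10".
    candidate = fmt
    for i in range(len(components), 0, -1):
        candidate = candidate.replace(f"${i}", components[i - 1])
    candidate = candidate.replace("$0", realm)
    # The rule applies only if the candidate matches the selector regexp.
    if re.search(regexp, candidate) is None:
        return None
    count = 0 if flag == "g" else 1
    return re.sub(pattern, replacement, candidate, count=count)


def map_principal(principal: str) -> Optional[str]:
    """Evaluate the rules in order; the first rule that applies wins. None means no mapping."""
    for rule in AUTH_TO_LOCAL_RULES:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Constructed sample principals: the AD user from the report, the same user in
    # the IPA realm, a host principal (two components), and a foreign realm.
    for p in ["hjensas@EXAMPLE.COM", "hjensas@NIX.EXAMPLE.COM",
              "host/ipaclient-rhel7.nix.example.com@NIX.EXAMPLE.COM", "someone@OTHER.COM"]:
        print(f"{p:55s} -> {map_principal(p)!r}")
```

The first rule catches only the AD realm (its regexp requires `@EXAMPLE.COM` immediately after the `@`, so `hjensas@NIX.EXAMPLE.COM` falls through to the second rule), which is why `hjensas@EXAMPLE.COM` logs in as `hjensas@example.com` on the client, matching the `default_domain_suffix = example.com` set in the sssd.conf above. Multi-component principals skip both `[1:...]` rules, and a principal from an unlisted realm gets no mapping at all.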
It is not related to the PAC responder but to the new code which tries to determine if the client has an assigned view. Older versions of 389ds return an error here, but it looks like there is a different error code used by different releases. In the given case it is '389-Directory/1.2.11.15' and it returns LDAP_PROTOCOL_ERROR. Newer versions (I tested with '389-Directory/1.3.3.8') return LDAP_UNAVAILABLE_CRITICAL_EXTENSION.
The LDAP_UNAVAILABLE_CRITICAL_EXTENSION case is already handled correctly by SSSD; support must be added for the LDAP_PROTOCOL_ERROR case.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2015-2355.html