Bug 1248366 - Unable to resolve User IDs from trusted Domain
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: SSSD Maintainers
QA Contact: Kaushik Banerjee
Reported: 2015-07-30 03:49 EDT by Paul
Modified: 2015-08-05 08:21 EDT (History)

Doc Type: Bug Fix
Last Closed: 2015-08-05 08:21:15 EDT
Type: Bug

Attachments
SSSD Logfiles (102.26 KB, text/plain)
2015-07-30 03:49 EDT, Paul

Description Paul 2015-07-30 03:49:00 EDT
Created attachment 1057549
SSSD Logfiles

Dear Sir or Madam,

My colleague configured an external trust for our existing Active Directory. We have joined our Linux Server using realmd and aren't able to resolve any user IDs from the new trusted domain using sssd. I am in fact able to get a Kerberos Ticket with credentials of the trusted domain. Is this a known issue? Please let me know if I am able to provide any further information. Logfiles are attached to this report.

System requirements:
- centos7/rhel7 with sssd 1.12.2-58 joined to active directory domain 'content.zone'. 'content.zone' in turn trusts (one-way, external) the domain 'oew.de'.

- 'id user@oew.de' gives the error message ' GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)]'
- resolving user@content.zone works without a hitch.

Error Message:
(Thu Jul 30 09:07:28 2015) [sssd[be[content.zone]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)]

How to reproduce:
sudo realm join --user="administrator" --computer-ou=OU=Computers,OU=CAP,DC=content,DC=zone content.zone
sudo systemctl stop sssd; sudo rm -rf /var/lib/sss/db/*; sudo systemctl start sssd
id administrator@oew.de

Paul Becker
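As an added example (not code from this report or from the SSSD project), the following parses sssd debug lines in the layout of the error message above into timestamp, process, backend domain, function, debug level and message, and flags the GSSAPI/Kerberos bind failures per backend domain, so the failing domain can be read off a large log such as the attached one. The second sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout of an sssd debug line: (timestamp) [sssd[process[domain]]] [function] (0xLEVEL): message
# The [domain] part is only present for data-provider backends ("be"), e.g. [sssd[be[content.zone]]].
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>[a-z_]+)(?:\[(?P<domain>[^\]]+)\])?\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Failure-class bits of sssd's debug_level bitmask (as described for debug_level in sssd.conf(5)).
LEVEL_NAMES = {0x10: "fatal", 0x20: "critical", 0x40: "serious", 0x80: "minor failure"}

@dataclass
class SssdLogEntry:
    timestamp: str
    process: str
    domain: Optional[str]  # None for domain-less processes such as [sssd[nss]]
    function: str
    level: int
    message: str

def parse_line(line: str) -> Optional[SssdLogEntry]:
    """Parse one sssd debug line; return None for lines that do not follow the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SssdLogEntry(m["ts"], m["proc"], m["domain"], m["func"], int(m["level"], 16), m["msg"])

# Substrings that identify the Kerberos/GSSAPI bind failure quoted in the report.
KRB_HINTS = ("GSSAPI Error", "Server not found in Kerberos database")

def find_gssapi_failures(lines):
    """Return (backend domain, function, level name) for every GSSAPI/Kerberos failure line."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is not None and any(h in e.message for h in KRB_HINTS):
            hits.append((e.domain, e.function, LEVEL_NAMES.get(e.level, hex(e.level))))
    return hits

# Constructed sample: the first line is the one quoted in the report, the second is made up.
SAMPLE_LOG = [
    "(Thu Jul 30 09:07:28 2015) [sssd[be[content.zone]]] [sasl_bind_send] (0x0080): Extended failure "
    "message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may "
    "provide more information (Server not found in Kerberos database)]",
    "(Thu Jul 30 09:07:28 2015) [sssd[nss]] [nss_cmd_getbyname] (0x0100): Requesting info for "
    "[administrator@oew.de] (constructed)",
]
```

Running find_gssapi_failures over a real sssd_<domain>.log points at the backend domain whose LDAP bind is failing, which is the one whose Kerberos service lookup should be checked first.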
Comment 3 Paul 2015-07-30 07:27:21 EDT
We have reconfigured the trust from a one-directional external trust to a bi-directional external trust. With this we get the IDs without any problems. As an alternative we have tried joining our server with pbis/likewise-open and didn't need a bi-directional trust. Would you mind explaining why SSSD needs a trust in the different direction?
Comment 4 Jakub Hrozek 2015-08-05 08:21:15 EDT
I'm glad it works now. Some details were cleared up on the sssd-devel list.

One-way trust is a feature of RHEL-7.2
