Bug 1263262 - Unable to resolve group memberships for AD users when using sssd-1.12.2-58.el7_1.6.x86_64 client in combination with ipa-server-3.0.0-42.el6.x86_64 with AD Trust
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.7
Hardware: All Linux
Priority: urgent, Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Keywords: ZStream
Depends On: 1219285
Blocks: 1272422 1219844 1280207
Reported: 2015-09-15 09:06 EDT by Sumit Bose
Modified: 2016-05-10 20:08 EDT
Fixed In Version: ipa-3.0.0-48.el6
Doc Type: Bug Fix
Clone Of: 1219285
Clones: 1280207
Last Closed: 2016-05-10 20:08:12 EDT
Type: Bug
Comment 1 Sumit Bose 2015-09-15 09:10:46 EDT
Newer SSSD versions use a request of the IPA extdom plugin which has known issues in IPA-3.0 which are already fixed upstream (https://fedorahosted.org/freeipa/ticket/3596).

The three patches from the upstream ticket are needed to allow SSSD 1.12 and above to properly resolve groups from the trusted AD domain with a RHEL-6 IPA server.
Comment 3 Martin Kosek 2015-09-17 09:23:54 EDT
Moving to POST, upstream has the fix already.
Comment 8 Sudhir Menon 2016-02-23 10:54:19 EST
Verified using RHEL6.8 IPA server and client

ipa-client-3.0.0-50.el6.x86_64
ipa-server-3.0.0-50.el6.x86_64

[root@r68server ~]# ipa group-add-member ad_nix-users_external --external "nix-users@pne.qe"
[member user]:
[member group]:
  Group name: ad_nix-users_external
  Description: AD nix users external map
  External member: S-1-5-21-2828791737-1866347024-3967946728-1616
-------------------------
Number of members added 1
-------------------------
 
[root@r68server ~]# ipa group-add-member nix-users --groups ad_nix-users_external
  Group name: nix-users
  Description: AD nix-users
  GID: 953200004
  Member groups: ad_nix-users_external
-------------------------
Number of members added 1
-------------------------
 
[root@r68server ~]# ipa group-show ad_nix-users_external
  Group name: ad_nix-users_external
  Description: AD nix users external map
  Member of groups: nix-users
  External member: S-1-5-21-2828791737-1866347024-3967946728-1616
 
[root@r68server ~]# ipa group-show nix-users
  Group name: nix-users
  Description: AD nix-users
  GID: 953200004
  Member groups: ad_nix-users_external
 
[root@r68server ~]# ssh -l hjensas@pne.qe r683.dom226.in
hjensas@pne.qe@r683.dom226.in's password:
Could not chdir to home directory /home/pne.qe/hjensas: No such file or directory
-sh-4.1$ id
uid=11614(hjensas@pne.qe) gid=11614(hjensas@pne.qe) groups=11614(hjensas@pne.qe),10513(domain users@pne.qe),11616(nix-users@pne.qe),953200004(nix-users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
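
Added example (not part of the bug report or of comment 8): a POSIX sh helper that checks a line of `id` output for the expected groups, parsing the gid(name) entries because AD group names such as "domain users@pne.qe" contain spaces. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: check group resolution for a trusted AD user from `id` output.

# Print one group name per line from a single line of `id` output.
# Entries look like gid(name); names may contain spaces and '@',
# e.g. "domain users@pne.qe", so splitting on whitespace is not safe.
id_groups() {
    case "$1" in
        *groups=*) ;;
        *) return 1 ;;            # no groups= field at all
    esac
    list=${1#*groups=}            # drop everything up to groups=
    list=${list%% context=*}      # drop the SELinux context, if present
    printf '%s\n' "$list" | tr ',' '\n' |
        sed -n 's/^[0-9][0-9]*(\(.*\))$/\1/p'
}

# Succeed only if every group named after the id line is present.
# Prints each missing group on stderr; returns 2 if the line is unparsable.
check_groups() {
    line=$1; shift
    resolved=$(id_groups "$line") || return 2
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$resolved" | grep -Fxq -- "$want"; then
            echo "missing group: $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Sample 1: the id output shown in the verification above.
GOOD='uid=11614(hjensas@pne.qe) gid=11614(hjensas@pne.qe) groups=11614(hjensas@pne.qe),10513(domain users@pne.qe),11616(nix-users@pne.qe),953200004(nix-users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
# Sample 2: constructed for illustration, only the primary group resolved.
BAD='uid=11614(hjensas@pne.qe) gid=11614(hjensas@pne.qe) groups=11614(hjensas@pne.qe)'

# Expect both the AD group and the IPA POSIX group it maps to.
check_groups "$GOOD" 'nix-users@pne.qe' 'nix-users' && echo "AD and IPA groups resolved"
check_groups "$BAD" 'nix-users@pne.qe' 'nix-users' || echo "group resolution incomplete"
```

On a client, pass the live output instead of the samples, for example check_groups "$(id 'hjensas@pne.qe')" 'nix-users@pne.qe' 'nix-users'.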
Comment 10 errata-xmlrpc 2016-05-10 20:08:12 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0874.html
