Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2723 There are more administrator users: id ''administrator @child1.sssdad.com'' and id ''administrator @sssdad.com''. sssd is joined to the child domain. {{{ [sssd] config_file_version = 2 services = nss, pam domains = child1.sssdad.com [nss] default_shell = /bin/bash [domain/child1.sssdad.com] debug_level = 0xFFF0 id_provider = ad ad_domain = child1.sssdad.com cache_credentials = True krb5_store_password_if_offline = True use_fully_qualified_names = True fallback_homedir = /home/%d/%u }}} but user from root domain ''administrator @sssdad.com'' cannot be resolved. It might be cause by fact that user is stored in different domain {{{ [root@ibm-x3650-03 sssd]# ldbsearch -H /var/lib/sss/db/cache_child1.sssdad.com.ldb "(name=Administrator)" ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header asq: Unable to register control with rootdse! # record 1 dn: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb createTimestamp: 1437407347 fullName: Administrator gecos: Administrator gidNumber: 369600513 name: Administrator objectClass: user uidNumber: 369600500 objectSIDString: S-1-5-21-4212360905-986714573-1256250948-500 uniqueID: 16c36a5f-e2ec-49cd-a2ab-742b03d3adde originalDN: CN=Administrator,CN=Users,DC=child1,DC=sssdad,DC=com originalMemberOf: CN=Group Policy Creator Owners,CN=Users,DC=child1,DC=sssdad, DC=com originalMemberOf: CN=Domain Admins,CN=Users,DC=child1,DC=sssdad,DC=com originalMemberOf: CN=Administrators,CN=Builtin,DC=child1,DC=sssdad,DC=com originalModifyTimestamp: 20150718152922.0Z entryUSN: 768294 adUserAccountControl: 66048 nameAlias: administrator lastUpdate: 1437407347 dataExpireTimestamp: 1437412747 distinguishedName: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb # returned 1 records # 1 entries # 0 referrals }}}
master: fb83de0699b16e7d8eca803305e2112795807b4c cf66c53e46fad46f47489f43265c58004e0e39d4 cffe3defa3cb5011efc92a7773fe113a1e69774f 67625b1b4f856510bf4e169649b3fb30c2c14152
Verified the bug on SSSD Version: sssd-1.13.0-39.el7.x86_64 Steps followed during verification: 1. Add sssd client to child AD domain, lets say child.sssdad.com with parent as sssdad.com 2. Run getent on both the administrators, ie root domain and child domain. 3. With the latest build, root domain administrator should be resolved. # getent passwd -s sss administrator@sssdad.com administrator@sssdad.com:*:1239000500:1239000500:Administrator:/home/administrator@sssdad.com:/bin/bash # getent passwd -s sss administrator@child1.sssdad.com administrator@child1.sssdad.com:*:369600500:369600513:Administrator:/home/administrator@child1.sssdad.com:/bin/bash
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html