RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1263735 - Could not resolve AD user from root domain
Summary: Could not resolve AD user from root domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-09-16 14:42 UTC by Jakub Hrozek
Modified: 2020-05-02 18:07 UTC (History)
11 users (show)

Fixed In Version: sssd-1.13.0-32.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 11:40:36 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3764 0 None closed Could not resolve AD user from root domain 2021-02-16 10:35:59 UTC
Red Hat Product Errata RHSA-2015:2355 0 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC

Description Jakub Hrozek 2015-09-16 14:42:20 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2723

There are more administrator users: id ''administrator @child1.sssdad.com'' and id ''administrator @sssdad.com''.

sssd is joined to the child domain.
{{{
[sssd]
config_file_version = 2
services = nss, pam
domains = child1.sssdad.com

[nss]
default_shell = /bin/bash

[domain/child1.sssdad.com]
debug_level = 0xFFF0
id_provider = ad
ad_domain = child1.sssdad.com
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
}}}


but user from root domain ''administrator @sssdad.com'' cannot be resolved.
It might be cause by fact that user is stored in different domain
{{{
[root@ibm-x3650-03 sssd]# ldbsearch -H /var/lib/sss/db/cache_child1.sssdad.com.ldb "(name=Administrator)"
ldb: unable to dlopen /usr/lib64/ldb/modules/ldb/memberof.la : /usr/lib64/ldb/modules/ldb/memberof.la: invalid ELF header
asq: Unable to register control with rootdse!
# record 1
dn: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb
createTimestamp: 1437407347
fullName: Administrator
gecos: Administrator
gidNumber: 369600513
name: Administrator
objectClass: user
uidNumber: 369600500
objectSIDString: S-1-5-21-4212360905-986714573-1256250948-500
uniqueID: 16c36a5f-e2ec-49cd-a2ab-742b03d3adde
originalDN: CN=Administrator,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Group Policy Creator Owners,CN=Users,DC=child1,DC=sssdad,
 DC=com
originalMemberOf: CN=Domain Admins,CN=Users,DC=child1,DC=sssdad,DC=com
originalMemberOf: CN=Administrators,CN=Builtin,DC=child1,DC=sssdad,DC=com
originalModifyTimestamp: 20150718152922.0Z
entryUSN: 768294
adUserAccountControl: 66048
nameAlias: administrator
lastUpdate: 1437407347
dataExpireTimestamp: 1437412747
distinguishedName: name=Administrator,cn=users,cn=child1.sssdad.com,cn=sysdb

# returned 1 records
# 1 entries
# 0 referrals
}}}
Comment 2 Jakub Hrozek 2015-09-22 11:49:41 UTC 
master:
    fb83de0699b16e7d8eca803305e2112795807b4c
    cf66c53e46fad46f47489f43265c58004e0e39d4
    cffe3defa3cb5011efc92a7773fe113a1e69774f
    67625b1b4f856510bf4e169649b3fb30c2c14152
Comment 4 Amith 2015-10-13 15:49:03 UTC 
Verified the bug on SSSD Version: sssd-1.13.0-39.el7.x86_64

Steps followed during verification:

1. Add sssd client to child AD domain, lets say child.sssdad.com with parent as sssdad.com

2. Run getent on both the administrators, ie root domain and child domain.

3. With the latest build, root domain administrator should be resolved.

# getent passwd -s sss administrator
administrator:*:1239000500:1239000500:Administrator:/home/administrator:/bin/bash

# getent passwd -s sss administrator.com
administrator.com:*:369600500:369600513:Administrator:/home/administrator.com:/bin/bash
Comment 5 errata-xmlrpc 2015-11-19 11:40:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html
Note You need to log in before you can comment on or make changes to this bug.