Bug 1378911 - No supplementary groups are resolved for users in nested OUs when domain stanza differs from AD domain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Dan Lavu
URL:
Whiteboard:
Depends On:
Blocks: 1393730
Reported: 2016-09-23 13:48 UTC by Dan Lavu
Modified: 2020-05-02 18:30 UTC (History)

Fixed In Version: sssd-1.14.0-46.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1393730
Environment:
Last Closed: 2017-08-01 09:00:03 UTC
Target Upstream Version:


Links
 * Github: SSSD sssd issues 4232 (last updated 2020-05-02 18:30:24 UTC)
 * Red Hat Product Errata: RHEA-2017:2294, priority normal, status SHIPPED_LIVE, "sssd bug fix and enhancement update" (last updated 2017-08-01 12:39:55 UTC)

Description Dan Lavu 2016-09-23 13:48:17 UTC
Description of problem:

No supplementary groups are resolved for nested users when the [domain] stanza in sssd.conf differs from the AD domain, i.e. [default].

Quote from an email thread with Jakub. 

"It's a bit bizarre, because the bug only happens when the [domain] stanza in
sssd.conf is named differently than the AD domain... Then, we look up a
user in Global Catalog, which returns two entries because the domains
(and thus the search bases) are nested under one another. So we proceed
to mapping the DN to SSSD domain, but fail, because the name of the SSSD
domain is totally different from the DN.. I /thought/ we also tried to
match against DN derived from the search base as a fallback, but
apparently not."

Test Suite: ad parameters
Test Case: account_password_policy_003:User account disabled

NOTE: The test is failing because of this bug, but this test case is NOT actually testing this bug. 

Version-Release number of selected component (if applicable):

How reproducible:

Always

Steps to Reproduce:
1. Run ad_parameters suite

Actual results:

:: [   PASS   ] :: Expected: login failure for testuser01-1511559 with password (Expected 255, got 255)
:: [   FAIL   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [  BEGIN   ] :: Expected: login failure for testuser01-1511559 with ssh key :: actually running 'ssh_user_key_login testuser01-1511559'
spawn ssh -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-1511559 localhost
Connection closed by ::1

Expected results:

:: [   PASS   ] :: Expected: login failure for testuser01-1511559 with password (Expected 255, got 255)
:: [   PASS   ] :: File '/var/log/secure' should contain 'User account has expired' 
:: [  BEGIN   ] :: Expected: login failure for testuser01-1511559 with ssh key :: actually running 'ssh_user_key_login testuser01-1511559'
spawn ssh -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-1511559 localhost
Connection closed by ::1

Additional info:

According to Jakub, this is a side effect of fixing the following https://bugzilla.redhat.com/show_bug.cgi?id=1293168
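The quoted explanation describes two ways of mapping an entry DN returned by the Global Catalog back to a configured SSSD domain: by comparing the DNS name encoded in the DN's DC= components with the stanza name (which fails when the stanza is called [default]), and by matching the DN against the domain's search base as a fallback. The model below is an added illustration of that logic and is not SSSD's code; the stanza names, search bases and DNs are constructed. It shows why a name-only match returns nothing for a [default] stanza, and why the search-base fallback has to prefer the longest matching base when one domain's search base is nested under another's.

```python
# Added example: minimal model of DN -> SSSD domain mapping.
# Not SSSD source; domain names, search bases and DNs are constructed.

def split_dn(dn):
    """Split an LDAP DN into normalised RDN strings, honouring '\\,' escapes."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip().lower())
    return parts


def dn_to_domain_name(dn):
    """Derive the DNS domain name from the DC= components of a DN."""
    return ".".join(p[3:] for p in split_dn(dn) if p.startswith("dc="))


def match_by_name(dn, domains):
    """Strict strategy: the domain whose stanza name equals the DNS name in the DN.
    Returns None when the stanza is named differently (e.g. [default])."""
    wanted = dn_to_domain_name(dn)
    for dom in domains:
        if dom["name"].lower() == wanted:
            return dom["name"]
    return None


def match_by_search_base(dn, domains):
    """Fallback strategy: the domain whose search base is the longest suffix of the DN.
    Preferring the longest base is what disambiguates nested search bases, where
    both the parent and the child base are suffixes of a child-domain DN."""
    rdns = split_dn(dn)
    best, best_len = None, -1
    for dom in domains:
        base = split_dn(dom["search_base"])
        if len(base) <= len(rdns) and rdns[-len(base):] == base and len(base) > best_len:
            best, best_len = dom["name"], len(base)
    return best


def resolve_domain(dn, domains):
    """Name match first, search-base suffix match as the fallback."""
    return match_by_name(dn, domains) or match_by_search_base(dn, domains)


# Constructed configuration: a stanza named [default] for the forest root
# (its name does not equal the AD domain) and a child domain whose search
# base is nested under the root's.
DOMAINS = [
    {"name": "default", "search_base": "DC=ad,DC=example,DC=com"},
    {"name": "child.ad.example.com", "search_base": "DC=child,DC=ad,DC=example,DC=com"},
]

ROOT_USER = "CN=testuser01,OU=nested,OU=people,DC=ad,DC=example,DC=com"
CHILD_USER = "CN=testuser02,OU=people,DC=child,DC=ad,DC=example,DC=com"
ESCAPED_USER = "CN=Doe\\, Jane,OU=people,DC=ad,DC=example,DC=com"
FOREIGN_USER = "CN=someone,DC=other,DC=test"

if __name__ == "__main__":
    for dn in (ROOT_USER, CHILD_USER, ESCAPED_USER, FOREIGN_USER):
        print(f"{dn}")
        print(f"  by name       : {match_by_name(dn, DOMAINS)}")
        print(f"  by search base: {match_by_search_base(dn, DOMAINS)}")
        print(f"  resolved      : {resolve_domain(dn, DOMAINS)}")
```

Running the block shows the failure mode from the report: for the root-domain user the name match returns None because the stanza is [default], and only the search-base fallback maps the entry to a domain; for the child-domain user both strategies agree, but the fallback only agrees because it takes the longest matching base rather than the first.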

Comment 1 Jakub Hrozek 2016-09-23 13:53:15 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3199

Comment 2 Dan Lavu 2016-09-23 13:58:29 UTC
Sorry, I was looking at the wrong test suite when filling this BZ out. The test suite is NOT ad_parameters but ad_idmap.

Test suite: ad_idmap
Test case: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs

Actual results:

:: [  BEGIN   ] :: Running 'id Administrator'
uid=498200500(administrator) gid=498200513(domain users) groups=498200513(domain users)
:: [   PASS   ] :: Command 'id Administrator' (Expected 0, got 0)
:: [   FAIL   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one' 
:: [   FAIL   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one' 
:: [   FAIL   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID' 
'6516d9b4-4521-437d-8f69-dbc6f62cfb01'


Expected results:

:: [  BEGIN   ] :: Running 'id Administrator'
uid=498200500(administrator) gid=498200513(domain users) groups=498200513(domain users)
:: [   PASS   ] :: Command 'id Administrator' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID' 
'6516d9b4-4521-437d-8f69-dbc6f62cfb01'

Comment 6 Jakub Hrozek 2016-11-03 10:24:19 UTC
master:
 * e5a984093ad7921c83da75272cede2b0e52ba2d6
 * 24d8c85fae253f988165c112af208198cf48eef6
sssd-1-14:
 * 956fdd727f8d7a28f1456146b3b7dfee49f38626
 * 3f3dc8c737a8e8cfc4a29d7dbaf526ec3973c7a0

Comment 9 Tom Lavigne 2016-11-07 16:26:51 UTC
This bug needs approval for zstream, either PMApproved (from snagar) or GSSApproved from your subsystem CEE contact.

Comment 18 Dan Lavu 2017-06-01 11:40:07 UTC
Verified against sssd-1.15.2-33.el7.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'id Administrator' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID' 
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs

Comment 19 errata-xmlrpc 2017-08-01 09:00:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294
