Description of problem:
No supplementary groups are resolved for nested users when the [domain] stanza in sssd.conf differs from the AD domain, i.e. [default].

Quote from an email thread with Jakub:
"It's a bit bizarre, because the bug only happens when the [domain] stanza in sssd.conf is named differently than the AD domain... Then, we look up a user in Global Catalog, which returns two entries because the domains (and thus the search bases) are nested under one another. So we proceed to mapping the DN to SSSD domain, but fail, because the name of the SSSD domain is totally different from the DN.. I /thought/ we also tried to match against DN derived from the search base as a fallback, but apparently not."

Test Suite: ad parameters
Test Case: account_password_policy_003: User account disabled

NOTE: The test is failing because of this bug, but this test case is NOT actually testing this bug.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Run ad_parameters suite

Actual results:
:: [ PASS ] :: Expected: login failure for testuser01-1511559 with password (Expected 255, got 255)
:: [ FAIL ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ BEGIN ] :: Expected: login failure for testuser01-1511559 with ssh key :: actually running 'ssh_user_key_login testuser01-1511559'
spawn ssh -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-1511559 localhost
Connection closed by ::1

Expected results:
:: [ PASS ] :: Expected: login failure for testuser01-1511559 with password (Expected 255, got 255)
:: [ PASS ] :: File '/var/log/secure' should contain 'User account has expired'
:: [ BEGIN ] :: Expected: login failure for testuser01-1511559 with ssh key :: actually running 'ssh_user_key_login testuser01-1511559'
spawn ssh -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PasswordAuthentication=no -l testuser01-1511559 localhost
Connection closed by ::1

Additional info:
According to Jakub, this is a side effect of fixing the following: https://bugzilla.redhat.com/show_bug.cgi?id=1293168
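A simplified model of the DN-to-domain mapping the quoted email describes, added here as an illustration and not taken from SSSD's code; it shows why a stanza named [default] cannot be matched from the DN alone and how a search-base fallback resolves it. All domain names, DNs and search bases are constructed sample values.

```python
"""Added illustration for this bug report, not SSSD's own code: a simplified
model of mapping an AD object DN to an SSSD domain. It first matches the DN
against a base DN derived from the [domain] stanza name, then (the fallback
the comment says is missing) against the configured ldap_search_base.
All names, DNs and search bases below are constructed sample values."""
from dataclasses import dataclass

@dataclass
class SssdDomain:
    name: str          # name of the [domain/<name>] stanza in sssd.conf
    search_base: str   # base DN the provider actually searches under

def dn_components(dn: str) -> list:
    """Split a DN into lower-cased RDNs, most specific first."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def base_from_name(name: str) -> str:
    """'child.ad.example.com' -> 'DC=child,DC=ad,DC=example,DC=com'."""
    return ",".join(f"DC={label}" for label in name.split("."))

def dn_under_base(dn: str, base: str) -> bool:
    """True when base is a suffix of dn, i.e. dn lies under base."""
    comps, bcomps = dn_components(dn), dn_components(base)
    return len(comps) >= len(bcomps) and comps[-len(bcomps):] == bcomps

def map_dn_to_domain(dn: str, domains: list, use_fallback: bool) -> str:
    """Return the stanza name owning dn, or '' when nothing matches. Nested
    domains make several bases suffixes of one DN (the GC lookup in the report
    returned two entries), so the longest matching base wins."""
    best, best_depth = "", -1
    for dom in domains:
        candidates = [base_from_name(dom.name)]
        if use_fallback:
            candidates.append(dom.search_base)
        for base in candidates:
            depth = len(dn_components(base))
            if dn_under_base(dn, base) and depth > best_depth:
                best, best_depth = dom.name, depth
    return best

# Constructed setup: forest root configured as [domain/default], its child
# domain discovered under its AD DNS name.
SAMPLE_DOMAINS = [
    SssdDomain("default", "DC=ad,DC=example,DC=com"),
    SssdDomain("child.ad.example.com", "DC=child,DC=ad,DC=example,DC=com"),
]
```

With `use_fallback=False` a user in the root domain maps to no SSSD domain at all, which is the failure the email describes; with the fallback it maps to "default".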
Upstream ticket: https://fedorahosted.org/sssd/ticket/3199
Sorry, I was looking at the wrong test suite when filling this BZ out. The test suite is NOT ad_parameters but ad_idmap.

Test suite: ad_idmap
Test case: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs

Actual results:
:: [ BEGIN ] :: Running 'id Administrator'
uid=498200500(administrator) gid=498200513(domain users) groups=498200513(domain users)
:: [ PASS ] :: Command 'id Administrator' (Expected 0, got 0)
:: [ FAIL ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one'
:: [ FAIL ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one'
:: [ FAIL ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID' '6516d9b4-4521-437d-8f69-dbc6f62cfb01'

Expected results:
:: [ BEGIN ] :: Running 'id Administrator'
uid=498200500(administrator) gid=498200513(domain users) groups=498200513(domain users)
:: [ PASS ] :: Command 'id Administrator' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID' '6516d9b4-4521-437d-8f69-dbc6f62cfb01'
master:
* e5a984093ad7921c83da75272cede2b0e52ba2d6
* 24d8c85fae253f988165c112af208198cf48eef6

sssd-1-14:
* 956fdd727f8d7a28f1456146b3b7dfee49f38626
* 3f3dc8c737a8e8cfc4a29d7dbaf526ec3973c7a0
This bug needs approval for zstream, either PMApproved (from snagar) or GSSApproved from your subsystem CEE contact.
Verified against sssd-1.15.2-33.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'id Administrator' (Expected 0, got 0)
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-545\] is a built-in one'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Object SID \[S-1-5-32-544\] is a built-in one'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Skipping built-in object'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not parse domain SID'
:: [ PASS ] :: File '/var/log/sssd/sssd_ADTEST.log' should not contain 'Could not convert SID to GID'
:: [ LOG ] :: Duration: 12s
:: [ LOG ] :: Assertions: 6 good, 0 bad
:: [ PASS ] :: RESULT: idmap_014: bz874616 Silence DEBUG messages when dealing with built-in SIDs
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294