Bug 1436987 – ipasam: gidNumber attribute is not created in the trusted domain entry

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1436987 - ipasam: gidNumber attribute is not created in the trusted domain entry

Summary:	ipasam: gidNumber attribute is not created in the trusted domain entry

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	IPA Maintainers
QA Contact:	Varun Mylaraiah
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-03-29 04:07 EDT by Petr Vobornik
Modified:	2017-08-01 05:47 EDT (History)
CC List:	7 users (show)

See Also:
Fixed In Version:	ipa-4.5.0-6.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-08-01 05:47:49 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2304	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2017-08-01 08:41:35 EDT

Groups: None (edit)

Description Petr Vobornik 2017-03-29 04:07:01 EDT

Cloned from upstream: https://pagure.io/freeipa/issue/6827

While investigating issue 6660, samba logs were showing:

    [2017/03/28 17:02:35.471728,  0] ../source3/passdb/lookup_sid.c:1605(get_primary_group_sid)
      Failed to find a Unix account for DOM-AD$

This happens in calls to ldapsam_getsampwnam(), which eventually calls get_primary_group_sid() for the trusted domain entry. As the entry does not contain any gidNumber, the call fails.
The gidNumber attribute should be added when the trusted domain entry is created.

Comment 2 Petr Vobornik 2017-03-29 04:07:18 EDT

Upstream ticket:
https://pagure.io/freeipa/issue/6827

Comment 3 Martin Bašti 2017-04-07 06:39:46 EDT

Fixed upstream
master:
https://pagure.io/freeipa/c/e052c2dce04f5ce147dc2b6804f44705fa4d69df
https://pagure.io/freeipa/c/5405de5bc15941d71137af10aa66a6cf922d9e6d
ipa-4-5:
https://pagure.io/freeipa/c/91d36941653476abfff6a54ba7cb5a9f2c12c22d
https://pagure.io/freeipa/c/eddd29f1d52d63ea702437b0dd2a2826df52bc26

Comment 8 Varun Mylaraiah 2017-05-30 13:35:21 EDT

Verified
ipa-server-4.5.0-13.el7.x86_64

Trusted domain entry contain a gidNumber attribute

# ldapsearch -Y GSSAPI -Q -LLL -b "cn=Default SMB Group,cn=groups,cn=accounts,$BASEDN" gidNumber

dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=sudoexsm33,dc=test
gidNumber: 1986800001


# ldapsearch -Y GSSAPI -Q -LLL -b cn=$ADDOMAIN,cn=ad,cn=trusts,$BASEDN -s base gidNumber

dn: cn=pne.qe,cn=ad,cn=trusts,dc=sudoexsm33,dc=test
gidNumber: 1986800001

Comment 9 errata-xmlrpc 2017-08-01 05:47:49 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.