Bug 1436987 - ipasam: gidNumber attribute is not created in the trusted domain entry
Summary: ipasam: gidNumber attribute is not created in the trusted domain entry
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Varun Mylaraiah
Depends On:
TreeView+ depends on / blocked
Reported: 2017-03-29 08:07 UTC by Petr Vobornik
Modified: 2017-08-01 09:47 UTC (History)
7 users (show)

Fixed In Version: ipa-4.5.0-6.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:47:49 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-29 08:07:01 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6827

While investigating issue 6660, samba logs were showing:

    [2017/03/28 17:02:35.471728,  0] ../source3/passdb/lookup_sid.c:1605(get_primary_group_sid)
      Failed to find a Unix account for DOM-AD$

This happens in calls to ldapsam_getsampwnam(), which eventually calls get_primary_group_sid() for the trusted domain entry. As the entry does not contain any gidNumber, the call fails.
The gidNumber attribute should be added when the trusted domain entry is created.

Comment 2 Petr Vobornik 2017-03-29 08:07:18 UTC
Upstream ticket:

Comment 8 Varun Mylaraiah 2017-05-30 17:35:21 UTC

Trusted domain entry contain a gidNumber attribute

# ldapsearch -Y GSSAPI -Q -LLL -b "cn=Default SMB Group,cn=groups,cn=accounts,$BASEDN" gidNumber

dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=sudoexsm33,dc=test
gidNumber: 1986800001

# ldapsearch -Y GSSAPI -Q -LLL -b cn=$ADDOMAIN,cn=ad,cn=trusts,$BASEDN -s base gidNumber

dn: cn=pne.qe,cn=ad,cn=trusts,dc=sudoexsm33,dc=test
gidNumber: 1986800001

Comment 9 errata-xmlrpc 2017-08-01 09:47:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.