Bug 1478252 - Querying the AD domain for external domain's ID can mark the AD domain offline [rhel-7.4.z]
Querying the AD domain for external domain's ID can mark the AD domain offli...
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
All All
urgent Severity urgent
: rc
: ---
Assigned To: SSSD Maintainers
Sudhir Menon
: ZStream
Depends On: 1474711
  Show dependency treegraph
Reported: 2017-08-04 02:42 EDT by Oneata Mircea Teodor
Modified: 2017-09-05 07:24 EDT (History)
11 users (show)

See Also:
Fixed In Version: sssd-1.15.2-50.el7_4.2
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1474711
Last Closed: 2017-09-05 07:24:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Oneata Mircea Teodor 2017-08-04 02:42:10 EDT
This bug has been copied from bug #1474711 and has been proposed to be backported to 7.4 z-stream (EUS).
Comment 3 Sudhir Menon 2017-08-18 05:49:47 EDT
Marking the bug as verified as the AD domain is not marked offline when domain resolution order is changed.

Verified on RHEL7.4 using 

#ipa trust-add --range-type=ipa-ad-trust-posix --two-way=true

[root@cypher sssd]# ipa trust-find
1 trust matched
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust type: Active Directory domain
  UPN suffixes: test.qa, pune.in
Number of entries returned 1
[root@cypher sssd]# ipa idrange-find
2 ranges matched
  Range name: PNE.QE_id_range
  First Posix ID of the range: 1261600000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-2202318585-426110948-4011710778
  Range type: Active Directory trust range with POSIX attributes

  Range name: TESTRELM.TEST_id_range
  First Posix ID of the range: 315200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
Number of entries returned 2

[root@cypher sssd]#  ipa config-mod --domain-resolution-order='pne.qe:testrelm.test'
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: cypher.testrelm.test
  IPA CA servers: cypher.testrelm.test
  IPA NTP servers: cypher.testrelm.test
  IPA CA renewal master: cypher.testrelm.test
  IPA master capable of PKINIT: cypher.testrelm.test
  Domain resolution order: pne.qe:testrelm.test  <------- 

[root@cypher ~]# id ipauser1
uid=315200004(ipauser1) gid=315200004(ipauser1) groups=315200004(ipauser1)

====sssd log===
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain pne.qe is Active
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain chd.pne.qe is Active
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [link_forest_roots] (0x2000): [testrelm.test] is a forest root
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain pne.qe is Active
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain chd.pne.qe is Active
(Fri Aug 18 05:13:26 2017) [sssd[be[testrelm.test]]] [sss_domain_get_state] (0x1000): Domain pne.qe is Active
Comment 5 errata-xmlrpc 2017-09-05 07:24:49 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.