Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1585020

Summary: Enable compat tree to provide information about AD users and groups on trust agents
Product: Red Hat Enterprise Linux 8 Reporter: Alexander Bokovoy <abokovoy>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.0CC: dsimes, frenaud, gparente, ldelouw, mvarun, pasik, pvoborni, rcritten, ssidhaye, tscherf, twoerner
Target Milestone: rcKeywords: TestCaseProvided
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.8.7-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1817919 (view as bug list) Environment:
Last Closed: 2020-11-04 02:50:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1817919    

Description Alexander Bokovoy 2018-06-01 07:24:53 UTC 
RHEL IdM has an option to enable serving information about AD users and groups in the compatibility tree (RFC2307) when converting IdM master to AD trust controller. At the same time, AD trust controller can designate other IdM masters to be able to resolve information about AD users and groups by promoting them to AD trust agents.

However, there is no way to configure the compatibility tree on AD trust agents to serve information about AD users and groups. As result, if legacy clients are configured to use the compatibility tree on AD trust agents as opposed to AD trust controllers, information about AD users' group membership will be missing.

We should provide means to enable this functionality in the compatibility tree on AD trust agents independently from converting AD trust agent to AD trust controller.
Comment 2 Florence Blanc-Renaud 2018-06-25 15:15:55 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7600
Comment 4 Alexander Bokovoy 2020-02-11 17:23:45 UTC 
*** Bug 1801791 has been marked as a duplicate of this bug. ***
Comment 5 Florence Blanc-Renaud 2020-03-05 13:46:36 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/68c72e344a29e27416af428f6dbf5300c85e66e1
https://pagure.io/freeipa/c/911992b8bf33b40f650ec406444ca8b9b847b54e
https://pagure.io/freeipa/c/fc4c3ac795e3af48fcfd8dd51085f5ff98047f1e

The last commit adds a test in  ipatests/test_integration/test_adtrust_install.py::TestIpaAdTrustInstall
Comment 6 Florence Blanc-Renaud 2020-03-10 17:16:53 UTC 
Fixed upstream:
ipa-4-8:
https://pagure.io/freeipa/c/66154f8bf79584b8fa6792e3d2ca534900dfa481
https://pagure.io/freeipa/c/5edc674e7262ce4506c40b8c066207f9e5f55c33
https://pagure.io/freeipa/c/4afd6e5e07061dde6e30b5352668bdf23cd6dedd

ipa-4-7:
https://pagure.io/freeipa/c/2b5c409c3031696a358d57def4dc2e98142ef643
https://pagure.io/freeipa/c/3a880ff64d44156fa274ef13ea726fe78cd37f2e
https://pagure.io/freeipa/c/59b09f154b9d85d937da64d6fe271d09c5b61bc1

ipa-4-6:
https://pagure.io/freeipa/c/d051d2d47a36c79fd2c20733437fda95f443f053
https://pagure.io/freeipa/c/f9fcd2c7fb7823becb3a6b68da4b0bf2c1db229f
https://pagure.io/freeipa/c/796c86ac701d23d1dd281d0d5c5331b9a66c2888
Comment 7 Florence Blanc-Renaud 2020-03-11 08:42:40 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/233a18b2a24d814518a119bd3f1688a0eb361917
https://pagure.io/freeipa/c/1fbc4e01ea5be004f7c57cb71df2d37659271d68

ipa-4-8:
https://pagure.io/freeipa/c/21c923c4cf21f30f20ec4b21c488db6f6fa92b67
https://pagure.io/freeipa/c/df0df14bf31dba5800747aa08824b24b8be41eab

ipa-4-7:
https://pagure.io/freeipa/c/1fccdd00d53bc71e87ab5a4b1c68ab6e3efcce8c

ipa-4-6:
https://pagure.io/freeipa/c/79f9ba5557d14e74ab29b85407c5de5622d7ea35

On master and ipa-4-8 the additional commit handles the selinux policy changes. It was not backported to ipa-4-6 and ipa-4-7 as freeipa-selinux subpackage was introduced in ipa-4-8 only.
Comment 13 Varun Mylaraiah 2020-08-10 11:42:02 UTC 
Based on the automation test result, marking the bug VERIFIED.
Comment 14 Varun Mylaraiah 2020-08-10 11:43:08 UTC 
Attached report.html in comment 12
Comment 17 errata-xmlrpc 2020-11-04 02:50:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670