
Bug 1826720

Summary: SSSD doesn't honour the customized ID view created in IPA
Product: Red Hat Enterprise Linux 8
Reporter: Alexey Tikhonov <atikhono>
Component: sssd
Assignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, sgoveas, thalman, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.3.0-1.el8
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1786341
Last Closed: 2020-11-04 02:05:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Alexey Tikhonov 2020-04-22 12:16:10 UTC
This bug was initially created as a copy of Bug #1786341

I am copying this bug to track the fix for RHEL 8.



Description of problem:
SSSD doesn't honour the customized ID view created in IPA. 
The trusted AD users lose their AD domain roughly 5 minutes later, which causes a problem with the sudo rule, as the sudo rule is defined for <ad accountname>@<AD domain>.

Version-Release number of selected component (if applicable):
sssd-1.16.4-21.el7_7.1.x86_64
sssd-client-1.16.4-21.el7_7.1.x86_64
sssd-ipa-1.16.4-21.el7_7.1.x86_64
sssd-ad-1.16.4-21.el7_7.1.x86_64


How reproducible:
The issue can easily be reproduced.


Steps to Reproduce:
1. Establish AD trust with IPA
2. Create a customized ID view on the IPA server 
# ipa idview-show "Madrid Trust View" --all
  dn: cn=Madrid Trust View,cn=views,cn=accounts,dc=lx,dc=testdomain,dc=com
  ID View Name: Madrid Trust View
  User object overrides: bmorgan.com, cmorgan.com
  Hosts the view applies to: ipaclient.lx.testdomain.com
  objectclass: ipaIDView, top, nsContainer

3. Override the uid, gid and home directory for a trust AD user on the IPA server :
# ipa idoverrideuser-show  "Madrid Trust View"  "bmorgan.com" --all
  dn: ipaanchoruuid=:SID:S-1-5-21-2806753506-2769157711-2121680027-1108,cn=Madrid Trust View,cn=views,cn=accounts,dc=lx,dc=testdomain,dc=com
  Anchor to override: bmorgan.com
  UID: 10001
  GID: 10000
  Home directory: /home/bmorgan
  ipaoriginaluid: bmorgan.com
  objectclass: ipaOverrideAnchor, top, ipaUserOverride, ipasshuser, ipaSshGroupOfPubKeys


4. Stop SSSD, clear the old SSSD cache and restart SSSD on an IPA client
# date; rm -rf /var/log/sssd/*  /var/lib/sss/{mc,db}/*
Tue 24 Dec 11:27:51 GMT 2019
# date; systemctl start sssd
Tue 24 Dec 11:28:40 GMT 2019


5. As root on the IPA client:
# ldbsearch -H cache_lx.testdomain.com.ldb > /var/tmp/ldbsearch-before.txt
asq: Unable to register control with rootdse!
# ldbsearch -H timestamps_lx.testdomain.com.ldb > /var/tmp/ldbsearch-before-timestamp.txt 
# date; sssctl user-checks bmorgan.com
Tue 24 Dec 11:30:54 GMT 2019
user: bmorgan.com
action: acct
service: system-auth

SSSD nss user lookup result:
 - user name: bmorgan.com
 - user id: 10001
 - group id: 10000
 - gecos: Beth Morgan
 - home directory: /home/bmorgan
 - shell: 

SSSD InfoPipe user lookup result:
 - name: bmorgan.com
 - uidNumber: 10001
 - gidNumber: 10000
 - gecos: Beth Morgan
 - homeDirectory: /home/bmorgan
 - loginShell: 

testing pam_acct_mgmt

pam_acct_mgmt: Success

PAM Environment:
 - no env -
# date; sssctl user-show bmorgan.com
Tue 24 Dec 11:31:02 GMT 2019
Name: bmorgan.com
Cache entry creation date: 12/24/19 11:28:45
Cache entry last update time: 12/24/19 11:30:54
Cache entry expiration time: 12/24/19 13:00:54
Initgroups expiration time: 12/24/19 13:00:54
Cached in InfoPipe: No


6. As the trusted AD user on the IPA client:
# su - bmorgan.com
Creating home directory for bmorgan.com.
Last login: Tue Dec 24 11:04:46 GMT 2019 on pts/1
-sh-4.2$ date; ls -al
Tue 24 Dec 11:29:05 GMT 2019
total 12
drwx------. 5 bmorgan.com adminfr 107 Dec 24 11:28 .
drwxr-xr-x. 4 root                      root     33 Dec 24 11:28 ..
-rw-------. 1 bmorgan.com adminfr  18 Dec 24 11:28 .bash_logout
-rw-------. 1 bmorgan.com adminfr 193 Dec 24 11:28 .bash_profile
-rw-------. 1 bmorgan.com adminfr 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 bmorgan.com adminfr  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 bmorgan.com adminfr  18 Dec 24 11:28 .config
drwx------. 4 bmorgan.com adminfr  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; ls -an
Tue 24 Dec 11:29:21 GMT 2019
total 12
drwx------. 5 10001 10000 107 Dec 24 11:28 .
drwxr-xr-x. 4     0     0  33 Dec 24 11:28 ..
-rw-------. 1 10001 10000  18 Dec 24 11:28 .bash_logout
-rw-------. 1 10001 10000 193 Dec 24 11:28 .bash_profile
-rw-------. 1 10001 10000 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .config
drwx------. 4 10001 10000  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; getent passwd 10001
Tue 24 Dec 11:29:30 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
-sh-4.2$ date; id
Tue 24 Dec 11:29:43 GMT 2019
uid=10001(bmorgan.com) gid=10000(adminfr) groups=10000(adminfr),130800513(domain users.com),130801109(employees.com),926800005(madrid_admins),926800006(madrid_adminfr_internal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$ date; sudo -ll
Tue 24 Dec 11:29:50 GMT 2019
[sudo] password for bmorgan.com: 
Matching Defaults entries for bmorgan.com on ipa76client:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User bmorgan.com may run the following commands on ipaclient:

LDAP Role: madrid-sudorule
    RunAsUsers: root
    Commands:
	/usr/bin/less
	!/usr/bin/chcon

-sh-4.2$ date; strings /var/lib/sss/mc/passwd
Tue 24 Dec 11:30:03 GMT 2019
bmorgan.com      <<<<<<<<<<<<<<<<<<<<<<
Beth Morgan
/home/bmorgan
-sh-4.2$ while true;
> do date; getent passwd 10001; sleep 30; done | tee -a /var/tmp/b.txt
Tue 24 Dec 11:30:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:30:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:31:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:31:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:32:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:32:53 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:23 GMT 2019
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:33:53 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:   <<<<<<<<<<<<<<<<<<<<Roughly five minutes later>>>>>>>>>>>>>>>>>>>>>>>>
Tue 24 Dec 11:34:23 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:34:53 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
Tue 24 Dec 11:35:23 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
^C
-sh-4.2$  date; ls -al
Tue 24 Dec 11:35:47 GMT 2019
total 16
drwx------. 5 bmorgan adminfr 128 Dec 24 11:35 .
drwxr-xr-x. 4 root    root     33 Dec 24 11:28 ..
-rw-------. 1 bmorgan adminfr 207 Dec 24 11:35 .bash_history
-rw-------. 1 bmorgan adminfr  18 Dec 24 11:28 .bash_logout
-rw-------. 1 bmorgan adminfr 193 Dec 24 11:28 .bash_profile
-rw-------. 1 bmorgan adminfr 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 bmorgan adminfr  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 bmorgan adminfr  18 Dec 24 11:28 .config
drwx------. 4 bmorgan adminfr  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; ls -an
Tue 24 Dec 11:35:55 GMT 2019
total 16
drwx------. 5 10001 10000 128 Dec 24 11:35 .
drwxr-xr-x. 4     0     0  33 Dec 24 11:28 ..
-rw-------. 1 10001 10000 207 Dec 24 11:35 .bash_history
-rw-------. 1 10001 10000  18 Dec 24 11:28 .bash_logout
-rw-------. 1 10001 10000 193 Dec 24 11:28 .bash_profile
-rw-------. 1 10001 10000 231 Dec 24 11:28 .bashrc
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .cache
drwxr-xr-x. 3 10001 10000  18 Dec 24 11:28 .config
drwx------. 4 10001 10000  39 Dec 24 11:28 .mozilla
-sh-4.2$ date; getent passwd 10001
Tue 24 Dec 11:36:00 GMT 2019
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:
-sh-4.2$ date; id
Tue 24 Dec 11:36:05 GMT 2019
uid=10001(bmorgan) gid=10000(adminfr) groups=10000(adminfr),130800513(domain users.com),130801109(employees.com),926800005(madrid_admins),926800006(madrid_adminfr_internal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.2$  date; sudo -ll
Tue 24 Dec 11:36:09 GMT 2019

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bmorgan: 
Sorry, try again.
[sudo] password for bmorgan: 
Sorry, try again.
[sudo] password for bmorgan: 
sudo: 3 incorrect password attempts
-sh-4.2$ date; strings /var/lib/sss/mc/passwd
Tue 24 Dec 11:36:33 GMT 2019
bmorgan                      <<<<<<<<<<<<<<<<<<<<<<<
Beth Morgan
/home/bmorgan


One interesting point: running "id -a bmorgan.com" as root seems to fix the issue temporarily.

Actual results:


Expected results:


Additional info:
No problem with the "Default trust view"

Comment 1 Alexey Tikhonov 2020-04-22 12:20:39 UTC
* `master`
    * 1b84c3a1f17f59e134bb882f0f15109d18599193 - sysdb: check if the id override belongs to requested domain

Comment 4 Niranjan Mallapadi Raghavender 2020-08-04 11:45:07 UTC
Versions:

Server:
ipa-server-dns-4.8.7-7.module+el8.3.0+7376+c83e4fcd.noarch
ipa-server-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64
ipa-server-trust-ad-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64
ipa-server-common-4.8.7-7.module+el8.3.0+7376+c83e4fcd.noarch


Client:
ipa-client-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64
ipa-client-common-4.8.7-7.module+el8.3.0+7376+c83e4fcd.noarch
sssd-client-2.3.0-6.el8.x86_64
sssd-common-pac-2.3.0-6.el8.x86_64
sssd-ipa-2.3.0-6.el8.x86_64
sssd-tools-2.3.0-6.el8.x86_64
sssd-nfs-idmap-2.3.0-6.el8.x86_64
sssd-kcm-2.3.0-6.el8.x86_64
sssd-common-2.3.0-6.el8.x86_64
sssd-dbus-2.3.0-6.el8.x86_64
sssd-krb5-common-2.3.0-6.el8.x86_64

Windows AD: 2012R2

1. Established AD Trust with Windows
[root@server ~]# ipa trust-show cygnus.test
  Realm name: cygnus.test
  Domain NetBIOS name: CYGNUS
  Domain Security Identifier: S-1-5-21-362265945-4067830278-750207296
  Trust direction: Trusting forest
  Trust type: Active Directory domain

2. Created customized ID Views

  dn: ipaanchoruuid=:SID:S-1-5-21-362265945-4067830278-750207296-1108,cn=foobar_ad_client,cn=views,cn=accounts,dc=example,dc=test
  Anchor to override: foobar1
  UID: 23000
  GID: 23000
  ipaoriginaluid: foobar1
  objectclass: ipaOverrideAnchor, top, ipaUserOverride, ipasshuser, ipaSshGroupOfPubKeys

3. Override the uid, gid and home directory for the user foobar1
  dn: ipaanchoruuid=:SID:S-1-5-21-362265945-4067830278-750207296-1108,cn=foobar_ad_client,cn=views,cn=accounts,dc=example,dc=test
  Anchor to override: foobar1
  UID: 23000
  GID: 23000
  Home directory: /home/ad/foobar1
  ipaoriginaluid: foobar1
  objectclass: ipaOverrideAnchor, top, ipaUserOverride, ipasshuser, ipaSshGroupOfPubKeys


4. Log in as foobar1 on the IPA client

script.sh" 12L, 208C written

5. Clear sssd cache. 
[root@client tmp]# systemctl stop sssd
[root@client tmp]# date; rm -rf /var/log/sssd/*  /var/lib/sss/{mc,db}/*
Tue Aug  4 16:13:24 IST 2020
[root@client tmp]# date; systemctl start sssd
Tue Aug  4 16:13:26 IST 2020
[root@client tmp]# su - foobar1
Last login: Tue Aug  4 16:09:49 IST 2020 on pts/0

[foobar1@client ~]$ pwd
/home/ad/foobar1

Execute the below script:
cat //tmp/script.sh 
x=1
while [ "$x" -le 15 ]
do
    pwd
    date; getent passwd 23000 | grep -w "foobar1"
    if [ $? -ne 0 ]; then
        echo "1346401108 found at count $x"
        break
    fi
    x=$(( x + 1 ))
    sleep 30
done


[foobar1@client ~]$ sh /tmp/script.sh
/home/ad/foobar1
Tue Aug  4 16:13:41 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:14:11 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:14:41 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:15:11 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:15:41 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:16:11 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:16:41 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:17:11 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:17:41 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:18:11 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:18:41 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:19:11 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:19:41 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:20:11 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:
/home/ad/foobar1
Tue Aug  4 16:20:41 IST 2020
foobar1:*:23000:23000:foobar1:/home/ad/foobar1:

UID and GID lookups are successful. Marking it verified.
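
Added example (not part of the bug report, and not SSSD or IPA code): a shell check that generalizes the polling loops in the description and in Comment 4. Instead of reading repeated getent output by eye, it consumes passwd-format lines for one UID and reports the first poll at which the name field changes, which is the symptom here (bmorgan.com becoming bmorgan after about five minutes, after which a sudo rule keyed on the fully qualified AD name no longer matches and the user is locked out of sudo). The sample lines are constructed to mirror the output pasted in the description; the function names and the live poll wrapper are my own, and the wrapper assumes getent and a running SSSD on the IPA client.

```bash
#!/bin/sh
# Added example, not code from the bug report or from SSSD/IPA.
# Detects the symptom in this bug: the name that NSS returns for a fixed
# UID changing between polls (bmorgan.com -> bmorgan), which silently
# breaks sudo rules written for the fully qualified AD name.

# passwd_name_drift UID
# Reads getent-style passwd lines on stdin and prints one line:
#   STABLE <name>                       every line for UID had the same name
#   CHANGED <old> -> <new> at line N    first line where the name differs
#   NOENTRY                             no line for UID at all
passwd_name_drift() {
    awk -F: -v uid="$1" '
        $3 != uid   { next }
        first == "" { first = $1; next }
        $1 != first { printf "CHANGED %s -> %s at line %d\n", first, $1, NR
                      found = 1; exit }
        END {
            if (first == "")  print "NOENTRY"
            else if (!found)  print "STABLE " first
        }
    '
}

# poll_passwd_name UID INTERVAL COUNT
# The reporter's "while true; do getent passwd 10001; sleep 30; done"
# loop, bounded, with the samples fed to the check above. Assumes getent
# and a running SSSD on the IPA client; run it as the affected user, since
# the report notes that an "id -a" as root masks the problem for a while.
poll_passwd_name() {
    i=0
    while [ "$i" -lt "$3" ]; do
        getent passwd "$1"
        i=$((i + 1))
        [ "$i" -lt "$3" ] && sleep "$2"
    done | passwd_name_drift "$1"
}

# Constructed samples modelled on the output pasted in the description.
SAMPLE_STABLE='bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:'
SAMPLE_DRIFT='bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
bmorgan.com:*:10001:10000:Beth Morgan:/home/bmorgan:
bmorgan:*:10001:10000:Beth Morgan:/home/bmorgan:'

# Offline demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_DRIFT" | passwd_name_drift 10001
```

On a client, `poll_passwd_name 10001 30 12` as the override user covers the six-minute window shown in the description. A CHANGED result means the cached name for that UID flipped; re-run `sudo -ll` at that point, because a rule written for user@AD.DOMAIN will no longer match the short name.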

Comment 7 errata-xmlrpc 2020-11-04 02:05:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569