Created attachment 1781991 [details] deployment-script

# Topology

```
        /\                                                   /\
       /  \      One way cross forest transitive trust      /  \
      /    \   <----------------------------------------   /    \
  /EXAMPLE.COM\                                        /MYDOMAIN.COM\
 /______________\                                     /______________\
        \                                                     |
         \                                                    |
          \  One way cross forest transitive trust  +-----------------------+
          /\   <----------------------------------  | RHEL7.9 joined        |
         /  \                                       | to the above domain   |
        /CHILD\                                     +-----------------------+
       /______\

1. RHEL7.9 uses realm join MYDOMAIN.COM
2. And uses adcli join CHILD.EXAMPLE.COM
3. MYDOMAIN.COM has a one-way outgoing trust to EXAMPLE.COM and CHILD.EXAMPLE.COM
```

# Issues

1. I use the following script to add a RHEL7 client to AD: [ad-sssd-rhel7-v2.txt](https://github.com/SSSD/sssd/files/6458299/ad-sssd-rhel7-v2.txt)
2. sssd version is:
   ```
   [root@ip-172-31-7-69 ~]# rpm -qa | grep sssd
   python-sssdconfig-1.16.5-10.el7_9.7.noarch
   sssd-client-1.16.5-10.el7_9.7.x86_64
   sssd-krb5-common-1.16.5-10.el7_9.7.x86_64
   sssd-ipa-1.16.5-10.el7_9.7.x86_64
   sssd-krb5-1.16.5-10.el7_9.7.x86_64
   sssd-proxy-1.16.5-10.el7_9.7.x86_64
   sssd-common-1.16.5-10.el7_9.7.x86_64
   sssd-common-pac-1.16.5-10.el7_9.7.x86_64
   sssd-ad-1.16.5-10.el7_9.7.x86_64
   sssd-ldap-1.16.5-10.el7_9.7.x86_64
   sssd-1.16.5-10.el7_9.7.x86_64
   ```
3. User `terry-child` is from domain CHILD.EXAMPLE.COM, `terry-example` is from domain EXAMPLE.COM and `admin` is from domain MYDOMAIN.COM. Only `id terry-child` and `id admin` return correct information.
   ```
   [root@ip-172-31-7-69 ~]# id admin
   uid=704201113(admin) gid=704200513(domain users) groups=704200513(domain users)
   [root@ip-172-31-7-69 ~]# id terry-child
   uid=1872601114(terry-child) gid=1872600513(domain users) groups=1872600513(domain users)
   ```
4. `id terry-example` returns `no such user` unless I use the fully qualified user name.
   ```
   [root@ip-172-31-7-69 ~]# id terry-example
   id: terry-example: no such user
   [root@ip-172-31-7-69 ~]# id terry-example
   uid=1952601113(terry-example) gid=1952601113(terry-example) groups=1952601113(terry-example),1952600513(domain users)
   ```
5. Both uid and gid are mapped to `terry-example`, but users from the domain the Linux client joined directly are mapped to terry-child and domain users.
   ```
   [root@ip-172-31-7-69 ~]# ll /home/
   total 0
   drwx------. 2 terry-child   domain users  83 May 11 10:22 terry-child
   drwx------. 2 terry-example terry-example 83 May 11 09:07 terry-example
   ```

# Action Required

1. id/getent passwd with the shortname of a user from a trusted subdomain returns correct information
2. uid and gid should be mapped to the shortnames of a user

# sssd logs

[sssd.tar.gz](https://github.com/SSSD/sssd/files/6458827/sssd.tar.gz)
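As an added example (not part of the report above and not SSSD project code), the following POSIX shell helper classifies `id` output so the symptom in item 5, a user from a trusted forest whose primary group carries the user's own name instead of an AD group such as `domain users`, can be checked for many users at once rather than read off one `id` line at a time. The function names `classify_id_line` and `count_private` are hypothetical; the sample lines are constructed from the output quoted in the report.

```shell
#!/bin/sh
# Added example; not from the bug report or the SSSD project.
# Classifies lines of `id` output so a trusted-forest user whose primary
# group carries the user's own name (rather than an AD group such as
# "domain users") can be spotted across many users at once.
# classify_id_line, count_private and the sample lines are constructed
# for this example; the samples reproduce the output quoted in the report.

# Print "shared" when the primary gid names a group different from the user,
# "private" when the primary gid carries the user's own name, and "unknown"
# when the line is not `id` output (for example "no such user").
classify_id_line() {
    line=$1
    case $line in
        uid=*) ;;
        *) printf 'unknown\n'; return 0 ;;
    esac
    user=$(printf '%s\n' "$line" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    group=$(printf '%s\n' "$line" | sed -n 's/^uid=[0-9]*([^)]*) gid=[0-9]*(\([^)]*\)).*/\1/p')
    if [ -z "$user" ] || [ -z "$group" ]; then
        printf 'unknown\n'
    elif [ "$user" = "$group" ]; then
        printf 'private\n'
    else
        printf 'shared\n'
    fi
}

# Count how many of the given lines are "private"; a quick check to run
# over `id` output for every test user after changing sssd.conf and
# clearing the cache, so a regression shows up as a non-zero count.
count_private() {
    n=0
    for l in "$@"; do
        [ "$(classify_id_line "$l")" = private ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Constructed sample input, copied from the `id` output quoted above.
sample_admin='uid=704201113(admin) gid=704200513(domain users) groups=704200513(domain users)'
sample_child='uid=1872601114(terry-child) gid=1872600513(domain users) groups=1872600513(domain users)'
sample_example='uid=1952601113(terry-example) gid=1952601113(terry-example) groups=1952601113(terry-example),1952600513(domain users)'
sample_missing='id: terry-example: no such user'

for s in "$sample_admin" "$sample_child" "$sample_example" "$sample_missing"; do
    printf '%-8s %s\n' "$(classify_id_line "$s")" "$s"
done
```

In a real check, replace the constructed sample lines with `id "$user"` for each user under test; a "private" result for an AD user whose primary group should be `domain users` is the mapping difference the report describes.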
Created attachment 1781992 [details] sssd logs with debug_level = 8
Hi, please see my comment in https://github.com/SSSD/sssd/issues/5626. Let's continue there for the time being.

bye,
Sumit