Red Hat Bugzilla – Bug 869616
Issues when adding AD user as member of external group
Last modified: 2015-09-29 03:09:18 EDT
Description of problem:

1> Cannot use name of AD User, but have to use wmic to get SID for this user to add as a member to an external group

  wmic useraccount get name,sid

2> when adding duplicate AD user behaviour is different from regular duplicate user

# ipa group-add-member --user=ttt aa
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176, s-1-5-21-2048782538-2375889789-2933420090-1179, s-1-5-21-2048782538-2375889789-2933420090-1155, s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
  Member groups: ttt
  Failed members:
    member user: ttt: This entry is already a member
    member group:
-------------------------
Number of members added 0
-------------------------

# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1175 aa
[member user]:
[member group]:
  Group name: aa
  Description: aaa
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1176, s-1-5-21-2048782538-2375889789-2933420090-1179, s-1-5-21-2048782538-2375889789-2933420090-1155, s-1-5-21-2048782538-2375889789-2933420090-1100
  Member users: ttt
  Member groups: ttt
-------------------------
Number of members added 0
-------------------------

2> Can use invalid SIDs - and message says member was added. (-1100 is invalid)

[root@xdong ~]# ipa group-add-member --external=s-1-5-21-2048782538-2375889789-2933420090-1100
Group name: bb
[member user]:
[member group]:
  Group name: bb
  Description: bb
  External member: s-1-5-21-2048782538-2375889789-2933420090-1175, s-1-5-21-2048782538-2375889789-2933420090-1100
-------------------------
Number of members added 1
-------------------------

How reproducible: always

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
Version-Release number of selected component (if applicable): ipa-server-3.0.0-105.20121018T0250zgit1cc4f7e.el6.x86_64
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3211
Fixed upstream.
master: fc3834ca46fa986694be6a94f0a51d74e9e532a8
ipa-3-0: 4cf3c2d5053bad8e62a80ffa586f8d5c1f7e41cd
https://fedorahosted.org/freeipa/ticket/3126
Created bug #874671 to cover missing error message as separate case/issue here.
Created bug #874674 to cover invalid/non-existent SID adds as a separate case/issue here.
Verified. It should be noted that the 1> case is the only one fixed here. The other two (2>) cases are being handled in the separate bugs listed in comment #5 and comment #6.

Version :: ipa-server-3.0.0-8.el6.x86_64

Manual Test Results ::

[root@rhel6-1 ~]# ipa group-add --desc='adtestdom.com adtestgroup1' adtestdom_adtestgroup1
------------------------------------
Added group "adtestdom_adtestgroup1"
------------------------------------
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1735800006
[root@rhel6-1 ~]# ipa group-add --desc='adtestdom.com adtestgroup1 external' adtestdom_adtestgroup1_external --external
---------------------------------------------
Added group "adtestdom_adtestgroup1_external"
---------------------------------------------
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external
[root@rhel6-1 ~]# ipa group-add-member adtestdom_adtestgroup1 --groups=adtestdom_adtestgroup1_external
  Group name: adtestdom_adtestgroup1
  Description: adtestdom.com adtestgroup1
  GID: 1735800006
  Member groups: adtestdom_adtestgroup1_external
-------------------------
Number of members added 1
-------------------------
[root@rhel6-1 ~]# ipa group-add-member adtestdom_adtestgroup1_external --external "ADTESTDOM\adtestgroup1"
[member user]:
[member group]:
  Group name: adtestdom_adtestgroup1_external
  Description: adtestdom.com adtestgroup1 external
  External member: S-1-5-21-1246088475-3077293710-2580964704-1135
  Member of groups: adtestdom_adtestgroup1
-------------------------
Number of members added 1
-------------------------
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html
Now it's able to add by name but unable to delete by name.

[root@rt aduser1]# rpm -q ipa-server
ipa-server-3.0.0-25.el6.x86_64
[root@rt aduser1]# ipa group-add-member adgroup1 --external "ADLAB\aduser1"
[member user]:
[member group]:
  Group name: adgroup1
  Description: adgroup1
  External member: S-1-5-21-3452862912-1583780823-338435951-1139
-------------------------
Number of members added 1
-------------------------
[root@rt aduser1]# ipa group-remove-member adgroup1 --external "ADLAB\aduser1"
[member user]:
[member group]:
  Group name: adgroup1
  Description: adgroup1
  External member: S-1-5-21-3452862912-1583780823-338435951-1139
---------------------------
Number of members removed 0
---------------------------
[root@rt aduser1]# ipa group-remove-member adgroup1 --external=S-1-5-21-3452862912-1583780823-338435951-1139
[member user]:
[member group]:
  Group name: adgroup1
  Description: adgroup1
  External member:
---------------------------
Number of members removed 1
---------------------------
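The two behaviours discussed on this bug, the description's duplicate-SID and unvalidated-SID cases and the comment above where removal by "ADLAB\aduser1" finds nothing while removal by SID works, come down to how an external member is normalised before it is compared with the ipaExternalMember values already stored. The following Python is an added illustration, not FreeIPA code and not anything the reporters posted: it parses a textual SID into its fields, enforces the structural limits of the SID layout (revision 1, 48-bit authority, at most fifteen 32-bit sub-authorities), restricts external members to the S-1-5-21-...-RID shape that can actually name a domain account, and resolves DOMAIN\name inputs through a resolver callback so that add and remove use the same canonical form. `parse_sid`, `resolve_member`, `add_external_member`, `remove_external_member` and `TRUST_TABLE` are names chosen here; the table is a constructed stand-in for the trusted-domain lookup the real server performs, seeded with the SID shown in the output above. It goes a little beyond the report by also emitting the binary SID encoding, which is useful when comparing against an objectSid pulled from AD.

```python
import re
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Textual SID: S-<revision>-<authority>-<sub1>-...-<subN>. Matched case-insensitively
# because the report shows lowercase "s-1-5-21-..." being accepted by the CLI.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)
# DOMAIN\name form used in the report ("ADTESTDOM\adtestgroup1", "ADLAB\aduser1").
NAME_RE = re.compile(r"^([^\\]+)\\([^\\]+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        # Canonical upper-case textual form; this is what gets stored and compared.
        subs = "-".join(str(s) for s in self.sub_authorities)
        return "S-%d-%d-%s" % (self.revision, self.authority, subs)


def parse_sid(text: str) -> Sid:
    """Parse a textual SID and check the limits implied by its binary layout."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a textual SID: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID must carry between 1 and 15 sub-authorities")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    return Sid(revision, authority, subs)


def is_domain_account_sid(sid: Sid) -> bool:
    """True only for S-1-5-21-<d1>-<d2>-<d3>-<RID>; well-known SIDs like S-1-1-0 fail."""
    return (sid.authority == 5 and len(sid.sub_authorities) == 5
            and sid.sub_authorities[0] == 21)


def sid_to_bytes(sid: Sid) -> bytes:
    """Binary SID (objectSid layout): revision, sub-authority count,
    6-byte big-endian authority, then little-endian 32-bit sub-authorities."""
    return (struct.pack("<BB", sid.revision, len(sid.sub_authorities))
            + sid.authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sid.sub_authorities))


# resolver(domain, name) -> textual SID or None; stands in for the trust lookup.
Resolver = Callable[[str, str], Optional[str]]


def resolve_member(text: str, resolver: Resolver) -> Sid:
    """Accept either a SID or DOMAIN\\name and return a validated domain-account SID."""
    m = NAME_RE.match(text)
    if m:
        found = resolver(m.group(1), m.group(2))
        if found is None:
            raise LookupError("%s could not be resolved in the trusted domain" % text)
        text = found
    sid = parse_sid(text)
    if not is_domain_account_sid(sid):
        raise ValueError("%s is not a domain user or group SID" % sid)
    return sid


def add_external_member(members: List[str], text: str, resolver: Resolver) -> str:
    """Add to the list, reporting a duplicate instead of a silent 'added 0'."""
    sid = str(resolve_member(text, resolver))
    if sid in {str(parse_sid(m)) for m in members}:
        return "%s: This entry is already a member" % sid
    members.append(sid)
    return "added %s" % sid


def remove_external_member(members: List[str], text: str, resolver: Resolver) -> str:
    """Remove by SID or by name; the name is resolved exactly as on add."""
    sid = str(resolve_member(text, resolver))
    for i, existing in enumerate(members):
        if str(parse_sid(existing)) == sid:
            del members[i]
            return "removed %s" % sid
    return "%s: This entry is not a member" % sid


# Constructed lookup table standing in for AD; the SID is the one in the report.
TRUST_TABLE: Dict[Tuple[str, str], str] = {
    ("ADLAB", "aduser1"): "S-1-5-21-3452862912-1583780823-338435951-1139",
}


def table_resolver(domain: str, name: str) -> Optional[str]:
    return TRUST_TABLE.get((domain.upper(), name.lower()))


if __name__ == "__main__":
    group: List[str] = []
    print(add_external_member(group, "ADLAB\\aduser1", table_resolver))
    print(add_external_member(group, "s-1-5-21-3452862912-1583780823-338435951-1139", table_resolver))
    print(remove_external_member(group, "ADLAB\\aduser1", table_resolver))
    print(group)
```

The point of routing both add and remove through `resolve_member` is that a name and its SID always collapse to the same canonical string, so the second remove in the transcript above would find the entry the first one missed. Structural validation cannot tell whether a RID such as -1100 exists in the domain; that still needs the resolver, which is why the example refuses to accept a SID whose shape could not belong to a domain account but otherwise leaves existence checks to the lookup.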
The suggestion is that it used to work. Is that the case? I don't think it did. We'd need a new bug to add this functionality.