Bug 871576 - sssd does not resolve group names from AD
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified Unspecified
Priority: high, Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jakub Hrozek
QA Contact: Kaushik Banerjee
Keywords: Regression
Duplicates: 869336 873143
Depends On: 867874
Reported: 2012-10-30 14:42 EDT by Jakub Hrozek
Modified: 2013-02-21 04:39 EST
Fixed In Version: sssd-1.9.2-6.el6
Doc Type: Bug Fix
Doc Text: No Documentation Needed
Clone Of: 867874
Last Closed: 2013-02-21 04:39:17 EST
Type: Bug

Description Jakub Hrozek 2012-10-30 14:42:21 EDT
+++ This bug was initially created as a clone of Bug #867874 +++

Description of problem:
When a system is an AD member, configured for the Active Directory Test Day for Fedora 18[1], I can log into the system with an AD account, so the username is resolved. The name of the user's primary group ('Domain Users'), however, is not resolved.

Version-Release number of selected component (if applicable):
1.9.2-1.fc18

How reproducible:


Steps to Reproduce:
1. Join a system to an AD domain, like for the FTD, see [1]
2. Log in as a user from AD
3. Try and resolve groups
  
Actual results:
Output of id is like this:
$ id
uid=592801111(NONTOONYT\testuser03) gid=592800513 groups=592800513 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Expected results:
Output of id to be like this:
$ id
uid=1001(localuser) gid=1002(localuser) groups=1002(localuser),1001(localgroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Additional info:

[1] https://fedoraproject.org/wiki/QA:Testcase_Active_Directory_realmd_join_sssd

--- Additional comment from maxim@wzzrd.com on 2012-10-18 09:43:34 EDT ---

Not just about primary group:

[root@f18-client db]# sss_cache -U -G
[root@f18-client db]# id NONTOONYT\\testuser02
uid=592801110(NONTOONYT\testuser02) gid=592800513 groups=592800513,592801132,592801133

--- Additional comment from stefw@redhat.com on 2012-10-18 10:16:27 EDT ---

My primary group name is resolved, but others not:

uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users) groups=535600513(RADI08\domain users),535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

--- Additional comment from stijn@sandcat.nl on 2012-10-18 10:20:47 EDT ---

I see the same as Maxim, no group is resolved.

[root@pclin282 ~]# sss_cache -U -G
[root@pclin282 ~]# id TUE\\shoop
uid=1579415011(TUE\shoop) gid=1579400513 groups=1579400513,1579473836,1579538705,1579448448,1579553386,1579428775,1579437677,1579429452,1579448447,1579583761,1579422111,1579423170,1579432939,1579400520,1579430980,1579422100,1579499949,1579567116,1579476603,1579431050,1579560682,1579402481

--- Additional comment from stefw@redhat.com on 2012-10-18 10:57:24 EDT ---

(In reply to comment #2)
> My primary group name is resolved, but others not:
> 
> uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users)
> groups=535600513(RADI08\domain users),535600512,535600572
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

On a later login on the same machine (no reboots or anything) the primary group is no longer resolved:

id: cannot find name for group ID 535600513
[RADI08\swalter@live-user ~]$ id
uid=535601104(RADI08\swalter) gid=535600513 groups=535600513,535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

--- Additional comment from jhrozek@redhat.com on 2012-10-18 11:15:42 EDT ---

Please include debug_level=10 in the [nss] and [domain/$name] sections of the SSSD, restart the SSSD and then attach the contents of /var/log/sssd/

Thank you!

--- Additional comment from stefw@redhat.com on 2012-10-19 01:47:50 EDT ---

Created attachment 629776
sssd logs that were requested.

I logged in as RADI08\swalter. In this case the primary group resolved, but not secondary groups. 

I then restarted sssd.

Next I logged in as RADI08\fry. No groups resolved.

uid=535601115(RADI08\fry) gid=535600513 groups=535600513,535601127,535601128 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Next I logged in again as RADI08\swalter. No groups resolved for swalter this time.

uid=535601104(RADI08\swalter) gid=535600513 groups=535600513,535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

--- Additional comment from dpal@redhat.com on 2012-10-19 08:59:19 EDT ---

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1590
Comment 1 Jakub Hrozek 2012-10-30 14:43:57 EDT
Upstream has a patch. This would break the AD provider if not fixed in RHEL-6.4.0
Comment 3 Jakub Hrozek 2012-11-02 10:16:12 EDT
*** Bug 869336 has been marked as a duplicate of this bug. ***
Comment 5 Kaushik Banerjee 2012-11-06 08:49:49 EST
*** Bug 873143 has been marked as a duplicate of this bug. ***
Comment 6 Scott Poore 2012-11-07 13:15:41 EST
Verified.

Version ::

sssd-1.9.2-7.el6.x86_64

Manual Test Results:

[root@rhel6-1 yum.local.d]# ssh -l adtestuser1@adtestdom.com rhel6-1
adtestuser1@adtestdom.com@rhel6-1's password: 
Last login: Wed Nov  7 13:10:55 2012 from rhel6-1.testrelm.com

-sh-4.1$ id
uid=1232801136(adtestuser1@adtestdom.com) gid=1232801136(adtestuser1@adtestdom.com) groups=1232801136(adtestuser1@adtestdom.com),1606000004(adtestdom_adtestgroup1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
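
A check for the symptom reported in this bug, as an added example that is not part of the original report or of SSSD: it parses one line of `id` output and lists the group IDs that were printed without a name. The function name `unresolved_gids` is hypothetical; the two sample lines are copied from the comments above.

```shell
#!/bin/sh
# Added example: flag GIDs that `id` printed without a "(name)" part,
# which is the symptom reported in this bug.

# Sample `id` lines copied from the comments in this report.
BROKEN='uid=535601104(RADI08\swalter) gid=535600513(RADI08\domain users) groups=535600513(RADI08\domain users),535600512,535600572 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
FIXED='uid=1232801136(adtestuser1@adtestdom.com) gid=1232801136(adtestuser1@adtestdom.com) groups=1232801136(adtestuser1@adtestdom.com),1606000004(adtestdom_adtestgroup1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# unresolved_gids LINE  (hypothetical helper name)
# Print, space-separated, every entry of the groups= field that is a bare
# number. Group names may contain spaces ("domain users"), so the field is
# split on commas only. Returns 2 if LINE has no groups= field.
# The body runs in a subshell, so its variables do not leak to the caller.
unresolved_gids() (
    line=$1
    case $line in
        *groups=*) ;;
        *) exit 2 ;;
    esac
    list=${line#*groups=}
    list=${list%% context=*}      # drop the SELinux context, if present
    out=
    while [ -n "$list" ]; do
        entry=${list%%,*}         # text up to the first comma
        case $list in
            *,*) list=${list#*,} ;;
            *)   list= ;;
        esac
        case $entry in
            ''|*[!0-9]*) ;;                    # has a name: resolved
            *) out="${out:+$out }$entry" ;;    # digits only: unresolved
        esac
    done
    printf '%s\n' "$out"
)

# Live check when a user name is passed as the first argument,
# e.g. 'DOMAIN\user'. Exit 1 if any group of that user has no name.
if [ "$#" -gt 0 ]; then
    missing=$(unresolved_gids "$(id "$1")") || exit 2
    [ -z "$missing" ] || { echo "unresolved GIDs for $1: $missing" >&2; exit 1; }
fi
```

Running `getent group <gid>` for each reported GID queries the NSS group database directly for that entry.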
Comment 11 errata-xmlrpc 2013-02-21 04:39:17 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
